Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-02-10 20:27:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/gitlab-runner] feat: 🎉 Add chart (#32513)

Browse Source 
* [bitnami/gitlab-runner] feat: 🎉 Add chart

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com>

* feat:  Add HPA and VPA

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* fix: 🐛 Set correct vib-verify

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com>

* chore: ♻️ Apply suggestions from code review

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* chore: ♻️ Apply suggestions from code review

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* chore: 🔧 Disable kubescape

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* chore: 🔧 Disable validation

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* fix: 🐛 Use proper configmap

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

---------

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>
Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com>
Co-authored-by: Bitnami Bot <bitnami.bot@broadcom.com>
This commit is contained in:
Javier J. Salmerón García
2025-03-28 13:50:16 +01:00
committed by GitHub
parent 08742e3f0a
commit 21a3ab7fee
29 changed files with 2829 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
.vib/gitlab-runner/goss/goss.yaml Normal file
View File

@@ -0,0 +1,35 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
command:
{{- $uid := .Vars.containerSecurityContext.runAsUser }}
{{- $gid := .Vars.podSecurityContext.fsGroup }}
check-user-info:
# The UID and GID should always be either the one specified as vars (always a bigger number that the default)
# or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value.
exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi
exit-status: 0
{{ if .Vars.automountServiceAccountToken }}
check-sa:
exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d
exit-status: 0
stdout:
- /serviceaccount.*name.*{{.Env.BITNAMI_APP_NAME }}/
{{ end }}
check-gitlab-url:
exec: env
exit-status: 0
stdout:
- /CI_SERVER_URL.*{{ .Vars.gitlabUrl }}/
file:
/configmaps/config.toml:
exists: true
filetype: symlink
contents:
- /listen_address.*{{ .Vars.containerPorts.metrics }}/
- /listen_address.*{{ .Vars.containerPorts.sessionServer }}/
/secrets/runner-token:
exists: true
filetype: symlink
contents:
- {{ .Vars.runnerToken }}

28
.vib/gitlab-runner/runtime-parameters.yaml Normal file
View File

@@ -0,0 +1,28 @@
# Gitlab Runner needs a running Gitlab instance to work. As we do
# not have one, we need to overwrite the command and args with a sleep
command:
- sleep
args:
- infinity
livenessProbe:
enabled: false
readinessProbe:
enabled: false
gitlabUrl: example.com
runnerToken: ComplicatedToken
serviceAccount:
create: true
automountServiceAccountToken: true
podSecurityContext:
enabled: true
fsGroup: 1002
containerSecurityContext:
enabled: true
runAsUser: 1002
containerPorts:
metrics: 2231
sessionServer: 8372
metrics:
enabled: true
sessionServer:
enabled: true

47
.vib/gitlab-runner/vib-publish.json Normal file
View File

@@ -0,0 +1,47 @@
{
"phases": {
"package": {
"context": {
"credentials": [
{
"url": "{VIB_ENV_CHARTS_REGISTRY}",
"authn": {
"username": "{VIB_ENV_CHARTS_REGISTRY_USERNAME}",
"password": "{VIB_ENV_CHARTS_REGISTRY_PASSWORD}"
}
}
],
"resources": {
"url": "{SHA_ARCHIVE}",
"path": "/bitnami/gitlab-runner"
}
},
"actions": [
{
"action_id": "helm-package"
},
{
"action_id": "helm-lint"
}
]
},
"publish": {
"actions": [
{
"action_id": "helm-publish",
"params": {
"repository": {
"kind": "S3",
"url": "{VIB_ENV_S3_URL}",
"authn": {
"access_key_id": "{VIB_ENV_S3_ACCESS_KEY_ID}",
"secret_access_key": "{VIB_ENV_S3_SECRET_ACCESS_KEY}",
"role": "{VIB_ENV_S3_ROLE_ARN}"
}
}
}
}
]
}
}
}

66
.vib/gitlab-runner/vib-verify.json Normal file
View File

@@ -0,0 +1,66 @@
{
"phases": {
"package": {
"context": {
"credentials": [
{
"url": "{VIB_ENV_CHARTS_REGISTRY}",
"authn": {
"username": "{VIB_ENV_CHARTS_REGISTRY_USERNAME}",
"password": "{VIB_ENV_CHARTS_REGISTRY_PASSWORD}"
}
}
],
"resources": {
"url": "{SHA_ARCHIVE}",
"path": "/bitnami/gitlab-runner"
}
},
"actions": [
{
"action_id": "helm-package"
},
{
"action_id": "helm-lint"
}
]
},
"verify": {
"context": {
"resources": {
"url": "{SHA_ARCHIVE}",
"path": "/bitnami/gitlab-runner"
},
"target_platform": {
"target_platform_id": "{VIB_ENV_ALTERNATIVE_TARGET_PLATFORM}",
"size": {
"name": "S4"
}
}
},
"actions": [
{
"action_id": "goss",
"params": {
"resources": {
"path": "/.vib"
},
"tests_file": "gitlab-runner/goss/goss.yaml",
"vars_file": "gitlab-runner/runtime-parameters.yaml",
"remote": {
"pod": {
"workload": "deploy-gitlab-runner"
}
}
}
},
{
"action_id": "kubescape",
"params": {
"threshold": {VIB_ENV_KUBESCAPE_SCORE_THRESHOLD}
}
}
]
}
}
}

25
bitnami/gitlab-runner/.helmignore Normal file
View File

@@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# img folder
img/
# Changelog
CHANGELOG.md

5
bitnami/gitlab-runner/CHANGELOG.md Normal file
View File

@@ -0,0 +1,5 @@
# Changelog
## 0.1.0 (2025-03-28)
* [bitnami/gitlab-runner] feat: :tada: Add chart ([#32513](https://github.com/bitnami/charts/pull/32513))

6
bitnami/gitlab-runner/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.30.0
digest: sha256:46afdf79eae69065904d430f03f7e5b79a148afed20aa45ee83ba88adc036169
generated: "2025-02-19T23:00:17.371196542Z"

32
bitnami/gitlab-runner/Chart.yaml Normal file
View File

@@ -0,0 +1,32 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
annotations:
tanzuCategory: application
category: Infrastructure
licenses: Apache-2.0
images: |
- name: gitlab-runner
image: docker.io/bitnami/gitlab-runner:17.9.1-debian-12-r1
apiVersion: v2
appVersion: 17.9.1
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: Gitlab Runner is an auxiliary application for Gitlab installations. Written in Go, it allows to run CI/CD jobs and send the results back to Gitlab.
home: https://bitnami.com
icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/gitlab-runner/img/gitlab-runner-stack-220x234.png
keywords:
- git
- ci
- deploy
maintainers:
- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: gitlab-runner
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/gitlab-runner
version: 0.1.0

377
bitnami/gitlab-runner/README.md Normal file
View File

@@ -0,0 +1,377 @@
<!--- app-name: Gitlab Runner -->
# Bitnami package for Gitlab Runner
Gitlab Runner is an auxiliary application for Gitlab installations. Written in Go, it allows to run CI/CD jobs and send the results back to Gitlab.
[Overview of Gitlab Runner](https://docs.gitlab.com/runner/)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
helm install my-release oci://registry-1.docker.io/bitnamicharts/gitlab-runner
```
Looking to use Gitlab Runner in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## Introduction
This chart bootstraps a [Gitlab Runner](https://github.com/bitnami/containers/tree/main/bitnami/gitlab-runner) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.23+
- Helm 3.8.0+
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/gitlab-runner
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
These commands deploy Gitlab Runner on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Configuration and installation details
### Connect to Gitlab instance
Gitlab Runner requires connecting to an existing Gitlab installation. Follow these steps in your Gitlab installation:
- Create a runner in the [CI/CD admin panel](https://docs.gitlab.com/ci/runners/runners_scope/#create-an-instance-runner-with-a-runner-authentication-token)
- Obtain the registration token
- Deploy Gitlab Runner setting the `runnerToken` (or provide a secret with `existingSecret`) value with the previously obtained token, as well as the `gitlabUrl` value with the URL of the Gitlab instance.
- Check the registration status in your Gitlab instance.
### Setting the runner configuration
The Gitlab Runner chart deploys a runner with `kubernetes` as the executor. It is possible to modify the default configuration by changing the `runners.config` value. In the example below we change the default job image:
```yaml
runners:
config: |
[[runners]]
[runners.kubernetes]
namespace = "{{ include "common.names.namespace" . }}"
image = "bitnami/os-shell"
```
### Prometheus metrics
This chart can be integrated with Prometheus by setting `metrics.enabled` to true. This will expose the Gitlab Runner native Prometheus endpoint in a `metrics` service, which can be configured under the `metrics.service` section. It will have the necessary annotations to be automatically scraped by Prometheus.
#### Prometheus requirements
It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster.
#### Integration with Prometheus Operator
The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error:
```text
no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
```
Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator.
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling vs Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Enable RBAC security
In order to enable Role-Based Access Control (RBAC) for Gitlab Runner, use the following parameter: `rbac.create=true`.
### Set Pod affinity
This chart allows you to set custom Pod affinity using the `affinity` parameter. Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
### Ingress
This chart provides support for Ingress resources for the session server. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `sessionServer.ingress.enabled` to `true`.
The most common scenario is to have one host name mapped to the deployment. In this case, the `sessionServer.ingress.hostname` property can be used to set the host name. The `sessionServer.ingress.tls` parameter can be used to add the TLS configuration for this host.
However, it is also possible to have more than one host. To facilitate this, the `sessionServer.ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `sessionServer.ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts.
> NOTE: For each host specified in the `sessionServer.ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers.
Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists.
[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
## Parameters
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.security.allowInsecureImages` | Allows skipping image verification | `false` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
| Name | Description | Value |
| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
| `apiVersions` | Override Kubernetes API versions reported by .Capabilities | `[]` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `namespaceOverride` | String to fully override common.names.namespace | `""` |
| `commonLabels` | Add labels to all the deployed resources | `{}` |
| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the the deployment(s)/statefulset(s) | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the the deployment(s)/statefulset(s) | `["infinity"]` |
### Gitlab Runner parameters
| Name | Description | Value |
| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| `image.registry` | Gitlab Runner image registry | `REGISTRY_NAME` |
| `image.repository` | Gitlab Runner image repository | `REPOSITORY_NAME/gitlab-runner` |
| `image.digest` | Gitlab Runner image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Gitlab Runner image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Gitlab Runner image pull secrets | `[]` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `hostAliases` | Add deployment host aliases | `[]` |
| `replicaCount` | Number of gitlab-runner nodes to deploy | `1` |
| `gitlabUrl` | GitLab Server URL (with protocol) to register the runner | `""` |
| `runnerToken` | Token for adding new Runners to the GitLab Server | `""` |
| `existingSecret` | Name of a secret containing the runner token | `""` |
| `existingCacheSecret` | Name of a secret containing the distributed cache credentials | `""` |
| `existingConfigMap` | Name of a ConfigMap containing the configuration and scripts | `""` |
| `extraConfig` | Append extra configuration to the default config file | `""` |
| `unregisterRunners` | Unregister all runners before termination | `true` |
| `existingCertsSecret` | Name of a secret containing custom certificates to connect to the Gitlab instance. | `""` |
| `concurrent` | Maximum number of concurrent jobs | `10` |
| `shutdownTimeout` | Time in seconds before a forceful shutdown | `0` |
| `checkInterval` | Time in seconds to check for Gitlab builds | `3` |
| `logLevel` | Runner logging level | `info` |
| `logFormat` | Runner logging format | `runner` |
| `sentryDsn` | Runner's Sentry DSN. | `""` |
| `connectionMaxAge` | Maximum connection age for TLS keepalive connections. | `15m` |
| `preEntrypointScript` | Commands to execute prior to the entrypoint | `""` |
| `updateStrategy.type` | Set up update strategy for gitlab-runner installation. | `RollingUpdate` |
| `autoscaling.vpa.enabled` | Enable VPA | `false` |
| `autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` |
| `autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` |
| `autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` |
| `autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` |
| `autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod | `Auto` |
| `autoscaling.hpa.enabled` | Enable autoscaling for operator | `false` |
| `autoscaling.hpa.minReplicas` | Minimum number of operator replicas | `""` |
| `autoscaling.hpa.maxReplicas` | Maximum number of operator replicas | `""` |
| `autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` |
| `autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` |
| `rbac.create` | Enable RBAC authentication | `true` |
| `rbac.clusterWideAccess` | Allow runner cluster-wide access | `false` |
| `rbac.rules` | Define list of rules to be added to the rbac role permissions | `[]` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to create | `""` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account | `false` |
| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `containerPorts.metrics` | Port where gitlab-runner will expose metrics | `9252` |
| `containerPorts.sessionServer` | Port where gitlab-runner will use the sessionServer | `8093` |
| `dnsPolicy` | Default dnsPolicy setting | `ClusterFirst` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `lifecycleHooks` | for the gitlab-runner container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Array with extra environment variables to add to gitlab-runner nodes | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for gitlab-runner nodes | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for gitlab-runner nodes | `""` |
| `extraArgs` | Extra arguments to pass to gitlab-runner on start up | `[]` |
| `sidecars` | Add additional sidecar containers to the gitlab-runner pod(s) | `[]` |
| `initContainers` | Add additional init containers to the gitlab-runner pod(s) | `[]` |
| `podLabels` | Pod labels | `{}` |
| `podAnnotations` | Pod annotations | `{}` |
| `priorityClassName` | Priority class for pod scheduling | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `terminationGracePeriodSeconds` | In seconds, time the given to the gitlab-runner pod needs to terminate gracefully | `""` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `pdb.create` | Create a PodDisruptionBudget | `true` |
| `pdb.minAvailable` | Minimum available instances | `""` |
| `pdb.maxUnavailable` | Maximum unavailable instances | `""` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `topologySpreadConstraints` | Topology spread constraints for pod | `[]` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kubernetes components like kube-apiserver or kubelet (limit to your cluster settings to increase security) | `[]` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Custom liveness probe for the Web component | `{}` |
| `customLivenessProbe` | Custom Liveness probes for gitlab-runner | `{}` |
| `customReadinessProbe` | Custom Readiness probes gitlab-runner | `{}` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `podSecurityContext.enabled` | Pod security context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Set Pod's Security Context fsGroup | `1001` |
| `extraVolumes` | Extra volumes | `[]` |
| `extraVolumeMounts` | Mount extra volume(s) | `[]` |
| `runners.config` | configuration for the pods created by the runner | `""` |
| `runners.configPath` | Absolute path for an existing runner configuration file (to be used with volumes/extraVolumes) | `""` |
| `runners.executor` | Executor to be used by the runner | `kubernetes` |
| `runners.name` | Name of the runner. | `""` |
| `runners.maximumTimeout` | Specify the maximum timeout (in seconds) that will be set for job when using this Runner | `""` |
| `runners.runUntagged` | Allow running jobs without tags | `true` |
| `runners.protected` | Run only in protected branches | `true` |
### Session Server Parameters
| Name | Description | Value |
| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `sessionServer.enabled` | Enable Session Server | `false` |
| `sessionServer.sessionTimeout` | Session timeout in seconds | `1800` |
| `sessionServer.service.type` | Session Server service type | `ClusterIP` |
| `sessionServer.service.ports.sessionServer` | Session Server service port | `9000` |
| `sessionServer.service.nodePorts.sessionServer` | Node port for the Session Server | `""` |
| `sessionServer.service.labels` | Service labels | `{}` |
| `sessionServer.service.clusterIP` | Session Server service Cluster IP | `""` |
| `sessionServer.service.loadBalancerIP` | Session Server service Load Balancer IP | `""` |
| `sessionServer.service.loadBalancerSourceRanges` | Session Server service Load Balancer sources | `[]` |
| `sessionServer.service.externalTrafficPolicy` | Session Server service external traffic policy | `Cluster` |
| `sessionServer.service.annotations` | Additional custom annotations for Session Server service | `{}` |
| `sessionServer.service.extraPorts` | Extra ports to expose in Session Server service (normally used with the `sidecars` value) | `[]` |
| `sessionServer.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `sessionServer.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `sessionServer.ingress.enabled` | Enable ingress record generation for Session Server | `false` |
| `sessionServer.ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `sessionServer.ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `sessionServer.ingress.hostname` | Default host for the ingress record | `session-server.local` |
| `sessionServer.ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `sessionServer.ingress.path` | Default path for the ingress record | `/` |
| `sessionServer.ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `sessionServer.ingress.tls` | Enable TLS configuration for the host defined at `sessionServer.ingress.hostname` parameter | `false` |
| `sessionServer.ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `sessionServer.ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `sessionServer.ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `sessionServer.ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `sessionServer.ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `sessionServer.ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `metrics.enabled` | Enable the export of Prometheus metrics | `false` |
| `metrics.service.type` | Session Server service type | `ClusterIP` |
| `metrics.service.ports.metrics` | Session Server service http port | `9252` |
| `metrics.service.nodePorts.metrics` | Node port for HTTP | `""` |
| `metrics.service.labels` | Service labels | `{}` |
| `metrics.service.clusterIP` | Session Server service Cluster IP | `""` |
| `metrics.service.loadBalancerIP` | Session Server service Load Balancer IP | `""` |
| `metrics.service.loadBalancerSourceRanges` | Session Server service Load Balancer sources | `[]` |
| `metrics.service.externalTrafficPolicy` | Session Server service external traffic policy | `Cluster` |
| `metrics.service.annotations` | Additional custom annotations for Session Server service | `{}` |
| `metrics.service.extraPorts` | Extra ports to expose in Session Server service (normally used with the `sidecars` value) | `[]` |
| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `metrics.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `metrics.serviceMonitor.annotations` | Additional custom annotations for the ServiceMonitor | `{}` |
| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
| `metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set rbac.create=true oci://REGISTRY_NAME/REPOSITORY_NAME/gitlab-runner
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The above command enables RBAC authentication.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/gitlab-runner
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/gitlab-runner/values.yaml)
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## License
Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

107
bitnami/gitlab-runner/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,107 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information.
** Please be patient while the chart is being deployed **
{{- if not (include "gitlab-runner.canDeploy" .) }}
######################################################################################################
### ERROR: You did not provide the Gitlab URL and the Runner Token in the 'helm install' call ###
######################################################################################################
Complete your Gitlab Runner deployment by running:
helm upgrade --namespace {{ include "common.names.namespace" . }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/gitlab-runner \
--set gitlabUrl=YOUR_GITLAB_HOST,runnerToken=YOUR_RUNNER_TOKEN
Replacing "YOUR_GITLAB_HOST" and "YOUR_RUNNER_TOKEN" placeholders by the proper values of your Gitlab deployment.
or
helm upgrade --namespace {{ include "common.names.namespace" . }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/gitlab-runner \
--set gitlabUrl=YOUR_GITLAB_HOST,existingSecret=YOUR_SECRET
Replacing "YOUR_GITLAB_HOST" and "YOUR_SECRET" placeholders by the proper values of your Gitlab deployment.
{{- else }}
{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
Get the list of pods by executing:
kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }}
Access the pod you want to debug by executing
kubectl exec --namespace {{ include "common.names.namespace" . }} -ti <NAME OF THE POD> -- bash
{{- else }}
Check the status of the pods by running this command:
kubectl get pods --namespace {{ include "common.names.namespace" . | quote }} -l app.kubernetes.io/instance={{ .Release.Name }}
Check the integration status in your Gitlab instance:
https://docs.gitlab.com/runner/register/
{{- if .Values.sessionServer.enabled }}
Session Server:
Your Session Server site can be accessed through the following DNS name from within your cluster:
{{ include "gitlab-runner.session-server.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} (port {{ .Values.sessionServer.service.ports.sessionServer }})
To access your Session Server from outside the cluster follow the steps below:
{{- if .Values.sessionServer.ingress.enabled }}
1. Get the Session Server URL and associate Session Server hostname to your cluster external IP:
export CLUSTER_IP=$(minikube ip) # On Minikube. Use: `kubectl cluster-info` on others K8s clusters
echo "Session Server URL: http{{ if .Values.sessionServer.ingress.tls }}s{{ end }}://{{ .Values.sessionServer.ingress.hostname }}/"
echo "$CLUSTER_IP {{ .Values.sessionServer.ingress.hostname }}" | sudo tee -a /etc/hosts
{{- else }}
{{- $port := .Values.sessionServer.service.ports.sessionServer | toString }}
1. Get the Session Server URL by running these commands:
{{- if contains "NodePort" .Values.sessionServer.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitlab-runner.session-server.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "Session Server URL: http://$NODE_IP:$NODE_PORT/"
{{- else if contains "LoadBalancer" .Values.sessionServer.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ include "gitlab-runner.session-server.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ include "gitlab-runner.session-server.fullname" . }} --include "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
echo "Session Sever URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.sessionServer.service.ports.sessionServer }}{{ end }}/"
{{- else if contains "ClusterIP" .Values.sessionServer.service.type }}
kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ include "gitlab-runner.session-server.fullname" . }} {{ .Values.sessionServer.service.ports.sessionServer }}:{{ .Values.sessionServer.service.ports.sessionServer }} &
echo "Session Server URL: http://127.0.0.1{{- if ne $port "80" }}:{{ .Values.sessionServer.service.ports.sessionServer }}{{ end }}//"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- include "gitlab-runner.validateValues" . }}
{{- include "gitlab-runner.checkRollingTags" . }}
{{- include "common.warnings.resources" (dict "sections" (list "") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image) "context" $) }}
{{- include "common.errors.insecureImages" (dict "images" (list .Values.image) "context" $) }}
{{- end }}

98
bitnami/gitlab-runner/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,98 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Create the name of the service account to use
*/}}
{{- define "gitlab-runner.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the proper gitlab-runner image name
*/}}
{{- define "gitlab-runner.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper gitlab-runner image name
*/}}
{{- define "gitlab-runner.session-server.fullname" -}}
{{ printf "%s-session-server" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "gitlab-runner.imagePullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image ) "context" $) -}}
{{- end -}}
{{/*
Name of the Runner Secret
*/}}
{{- define "gitlab-runner.secretName" -}}
{{- if .Values.existingSecret -}}
{{- include "common.tplvalues.render" (dict "value" .Values.existingSecret "context" $) -}}
{{- else -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Name of the Runner ConfigMap
*/}}
{{- define "gitlab-runner.configmapName" -}}
{{- if .Values.existingConfigMap -}}
{{- include "common.tplvalues.render" (dict "value" .Values.existingConfigMap "context" $) -}}
{{- else -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Return true if the server can be deployed
*/}}
{{- define "gitlab-runner.canDeploy" -}}
{{- if and .Values.gitlabUrl (coalesce .Values.runnerToken .Values.existingSecret) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "gitlab-runner.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "gitlab-runner.validateValues.sessionServer" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of gitlab-runner - Session server configuration */}}
{{- define "gitlab-runner.validateValues.sessionServer" -}}
{{- if and .Values.sessionServer.enabled (gt (.Values.replicaCount | int) 1) -}}
gitlab-runner: Incorrect Session Server configuration
When enabling the session server the number of replicas must be 1
{{- end -}}
{{- end -}}
{{/*
Check if there are rolling tags in the images
*/}}
{{- define "gitlab-runner.checkRollingTags" -}}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- end -}}

26
bitnami/gitlab-runner/templates/cluster-role.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.rbac.create -}}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: {{ ternary "ClusterRole" "Role" .Values.rbac.clusterWideAccess }}
metadata:
name: {{ template "common.names.fullname.namespace" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
{{- /* Mimicking the logic from the upstream chart. When rbac.rules is not set, add all objects from the core API Group */}}
{{- if not .Values.rbac.rules }}
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
{{- else }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
{{- end }}
{{- end -}}

256
bitnami/gitlab-runner/templates/configmap-scripts.yaml Normal file
View File

@@ -0,0 +1,256 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-scripts" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
# Taken from the upstream chart with miminal value adaptations
# https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml?ref_type=heads
entrypoint: |
#!/bin/bash
set -e
export CONFIG_PATH_FOR_INIT="{{ ternary "/etc/gitlab-runner/" "/home/gitlab-runner/.gitlab-runner/" (eq 0 (.Values.containerSecurityContext.runAsUser | int64)) }}"
mkdir -p ${CONFIG_PATH_FOR_INIT}
cp /configmaps/config.toml ${CONFIG_PATH_FOR_INIT}
{{- if .Values.sessionServer.enabled }}
quit() {
kill -TERM "$child"
}
trap quit QUIT TERM
bash /configmaps/set-session-server-address &
child=$!
wait "$child"
bash /configmaps/set-session-server-port &
child=$!
wait "$child"
{{- end }}
# Set up environment variables for cache
if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then
export CACHE_S3_ACCESS_KEY=$(cat /secrets/accesskey)
export CACHE_S3_SECRET_KEY=$(cat /secrets/secretkey)
fi
if [[ -f /secrets/gcs-applicaton-credentials-file ]]; then
export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-applicaton-credentials-file"
elif [[ -f /secrets/gcs-application-credentials-file ]]; then
export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-application-credentials-file"
else
if [[ -f /secrets/gcs-access-id && -f /secrets/gcs-private-key ]]; then
export CACHE_GCS_ACCESS_ID=$(cat /secrets/gcs-access-id)
# echo -e used to make private key multiline (in google json auth key private key is oneline with \n)
export CACHE_GCS_PRIVATE_KEY=$(echo -e $(cat /secrets/gcs-private-key))
fi
fi
if [[ -f /secrets/azure-account-name && -f /secrets/azure-account-key ]]; then
export CACHE_AZURE_ACCOUNT_NAME=$(cat /secrets/azure-account-name)
export CACHE_AZURE_ACCOUNT_KEY=$(cat /secrets/azure-account-key)
fi
if [[ -f /secrets/runner-registration-token ]]; then
export REGISTRATION_TOKEN=$(cat /secrets/runner-registration-token)
fi
if [[ -f /secrets/runner-token ]]; then
export CI_SERVER_TOKEN=$(cat /secrets/runner-token)
fi
# Register the runner
if ! sh /configmaps/register-the-runner; then
exit 1
fi
# Run pre-entrypoint-script
if ! bash /configmaps/pre-entrypoint-script; then
exit 1
fi
# Start the runner
exec /entrypoint run \
{{- if and .Values.runners.executor (ne "shell" ((.Values.runners.executor) | toString)) }}
--user=gitlab-runner \
{{- end }}
--working-directory=/home/gitlab-runner
register-the-runner: |
#!/bin/sh
signal_handler() {
if [ ! -d "/proc/$register_pid" ]; then
wait $register_pid
fi
exit
}
trap 'signal_handler' QUIT INT
MAX_REGISTER_ATTEMPTS=30
# Reset/unset the not needed flags when an authentication token
RUN_UNTAGGED="{{ ternary "--run-untagged=true" "" .Values.runners.runUntagged }}"
ACCESS_LEVEL="{{ ternary "--access-level=ref_protected" "" .Values.runners.protected }}"
if [ -n "$CI_SERVER_TOKEN" ] && [ "${CI_SERVER_TOKEN#glrt-}" != "$CI_SERVER_TOKEN" ]; then
RUN_UNTAGGED=""
ACCESS_LEVEL=""
unset REGISTER_LOCKED
unset RUNNER_TAG_LIST
fi
for i in $(seq 1 "${MAX_REGISTER_ATTEMPTS}"); do
echo "Registration attempt ${i} of ${MAX_REGISTER_ATTEMPTS}"
/entrypoint register \
{{- if .Values.runners.name }}
--name={{ .Values.runners.name | quote -}} \
{{- end }}
{{- if .Values.runners.maximumTimeout }}
--maximum-timeout={{ .Values.runners.maximumTimeout | quote -}} \
{{- end }}
${RUN_UNTAGGED} \
${ACCESS_LEVEL} \
{{- if .Values.runners.config }}
--template-config /configmaps/config.template.toml \
{{- else if .Values.runners.configPath }}
--template-config {{ .Values.runners.configPath }} \
{{- end }}
--non-interactive &
register_pid=$!
wait $register_pid
retval=$?
if [ ${retval} = 0 ]; then
break
elif [ ${i} = ${MAX_REGISTER_ATTEMPTS} ]; then
exit 1
fi
sleep 5
done
check-live: |
#!/bin/bash
set -eou pipefail
# default timeout is 3 seconds, can be overriden
VERIFY_TIMEOUT=${1:-${VERIFY_TIMEOUT:-3}}
if ! /usr/bin/pgrep -f ".*register-the-runner" > /dev/null && ! /usr/bin/pgrep -f "gitlab.*runner" > /dev/null ; then
exit 1
fi
status=0
# empty --url= helps `gitlab-runner verify` select all configured runners (otherwise filters for $CI_SERVER_URL)
verify_output=$(timeout "${VERIFY_TIMEOUT}" gitlab-runner verify --url= 2>&1) || status=$?
# timeout exit code is 143 with busybox, and 124 with coreutils
if (( status == 143 )) || (( status == 124 )) ; then
echo "'gitlab-runner verify' terminated by timeout, not a conclusive failure" >&2
exit 0
elif (( status > 0 )) ; then
exit ${status}
fi
grep -qE "is (alive|valid)" <<<"${verify_output}"
{{- if .Values.sessionServer.enabled }}
set-session-server-address: |
#!/bin/bash
if [[ -n "${SESSION_SERVER_ADDRESS}" ]]; then
sed -i -e "s/SESSION_SERVER_ADDRESS/$SESSION_SERVER_ADDRESS/g" ${CONFIG_PATH_FOR_INIT}/config.toml
else
APISERVER=https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443} \
&& SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount \
&& NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) \
&& TOKEN=$(cat ${SERVICEACCOUNT}/token) \
&& CACERT=${SERVICEACCOUNT}/ca.crt \
&& header="Authorization: Bearer ${TOKEN}"
SERVICEURL=${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/{{ include "gitlab-runner.session-server.fullname" . }}
has_address=false
while [ "${has_address}" = false ]; do
SERVICEIP=$(curl —-silent \
--cacert ${CACERT} \
--header "${header}" \
-X GET ${SERVICEURL} 2>/dev/null \
| grep '"ip":' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -1)
# for aws, the hostname is available but not the external IP
SERVICEHOSTNAME=$(curl —-silent \
--cacert ${CACERT} \
--header "${header}" \
-X GET ${SERVICEURL} 2>/dev/null \
| grep '"hostname":' | cut -d ":" -f2 | xargs)
ADDRESS="${SERVICEHOSTNAME:-$SERVICEIP}"
if [ -z "${ADDRESS}" ]
then
echo "Service LoadBalancer External Address not yet available"
has_address=false
sleep 5
else
has_address=true
sed -i -e "s/SESSION_SERVER_ADDRESS/$ADDRESS/g" ${CONFIG_PATH_FOR_INIT}/config.toml
fi
done
fi
set-session-server-port: |
#!/bin/bash
{{- if and (eq .Values.sessionServer.service.type "NodePort") (not .Values.sessionServer.service.nodePorts.sessionServer) }}
APISERVER=https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443} \
&& SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount \
&& NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) \
&& TOKEN=$(cat ${SERVICEACCOUNT}/token) \
&& CACERT=${SERVICEACCOUNT}/ca.crt \
&& header="Authorization: Bearer ${TOKEN}"
SERVICEURL=${APISERVER}/api/v1/namespaces/${NAMESPACE}/services/{{ include "gitlab-runner.session-server.fullname" . }}
has_port=false
while [ "${has_port}" = false ]; do
SERVICEPORT=$(curl —-silent \
--cacert ${CACERT} \
--header "${header}" \
-X GET ${SERVICEURL} 2>/dev/null \
| grep '"nodePort":' | cut -d ":" -f2 | xargs)
if [ -z "${SERVICEPORT}" ]; then
echo "Service nodePort not yet available"
sleep 5
else
has_port=true
sed -i -e "s/SESSION_SERVER_PORT/${SERVICEPORT}/g" ${CONFIG_PATH_FOR_INIT}/config.toml
fi
done
{{- else if .Values.sessionServer.service.nodePorts.sessionServer }}
sed -i -e "s/SESSION_SERVER_PORT/{{ .Values.sessionServer.service.nodePorts.sessionServer }}/g" ${CONFIG_PATH_FOR_INIT}/config.toml
{{- else }}
sed -i -e "s/SESSION_SERVER_PORT/{{ .Values.sessionServer.service.ports.sessionServer }}/g" ${CONFIG_PATH_FOR_INIT}/config.toml
{{- end }}
{{ end }}
pre-entrypoint-script: |
{{- include "common.tplvalues.render" (dict "values" .Values.preEntrypointScript "context" $) | nindent 4 }}

51
bitnami/gitlab-runner/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,51 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if not .Values.existingConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
# Taken from the upstream chart with miminal value adaptations
# https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml?ref_type=heads
config.toml: |
shutdown_timeout = {{ .Values.shutdownTimeout }}
concurrent = {{ .Values.concurrent }}
check_interval = {{ .Values.checkInterval }}
log_level = {{ default "info" .Values.logLevel | quote }}
{{- if .Values.logFormat }}
log_format = {{ .Values.logFormat | quote }}
{{- end }}
{{- if .Values.metrics.enabled }}
listen_address = ":{{ .Values.containerPorts.metrics }}"
{{- end }}
{{- if .Values.sentryDsn }}
sentry_dsn = "{{ .Values.sentryDsn }}"
{{- end }}
{{- if .Values.connectionMaxAge }}
connection_max_age = "{{ .Values.connectionMaxAge }}"
{{- end }}
{{- if .Values.sessionServer.enabled }}
[session_server]
session_timeout = {{ .Values.sessionServer.sessionTimeout }}
listen_address = "0.0.0.0:{{ .Values.containerPorts.sessionServer }}"
advertise_address = "SESSION_SERVER_ADDRESS:SESSION_SERVER_PORT"
{{- end }}
{{- if .Values.extraConfig }}
{{- include "common.tplvalues.render" (dict "values" .Values.extraConfig "context" $) | nindent 4 }}
{{- end }}
{{ if .Values.runners.config }}
config.template.toml: |
{{- include "common.tplvalues.render" (dict "value" .Values.runners.config "context" $) | nindent 4 }}
{{ end }}
{{- end }}

250
bitnami/gitlab-runner/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,250 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "gitlab-runner.canDeploy" .) }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if and (not .Values.autoscaling.hpa.enabled) (not .Values.sessionServer.enabled) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- if .Values.updateStrategy }}
strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $) | nindent 4 }}
{{- end }}
template:
metadata:
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.podAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "gitlab-runner.imagePullSecrets" . | nindent 6 }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
serviceAccountName: {{ template "gitlab-runner.serviceAccountName" . }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName | quote }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: gitlab-runner
image: {{ template "gitlab-runner.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- else }}
command:
- dumb-init
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- else }}
args:
- --
- /bin/bash
- /configmaps/entrypoint
{{- if .Values.extraArgs }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraArgs "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- else if .Values.unregisterRunners }}
lifecycle:
preStop:
exec:
command:
- /entrypoint
- unregister
- --all-runners
{{- end }}
env:
- name: HOME
value: /home/gitlab-runner
- name: CI_SERVER_URL
value: {{ .Values.gitlabUrl | quote }}
- name: RUNNER_EXECUTOR
value: {{ .Values.runners.executor | quote }}
- name: KUBERNETES_NAMESPACE
value: {{ include "common.names.namespace" . | quote }}
{{- if .Values.sessionServer.enabled }}
- name: SESSION_SERVER_ADDRESS
{{- if .Values.sessionServer.service.loadBalancerIP }}
value: {{ .Values.sessionServer.service.loadBalancerIP }}
{{- else if eq .Values.sessionServer.service.type "ClusterIP" }}
value: {{ printf "%s.%s" (include "gitlab-runner.session-server.fullname" .) (include "common.names.namespace" .) }}
{{- else if eq .Values.sessionServer.service.type "NodePort" }}
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
{{- end }}
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
ports:
{{- if .Values.metrics.enabled }}
- name: http-metrics
containerPort: {{ .Values.containerPorts.metrics }}
{{- end }}
{{- if .Values.sessionServer.enabled }}
- name: http-session
containerPort: {{ .Values.containerPorts.sessionServer }}
protocol: TCP
{{- end }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- /bin/bash
- /configmaps/check-live
- {{ .Values.livenessProbe.timeoutSeconds | add -1 | max 1 | quote }}
{{- end }}
{{- if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
exec:
command:
- pgrep
- "gitlab.*runner"
{{- end }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
command:
- pgrep
- "gitlab.*runner"
{{- end }}
{{- end }}
volumeMounts:
- name: projected-secrets
mountPath: /secrets
- name: empty-dir
mountPath: /home/gitlab-runner/.gitlab-runner
subPath: app-gitlab-runner-dir
- name: empty-dir
mountPath: /etc/gitlab-runner
subPath: etc-gitlab-runner-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: configmaps
mountPath: /configmaps
{{- if .Values.existingCertsSecret }}
- name: custom-certs
readOnly: true
mountPath: /home/gitlab-runner/.gitlab-runner/certs/
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
# The gitlab script expect all secrets mounted in the same folder, so we need to use projected secrets
- name: projected-secrets
projected:
sources:
{{- if .Values.existingCacheSecret }}
- secret:
name: {{ include "common.tplvalues.render" (dict "value" .Values.existingCacheSecret "context" $) }}
{{- end }}
- secret:
name: {{ include "gitlab-runner.secretName" . }}
items:
- key: runner-token
path: runner-token
{{- if .Values.existingCertsSecret }}
- name: custom-certs
secret:
secretName: {{ include "common.tplvalues.render" (dict "value" .Values.existingCertsSecret "context" $) }}
{{- end }}
# The gitlab script expect all scripts and configuration files to be mounted in the same folder
- name: configmaps
projected:
sources:
- configMap:
name: {{ include "gitlab-runner.configmapName" . }}
- configMap:
name: {{ printf "%s-scripts" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}

9
bitnami/gitlab-runner/templates/extra-list.yaml Normal file
View File

@@ -0,0 +1,9 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

50
bitnami/gitlab-runner/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.autoscaling.hpa.enabled }}
apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
name: {{ template "common.names.fullname" . }}
minReplicas: {{ .Values.autoscaling.hpa.minReplicas }}
maxReplicas: {{ .Values.autoscaling.hpa.maxReplicas }}
metrics:
{{- if .Values.autoscaling.hpa.targetCPU }}
- type: Resource
resource:
name: cpu
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
targetAverageUtilization: {{ .Values.autoscaling.hpa.targetCPU }}
{{- else }}
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.hpa.targetCPU }}
{{- end }}
{{- end }}
{{- if .Values.autoscaling.hpa.targetMemory }}
- type: Resource
resource:
name: memory
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
targetAverageUtilization: {{ .Values.autoscaling.hpa.targetMemory }}
{{- else }}
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.hpa.targetMemory }}
{{- end }}
{{- end }}
{{- end }}

48
bitnami/gitlab-runner/templates/ingress-tls-secret.yaml Normal file
View File

@@ -0,0 +1,48 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.sessionServer.enabled .Values.sessionServer.ingress.enabled }}
{{- if .Values.sessionServer.ingress.secrets }}
{{- range .Values.sessionServer.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
namespace: {{ include "common.names.namespace" $ | quote }}
labels: {{- include "common.labels.standard" (dict "customLabels" $.Values.commonLabels "context" $) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- end }}
{{- if and .Values.sessionServer.ingress.tls .Values.sessionServer.ingress.selfSigned }}
{{- $secretName := printf "%s-tls" .Values.sessionServer.ingress.hostname }}
{{- $ca := genCA "sessionServer-ca" 365 }}
{{- $cert := genSignedCert .Values.sessionServer.ingress.hostname nil (list .Values.sessionServer.ingress.hostname) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}
{{- end }}

59
bitnami/gitlab-runner/templates/metrics-svc.yaml Normal file
View File

@@ -0,0 +1,59 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
{{- $defaultMetricsAnnotations := dict "prometheus.io/scrape" "true" "prometheus.io/port" .Values.metrics.service.ports.metrics "prometheus.io/path" "/metrics" }}
{{- $annotations = include "common.tplvalues.merge" (dict "values" (list $annotations $defaultMetricsAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.metrics.service.type }}
{{- if and .Values.metrics.service.clusterIP (eq .Values.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.metrics.service.clusterIP }}
{{- end }}
{{- if .Values.metrics.service.sessionAffinity }}
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
{{- end }}
{{- if .Values.metrics.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
{{- if or (eq .Values.metrics.service.type "LoadBalancer") (eq .Values.metrics.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.metrics.service.type "LoadBalancer") (not (empty .Values.metrics.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{ .Values.metrics.service.loadBalancerSourceRanges }}
{{- end }}
{{- if and (eq .Values.metrics.service.type "LoadBalancer") (not (empty .Values.metrics.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
{{- end }}
ports:
- name: http-metrics
port: {{ .Values.metrics.service.ports.metrics }}
protocol: TCP
targetPort: http-metrics
{{- if and (or (eq .Values.metrics.service.type "NodePort") (eq .Values.metrics.service.type "LoadBalancer")) (not (empty .Values.metrics.service.nodePorts.metrics)) }}
nodePort: {{ .Values.metrics.service.nodePorts.metrics }}
{{- else if eq .Values.metrics.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.metrics.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- end }}

73
bitnami/gitlab-runner/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,73 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
- ports:
# Allow dns resolution
- port: 53
protocol: UDP
- port: 53
protocol: TCP
{{- range $port := .Values.networkPolicy.kubeAPIServerPorts }}
- port: {{ $port }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
{{- if .Values.metrics.enabled }}
- port: {{ .Values.containerPorts.metrics }}
{{- end }}
{{- if .Values.sessionServer.enabled }}
- port: {{ .Values.containerPorts.sessionServer }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

28
bitnami/gitlab-runner/templates/pdb.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if or .Values.pdb.maxUnavailable ( not .Values.pdb.minAvailable ) }}
maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- end }}

25
bitnami/gitlab-runner/templates/role-binding.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.rbac.create -}}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: {{ ternary "ClusterRoleBinding" "RoleBinding" .Values.rbac.clusterWideAccess }}
metadata:
name: {{ template "common.names.fullname.namespace" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ ternary "ClusterRole" "Role" .Values.rbac.clusterWideAccess }}
name: {{ template "common.names.fullname.namespace" . }}
subjects:
- kind: ServiceAccount
name: {{ template "gitlab-runner.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- end -}}

21
bitnami/gitlab-runner/templates/secret.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
runner-token: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "runner-token" "length" 16 "providedValues" (list "runnerToken") "context" $) }}
{{- end }}

20
bitnami/gitlab-runner/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "gitlab-runner.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end -}}

50
bitnami/gitlab-runner/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ printf "%s-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if or .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
endpoints:
- port: http-metrics
path: "/metrics"
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
{{- end }}

61
bitnami/gitlab-runner/templates/session-server-ingress.yaml Normal file
View File

@@ -0,0 +1,61 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.sessionServer.enabled .Values.sessionServer.ingress.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "gitlab-runner.session-server.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if or .Values.sessionServer.ingress.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sessionServer.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.sessionServer.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
ingressClassName: {{ .Values.sessionServer.ingress.ingressClassName | quote }}
{{- end }}
rules:
{{- if .Values.sessionServer.ingress.hostname }}
- host: {{ .Values.sessionServer.ingress.hostname }}
http:
paths:
{{- if .Values.sessionServer.ingress.extraPaths }}
{{- toYaml .Values.sessionServer.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.sessionServer.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.sessionServer.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "gitlab-runner.session-server.fullname" .) "servicePort" "http-session" "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.sessionServer.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "gitlab-runner.session-server.fullname" .) "servicePort" "http-session" "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.sessionServer.ingress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.sessionServer.ingress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- if or (and .Values.sessionServer.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.sessionServer.ingress.annotations )) .Values.sessionServer.ingress.selfSigned)) .Values.sessionServer.ingress.extraTls }}
tls:
{{- if and .Values.sessionServer.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.sessionServer.ingress.annotations )) .Values.sessionServer.ingress.selfSigned) }}
- hosts:
- {{ .Values.sessionServer.ingress.hostname | quote }}
secretName: {{ printf "%s-tls" .Values.sessionServer.ingress.hostname }}
{{- end }}
{{- if .Values.sessionServer.ingress.extraTls }}
{{- include "common.tplvalues.render" (dict "value" .Values.sessionServer.ingress.extraTls "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

57
bitnami/gitlab-runner/templates/session-server-svc.yaml Normal file
View File

@@ -0,0 +1,57 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.sessionServer.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "gitlab-runner.session-server.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.sessionServer.service.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if or .Values.sessionServer.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sessionServer.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.sessionServer.service.type }}
{{- if and .Values.sessionServer.service.clusterIP (eq .Values.sessionServer.service.type "ClusterIP") }}
clusterIP: {{ .Values.sessionServer.service.clusterIP }}
{{- end }}
{{- if .Values.sessionServer.service.sessionAffinity }}
sessionAffinity: {{ .Values.sessionServer.service.sessionAffinity }}
{{- end }}
{{- if .Values.sessionServer.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.sessionServer.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
{{- if or (eq .Values.sessionServer.service.type "LoadBalancer") (eq .Values.sessionServer.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.sessionServer.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.sessionServer.service.type "LoadBalancer") (not (empty .Values.sessionServer.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{ .Values.sessionServer.service.loadBalancerSourceRanges }}
{{- end }}
{{- if and (eq .Values.sessionServer.service.type "LoadBalancer") (not (empty .Values.sessionServer.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.sessionServer.service.loadBalancerIP }}
{{- end }}
ports:
- name: http-session
port: {{ .Values.sessionServer.service.ports.sessionServer }}
protocol: TCP
targetPort: http-session
{{- if and (or (eq .Values.sessionServer.service.type "NodePort") (eq .Values.sessionServer.service.type "LoadBalancer")) (not (empty .Values.sessionServer.service.nodePorts.sessionServer)) }}
nodePort: {{ .Values.sessionServer.service.nodePorts.sessionServer }}
{{- else if eq .Values.sessionServer.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.sessionServer.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.sessionServer.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- end }}

45
bitnami/gitlab-runner/templates/vpa.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "common.capabilities.apiVersions.has" ( dict "version" "autoscaling.k8s.io/v1/VerticalPodAutoscaler" "context" . )) .Values.autoscaling.vpa.enabled }}
apiVersion: {{ include "common.capabilities.vpa.apiVersion" . }}
kind: VerticalPodAutoscaler
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: gitlab-runner
app.kubernetes.io/component: gitlab-runner
{{- if or .Values.autoscaling.vpa.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
resourcePolicy:
containerPolicies:
- containerName: gitlab-runner
{{- with .Values.autoscaling.vpa.controlledResources }}
controlledResources:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.autoscaling.vpa.maxAllowed }}
maxAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.autoscaling.vpa.minAllowed }}
minAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
targetRef:
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
name: {{ include "common.names.fullname" . }}
{{- if .Values.autoscaling.vpa.updatePolicy }}
updatePolicy:
{{- with .Values.autoscaling.vpa.updatePolicy.updateMode }}
updateMode: {{ . }}
{{- end }}
{{- end }}
{{- end }}

874
bitnami/gitlab-runner/values.yaml Normal file
View File

@@ -0,0 +1,874 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
##
global:
imageRegistry: ""
## E.g.
## imagePullSecrets:
## - myRegistryKeySecretName
##
imagePullSecrets: []
## Security parameters
##
security:
## @param global.security.allowInsecureImages Allows skipping image verification
allowInsecureImages: false
## Compatibility adaptations for Kubernetes platforms
##
compatibility:
## Compatibility adaptations for Openshift
##
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: auto
## @section Common parameters
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Add labels to all the deployed resources
##
commonLabels: {}
## @param commonAnnotations Add annotations to all the deployed resources
##
commonAnnotations: {}
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Enable diagnostic mode in the deployment(s)/statefulset(s)
##
diagnosticMode:
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
##
enabled: false
## @param diagnosticMode.command Command to override all containers in the the deployment(s)/statefulset(s)
##
command:
- sleep
## @param diagnosticMode.args Args to override all containers in the the deployment(s)/statefulset(s)
##
args:
- infinity
## @section Gitlab Runner parameters
## Bitnami Gitlab Runner image version
## ref: https://hub.docker.com/r/bitnami/gitlab-runner/tags/
## @param image.registry [default: REGISTRY_NAME] Gitlab Runner image registry
## @param image.repository [default: REPOSITORY_NAME/gitlab-runner] Gitlab Runner image repository
## @skip image.tag Gitlab Runner image tag (immutable tags are recommended)
## @param image.digest Gitlab Runner image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Gitlab Runner image pull policy
## @param image.pullSecrets Gitlab Runner image pull secrets
##
image:
registry: docker.io
repository: bitnami/gitlab-runner
tag: 17.9.1-debian-12-r1
digest: ""
## Specify a imagePullPolicy
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: true
## @param hostAliases Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param replicaCount Number of gitlab-runner nodes to deploy
##
replicaCount: 1
## @param gitlabUrl GitLab Server URL (with protocol) to register the runner
##
gitlabUrl: ""
## @param runnerToken Token for adding new Runners to the GitLab Server
##
runnerToken: ""
## @param existingSecret Name of a secret containing the runner token
##
existingSecret: ""
## @param existingCacheSecret Name of a secret containing the distributed cache credentials
##
existingCacheSecret: ""
## @param existingConfigMap Name of a ConfigMap containing the configuration and scripts
##
existingConfigMap: ""
## @param extraConfig Append extra configuration to the default config file
##
extraConfig: ""
## @param unregisterRunners Unregister all runners before termination
unregisterRunners: true
## @param existingCertsSecret Name of a secret containing custom certificates to connect to the Gitlab instance.
##
existingCertsSecret: ""
## @param concurrent Maximum number of concurrent jobs
##
concurrent: 10
## @param shutdownTimeout Time in seconds before a forceful shutdown
##
shutdownTimeout: 0
## @param checkInterval Time in seconds to check for Gitlab builds
##
checkInterval: 3
## @param logLevel Runner logging level
##
logLevel: info
## @param logFormat Runner logging format
##
logFormat: runner
## @param sentryDsn Runner's Sentry DSN.
##
sentryDsn: ""
## @param connectionMaxAge Maximum connection age for TLS keepalive connections.
## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
##
connectionMaxAge: "15m"
## @param preEntrypointScript Commands to execute prior to the entrypoint
##
preEntrypointScript: ""
## @param updateStrategy.type Set up update strategy for gitlab-runner installation.
## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## Example:
## updateStrategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
updateStrategy:
type: RollingUpdate
## Autoscaling configuration
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
##
autoscaling:
vpa:
## @param autoscaling.vpa.enabled Enable VPA
##
enabled: false
## @param autoscaling.vpa.annotations Annotations for VPA resource
##
annotations: {}
## @param autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
##
controlledResources: []
## @param autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
## cpu: 200m
## memory: 100Mi
maxAllowed: {}
## @param autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
## cpu: 200m
## memory: 100Mi
minAllowed: {}
updatePolicy:
## @param autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
## Possible values are "Off", "Initial", "Recreate", and "Auto".
##
updateMode: Auto
hpa:
## @param autoscaling.hpa.enabled Enable autoscaling for operator
##
enabled: false
## @param autoscaling.hpa.minReplicas Minimum number of operator replicas
##
minReplicas: ""
## @param autoscaling.hpa.maxReplicas Maximum number of operator replicas
##
maxReplicas: ""
## @param autoscaling.hpa.targetCPU Target CPU utilization percentage
##
targetCPU: ""
## @param autoscaling.hpa.targetMemory Target Memory utilization percentage
##
targetMemory: ""
## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
## @param rbac.create Enable RBAC authentication
##
create: true
## @param rbac.clusterWideAccess Allow runner cluster-wide access
##
clusterWideAccess: false
## @param rbac.rules Define list of rules to be added to the rbac role permissions
##
rules: []
## Pods Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## @param serviceAccount.create Specifies whether a ServiceAccount should be created
##
create: true
## @param serviceAccount.name The name of the ServiceAccount to create
## If not set and create is true, a name is generated using the common.names.fullname template
name: ""
## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
##
automountServiceAccountToken: false
## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
##
annotations: {}
## @param containerPorts.metrics Port where gitlab-runner will expose metrics
## @param containerPorts.sessionServer Port where gitlab-runner will use the sessionServer
##
containerPorts:
metrics: 9252
sessionServer: 8093
## @param dnsPolicy Default dnsPolicy setting
## If you enable hostNetwork then you may need to set your dnsPolicy to something other
## than "ClusterFirst" depending on your requirements.
dnsPolicy: "ClusterFirst"
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param lifecycleHooks for the gitlab-runner container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param extraEnvVars Array with extra environment variables to add to gitlab-runner nodes
## e.g:
## extraEnvVars:
## - name: FOO
## value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for gitlab-runner nodes
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for gitlab-runner nodes
##
extraEnvVarsSecret: ""
## @param extraArgs Extra arguments to pass to gitlab-runner on start up
## ref: https://github.com/kubernetes-incubator/gitlab-runner#flags
##
## extraArgs:
## - --kubelet-insecure-tls=true
## - --kubelet-preferred-address-types=InternalIP
##
extraArgs: []
## @param sidecars Add additional sidecar containers to the gitlab-runner pod(s)
## e.g:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: []
## @param initContainers Add additional init containers to the gitlab-runner pod(s)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## e.g:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## command: ['sh', '-c', 'echo "hello world"']
##
initContainers: []
## @param podLabels Pod labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param priorityClassName Priority class for pod scheduling
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""
## @param schedulerName Name of the k8s scheduler (other than default)
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param terminationGracePeriodSeconds In seconds, time the given to the gitlab-runner pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Pod disruption budget
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets
## @param pdb.create Create a PodDisruptionBudget
## @param pdb.minAvailable Minimum available instances
## @param pdb.maxUnavailable Maximum unavailable instances
##
pdb:
create: true
minAvailable: ""
maxUnavailable: ""
## Node affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
##
type: ""
## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
## E.g.
## key: "kubernetes.io/e2e-az-name"
##
key: ""
## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param affinity Affinity for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
##
affinity: {}
## @param topologySpreadConstraints Topology spread constraints for pod
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints
##
topologySpreadConstraints: []
## @param nodeSelector Node labels for pod assignment
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
##
enabled: true
## @param networkPolicy.allowExternal The Policy model to apply
## When set to false, only pods with the correct client label will have network access to the ports Gitlab Runner is
## listening on. When true, Gitlab Runner will accept connections from any source (with the correct destination port).
##
allowExternal: true
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kubernetes components like kube-apiserver or kubelet (limit to your cluster settings to increase security)
##
kubeAPIServerPorts: [443, 6443, 8443, 10250]
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraIngress: []
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## Gitlab Runner containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "small"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Configure extra options for gitlab-runner containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
startupProbe:
enabled: false
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
successThreshold: 1
## @param livenessProbe.enabled Enable livenessProbe
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
successThreshold: 1
## @param readinessProbe.enabled Enable readinessProbe
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
successThreshold: 1
## @param customStartupProbe Custom liveness probe for the Web component
##
customStartupProbe: {}
## @param customLivenessProbe Custom Liveness probes for gitlab-runner
##
customLivenessProbe: {}
## @param customReadinessProbe Custom Readiness probes gitlab-runner
##
customReadinessProbe: {}
## Container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## Pod security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Pod security context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set Pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Extra volumes to mount
## @param extraVolumes Extra volumes
## @param extraVolumeMounts Mount extra volume(s)
## Example Use Case: mount an `emptyDir` to allow running with a `readOnlyRootFilesystem: true`
## extraVolumes:
## - name: tmpdir
## emptyDir: {}
##
extraVolumes: []
## extraVolumeMounts:
## - name: tmpdir
## mountPath: /tmp
##
extraVolumeMounts: []
## Configuration for the Pods that the runner launches for each new job
##
runners:
## @param runners.config [string] configuration for the pods created by the runner
##
config: |
[[runners]]
[runners.kubernetes]
namespace = "{{ include "common.names.namespace" . }}"
image = "{{ include "gitlab-runner.image" . }}"
## @param runners.configPath Absolute path for an existing runner configuration file (to be used with volumes/extraVolumes)
##
configPath: ""
## @param runners.executor Executor to be used by the runner
##
executor: kubernetes
## @param runners.name Name of the runner.
##
name: ""
## @param runners.maximumTimeout Specify the maximum timeout (in seconds) that will be set for job when using this Runner
maximumTimeout: ""
## @param runners.runUntagged Allow running jobs without tags
runUntagged: true
## @param runners.protected Run only in protected branches
##
protected: true
## @section Session Server Parameters
##
sessionServer:
## @param sessionServer.enabled Enable Session Server
##
enabled: false
## @param sessionServer.sessionTimeout Session timeout in seconds
##
sessionTimeout: 1800
## Service parameters
##
service:
## @param sessionServer.service.type Session Server service type
##
type: ClusterIP
## @param sessionServer.service.ports.sessionServer Session Server service port
##
ports:
sessionServer: 9000
## Node ports to expose
## @param sessionServer.service.nodePorts.sessionServer Node port for the Session Server
## NOTE: choose port between <30000-32767>
##
nodePorts:
sessionServer: ""
## @param sessionServer.service.labels Service labels
##
labels: {}
## @param sessionServer.service.clusterIP Session Server service Cluster IP
## e.g.:
## clusterIP: None
##
clusterIP: ""
## @param sessionServer.service.loadBalancerIP Session Server service Load Balancer IP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
##
loadBalancerIP: ""
## @param sessionServer.service.loadBalancerSourceRanges Session Server service Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## e.g:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param sessionServer.service.externalTrafficPolicy Session Server service external traffic policy
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param sessionServer.service.annotations [object] Additional custom annotations for Session Server service
##
annotations: {}
## @param sessionServer.service.extraPorts Extra ports to expose in Session Server service (normally used with the `sidecars` value)
##
extraPorts: []
## @param sessionServer.service.sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
##
sessionAffinity: None
## @param sessionServer.service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
## @param sessionServer.ingress.enabled Enable ingress record generation for Session Server
##
enabled: false
## @param sessionServer.ingress.pathType Ingress path type
##
pathType: ImplementationSpecific
## @param sessionServer.ingress.apiVersion Force Ingress API version (automatically detected if not set)
##
apiVersion: ""
## @param sessionServer.ingress.hostname Default host for the ingress record
##
hostname: session-server.local
## @param sessionServer.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
##
ingressClassName: ""
## @param sessionServer.ingress.path Default path for the ingress record
## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
##
path: /
## @param sessionServer.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
## Use this parameter to set the required annotations for cert-manager, see
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
## e.g:
## annotations:
## kubernetes.io/ingress.class: nginx
## cert-manager.io/cluster-issuer: cluster-issuer-name
##
annotations: {}
## @param sessionServer.ingress.tls Enable TLS configuration for the host defined at `sessionServer.ingress.hostname` parameter
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
## You can:
## - Use the `sessionServer.ingress.secrets` parameter to create this TLS secret
## - Rely on cert-manager to create it by setting the corresponding annotations
## - Rely on Helm to create self-signed certificates by setting `sessionServer.ingress.selfSigned=true`
##
tls: false
## @param sessionServer.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
##
selfSigned: false
## @param sessionServer.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
## e.g:
## extraHosts:
## - name: Session Server.local
## path: /
##
extraHosts: []
## @param sessionServer.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
## e.g:
## extraPaths:
## - path: /*
## backend:
## serviceName: ssl-redirect
## servicePort: use-annotation
##
extraPaths: []
## @param sessionServer.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## e.g:
## extraTls:
## - hosts:
## - Session Server.local
## secretName: Session Server.local-tls
##
extraTls: []
## @param sessionServer.ingress.secrets Custom TLS certificates as secrets
## NOTE: 'key' and 'certificate' are expected in PEM format
## NOTE: 'name' should line up with a 'secretName' set further up
## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
## e.g:
## secrets:
## - name: Session Server.local-tls
## key: |-
## -----BEGIN RSA PRIVATE KEY-----
## ...
## -----END RSA PRIVATE KEY-----
## certificate: |-
## -----BEGIN CERTIFICATE-----
## ...
## -----END CERTIFICATE-----
##
secrets: []
## @param sessionServer.ingress.extraRules Additional rules to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
## e.g:
## extraRules:
## - host: example.local
## http:
## path: /
## backend:
## service:
## name: example-svc
## port:
## name: http
##
extraRules: []
## Prometheus metrics
##
metrics:
## @param metrics.enabled Enable the export of Prometheus metrics
##
enabled: false
## Service parameters
##
service:
## @param metrics.service.type Session Server service type
##
type: ClusterIP
## @param metrics.service.ports.metrics Session Server service http port
##
ports:
metrics: 9252
## Node ports to expose
## @param metrics.service.nodePorts.metrics Node port for HTTP
## NOTE: choose port between <30000-32767>
##
nodePorts:
metrics: ""
## @param metrics.service.labels Service labels
##
labels: {}
## @param metrics.service.clusterIP Session Server service Cluster IP
## e.g.:
## clusterIP: None
##
clusterIP: ""
## @param metrics.service.loadBalancerIP Session Server service Load Balancer IP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
##
loadBalancerIP: ""
## @param metrics.service.loadBalancerSourceRanges Session Server service Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## e.g:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param metrics.service.externalTrafficPolicy Session Server service external traffic policy
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param metrics.service.annotations [object] Additional custom annotations for Session Server service
##
annotations: {}
## @param metrics.service.extraPorts Extra ports to expose in Session Server service (normally used with the `sidecars` value)
##
extraPorts: []
## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
##
sessionAffinity: None
## @param metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
##
enabled: false
## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
##
namespace: ""
## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
##
annotations: {}
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
##
labels: {}
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
##
jobLabel: ""
## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
##
honorLabels: false
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
## e.g:
## interval: 10s
##
interval: ""
## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
## e.g:
## scrapeTimeout: 10s
##
scrapeTimeout: ""
## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
##
metricRelabelings: []
## @param metrics.serviceMonitor.relabelings Specify general relabeling
##
relabelings: []
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
## selector:
## prometheus: my-prometheus
##
selector: {}