AlexeySetevoi · February 5, 2022 02:08
diff --git a/readme.txt b/readme.txt
 Problem:
  By default - when you using official charts.gitlab.io chart for gitlab-runner in k8s, you have some changes in build process,
  in comparsion with good old hosted docker runners. On hosted runners, you can build docker images transparently with
  service docker-dind(or without it, from Gitlab 12+), and all works great.
  
  But, if you want move you runners in your own-hosted k8s, your service docker-dind will run in same pod,
  not in build-container, and default lookup for local docker socket /var/run/docker.sock for build will fail. 
  As official way, you need to add in every pipepine(.gitlab-ci.yml) environment variable DOCKER_HOST: "tcp://localhost:2375",
  or same with port 2376 if you using tls variant 19+ docker.
  If you have a many projects - update pipelines for every project is hard. If you in migration process from hosts runners to k8s runners and have both types of runners - its a pain.
  
 Proposed temporary solution in this deployment. Main position of this solution is:
  1) You deploy gitlab-runners chart with answers.yml includes podLabel for build pods.
  2) You enable podPreset api(currenlty in alpha) and use podPreset api to inject DOCKER_HOST variable.
  3) Optional: You run separate docker deployments and make them accessible via service.
     this allow you to run gitlab-runners in unprivileged mode and move docker-dind pods to separate machine.

 This not ideal, but give you some peaceful time for migration.
  
diff --git a/answers.yml b/answers.yml
 ## GitLab Runner Image
 ##
 ## By default it's using gitlab/gitlab-runner:alpine-v{VERSION}
 ## where {VERSION} is taken from Chart.yaml from appVersion field
 ##
 ## ref: https://hub.docker.com/r/gitlab/gitlab-runner/tags/
 ##
 # image: gitlab/gitlab-runner:alpine-v12.1.0

 ## Specify a imagePullPolicy
 ## 'Always' if imageTag is 'latest', else set to 'IfNotPresent'
 ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
 ##
 imagePullPolicy: IfNotPresent

 ## The GitLab Server URL (with protocol) that want to register the runner against
 ## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
 ##
 gitlabUrl: <INSERT YOUR OWN URL>

 ## The Registration Token for adding new Runners to the GitLab Server. This must
 ## be retrieved from your GitLab Instance.
 ## ref: https://docs.gitlab.com/ce/ci/runners/README.html
 ##
 runnerRegistrationToken: "<INSERT YOUR OWN TOKEN>"

 ## The Runner Token for adding new Runners to the GitLab Server. This must
 ## be retrieved from your GitLab Instance. It is token of already registered runner.
 ## ref: (we don't yet have docs for that, but we want to use existing token)
 ##
 # runnerToken: ""
 #
 ## Unregister all runners before termination
 ##
 ## Updating the runner's chart version or configuration will cause the runner container
 ## to be terminated and created again. This may cause your Gitlab instance to reference
 ## non-existant runners. Un-registering the runner before termination mitigates this issue.
 ## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-unregister
 ##
 unregisterRunners: true

 ## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use
 ## Provide resource name for a Kubernetes Secret Object in the same namespace,
 ## this is used to populate the /etc/gitlab-runner/certs directory
 ## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
 ##
 # certsSecretName:

 ## Configure the maximum number of concurrent jobs
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 concurrent: 1

 ## Defines in seconds how often to check GitLab for a new builds
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 checkInterval: 10

 ## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
 # logLevel:

 ## For RBAC support:
 rbac:
  create: true
  ## Define specific rbac permissions.
  # resources: ["pods", "pods/exec", "secrets"]
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]

  ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs
  ## cluster-wide or only within namespace
  clusterWideAccess: false

  ## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create)
  ##
  # serviceAccountName: default

 ## Configure integrated Prometheus metrics exporter
 ## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server
 metrics:
  enabled: false

 ## Configuration for the Pods that that the runner launches for each new job
 ##
 runners:
  ## Default container image to use for builds when none is specified
  ##
  image: centos:7

  podLabels:
    component: gitlab-k8s-runner

  ## Specify one or more imagePullSecrets
  ##
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  # imagePullSecrets: []

  ## Specify the image pull policy: never, if-not-present, always. The cluster default will be used if not set.
  ##
  # imagePullPolicy: ""

  ## Defines number of concurrent requests for new job from GitLab
  ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section
  ##
  requestConcurrency: 1

  ## Specify whether the runner should be locked to a specific project: true, false. Defaults to true.
  ##
  locked: false

  ## Specify the tags associated with the runner. Comma-separated list of tags.
  ##
  ## ref: https://docs.gitlab.com/ce/ci/runners/#using-tags
  ##
  tags: "kubernetes,default,centos,docker"

  ## Run all containers with the privileged flag enabled
  ## This will allow the docker:dind image to run if you need to run Docker
  ## commands. Please read the docs before turning this on:
  ## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-docker-dind
  ##
  privileged: false

  ## The name of the secret containing runner-token and runner-registration-token
  # secret: gitlab-runner

  ## Namespace to run Kubernetes jobs in (defaults to the same namespace of this release)
  ##
  namespace: gitlab-runner

  ## Distributed runners caching
  ## ref: https://gitlab.com/gitlab-org/gitlab-runner/blob/master/docs/configuration/autoscale.md#distributed-runners-caching
  ##
  ## If you want to use s3 based distributing caching:
  ## First of all you need to uncomment General settings and S3 settings sections.
  ##
  ## Create a secret 's3access' containing 'accesskey' & 'secretkey'
  ## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
  ##
  ## $ kubectl create secret generic s3access \
  ##   --from-literal=accesskey="YourAccessKey" \
  ##   --from-literal=secretkey="YourSecretKey"
  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
  ##
  ## If you want to use gcs based distributing caching:
  ## First of all you need to uncomment General settings and GCS settings sections.
  ##
  ## Access using credentials file:
  ## Create a secret 'google-application-credentials' containing your application credentials file.
  ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section
  ## You could configure
  ## $ kubectl create secret generic google-application-credentials \
  ##   --from-file=gcs-applicaton-credentials-file=./path-to-your-google-application-credentials-file.json
  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
  ##
  ## Access using access-id and private-key:
  ## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'.
  ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-cache-gcs-section
  ## You could configure
  ## $ kubectl create secret generic gcsaccess \
  ##   --from-literal=gcs-access-id="YourAccessID" \
  ##   --from-literal=gcs-private-key="YourPrivateKey"
  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/
  cache: {}
 ## Affinity for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 ##
 affinity: {}

 ## Node labels for pod assignment
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
 ##
 nodeSelector: {}
  # Example: The gitlab runner manager should not run on spot instances so you can assign
  # them to the regular worker nodes only.
  # node-role.kubernetes.io/worker: "true"

 ## List of node taints to tolerate (requires Kubernetes >= 1.6)
 ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 tolerations: []
  # Example: Regular worker nodes may have a taint, thus you need to tolerate the taint
  # when you assign the gitlab runner manager with nodeSelector or affinity to the nodes.
  # - key: "node-role.kubernetes.io/worker"
  #   operator: "Exists"

 ## Configure environment variables that will be present when the registration command runs
 ## This provides further control over the registration process and the config.toml file
 ## ref: `gitlab-runner register --help`
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
 ##
 envVars: {}

 ## list of hosts and IPs that will be injected into the pod's hosts file
 hostAliases: []
  # Example:
  # - ip: "127.0.0.1"
  #   hostnames:
  #   - "foo.local"
  #   - "bar.local"
  # - ip: "10.1.2.3"
  #   hostnames:
  #   - "foo.remote"
  #   - "bar.remote"

 ## Annotations to be added to manager pod
 ##
 podAnnotations: {}
  # Example:
  # iam.amazonaws.com/role: <my_role_arn>
diff --git a/gitlab-dind-deployment.yml b/gitlab-dind-deployment.yml
 apiVersion: v1
 kind: Service
 metadata:
  name: docker
  namespace: gitlab-runner
 spec:
  clusterIP: None
  ports:
  - name: docker
    port: 2375
    protocol: TCP
    targetPort: 2375
  selector:
    app: gitlab-dind
    name: docker
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 300
  type: ClusterIP

 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: docker
  namespace: gitlab-runner
 spec:
  replicas: 1
  selector:
    matchLabels:
      name: docker
  template:
    metadata:
      labels:
        name: docker
        app: gitlab-dind
    spec:
      containers:
        - image: docker:19.03-dind
          imagePullPolicy: Always
          name: docker
          env:
            - name: DOCKER_TLS_CERTDIR
              value: ""
          ports:
            - containerPort: 2375
          securityContext:
            privileged: true
      restartPolicy: Always

 ---

 apiVersion: settings.k8s.io/v1alpha1
 kind: PodPreset
 metadata:
  name: add-docker-host
  namespace: gitlab-runner
 spec:
  selector:
    matchLabels:
      component: gitlab-k8s-runner
  env:
    - name: DOCKER_HOST
      value: "tcp://docker:2375"
	Problem:
	By default - when you using official charts.gitlab.io chart for gitlab-runner in k8s, you have some changes in build process,
	in comparsion with good old hosted docker runners. On hosted runners, you can build docker images transparently with
	service docker-dind(or without it, from Gitlab 12+), and all works great.

	But, if you want move you runners in your own-hosted k8s, your service docker-dind will run in same pod,
	not in build-container, and default lookup for local docker socket /var/run/docker.sock for build will fail.
	As official way, you need to add in every pipepine(.gitlab-ci.yml) environment variable DOCKER_HOST: "tcp://localhost:2375",
	or same with port 2376 if you using tls variant 19+ docker.
	If you have a many projects - update pipelines for every project is hard. If you in migration process from hosts runners to k8s runners and have both types of runners - its a pain.

	Proposed temporary solution in this deployment. Main position of this solution is:
	1) You deploy gitlab-runners chart with answers.yml includes podLabel for build pods.
	2) You enable podPreset api(currenlty in alpha) and use podPreset api to inject DOCKER_HOST variable.
	3) Optional: You run separate docker deployments and make them accessible via service.
	this allow you to run gitlab-runners in unprivileged mode and move docker-dind pods to separate machine.

	This not ideal, but give you some peaceful time for migration.
	## GitLab Runner Image
	##
	## By default it's using gitlab/gitlab-runner:alpine-v{VERSION}
	## where {VERSION} is taken from Chart.yaml from appVersion field
	##
	## ref: https://hub.docker.com/r/gitlab/gitlab-runner/tags/
	##
	# image: gitlab/gitlab-runner:alpine-v12.1.0

	## Specify a imagePullPolicy
	## 'Always' if imageTag is 'latest', else set to 'IfNotPresent'
	## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
	##
	imagePullPolicy: IfNotPresent

	## The GitLab Server URL (with protocol) that want to register the runner against
	## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
	##
	gitlabUrl: <INSERT YOUR OWN URL>

	## The Registration Token for adding new Runners to the GitLab Server. This must
	## be retrieved from your GitLab Instance.
	## ref: https://docs.gitlab.com/ce/ci/runners/README.html
	##
	runnerRegistrationToken: "<INSERT YOUR OWN TOKEN>"

	## The Runner Token for adding new Runners to the GitLab Server. This must
	## be retrieved from your GitLab Instance. It is token of already registered runner.
	## ref: (we don't yet have docs for that, but we want to use existing token)
	##
	# runnerToken: ""
	#
	## Unregister all runners before termination
	##
	## Updating the runner's chart version or configuration will cause the runner container
	## to be terminated and created again. This may cause your Gitlab instance to reference
	## non-existant runners. Un-registering the runner before termination mitigates this issue.
	## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-unregister
	##
	unregisterRunners: true

	## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use
	## Provide resource name for a Kubernetes Secret Object in the same namespace,
	## this is used to populate the /etc/gitlab-runner/certs directory
	## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
	##
	# certsSecretName:

	## Configure the maximum number of concurrent jobs
	## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
	##
	concurrent: 1

	## Defines in seconds how often to check GitLab for a new builds
	## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
	##
	checkInterval: 10

	## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic
	## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
	##
	# logLevel:

	## For RBAC support:
	rbac:
	create: true
	## Define specific rbac permissions.
	# resources: ["pods", "pods/exec", "secrets"]
	# verbs: ["get", "list", "watch", "create", "patch", "delete"]

	## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs
	## cluster-wide or only within namespace
	clusterWideAccess: false

	## Use the following Kubernetes Service Account name if RBAC is disabled in this Helm chart (see rbac.create)
	##
	# serviceAccountName: default

	## Configure integrated Prometheus metrics exporter
	## ref: https://docs.gitlab.com/runner/monitoring/#configuration-of-the-metrics-http-server
	metrics:
	enabled: false

	## Configuration for the Pods that that the runner launches for each new job
	##
	runners:
	## Default container image to use for builds when none is specified
	##
	image: centos:7

	podLabels:
	component: gitlab-k8s-runner

	## Specify one or more imagePullSecrets
	##
	## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
	##
	# imagePullSecrets: []

	## Specify the image pull policy: never, if-not-present, always. The cluster default will be used if not set.
	##
	# imagePullPolicy: ""

	## Defines number of concurrent requests for new job from GitLab
	## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section
	##
	requestConcurrency: 1

	## Specify whether the runner should be locked to a specific project: true, false. Defaults to true.
	##
	locked: false

	## Specify the tags associated with the runner. Comma-separated list of tags.
	##
	## ref: https://docs.gitlab.com/ce/ci/runners/#using-tags
	##
	tags: "kubernetes,default,centos,docker"

	## Run all containers with the privileged flag enabled
	## This will allow the docker:dind image to run if you need to run Docker
	## commands. Please read the docs before turning this on:
	## ref: https://docs.gitlab.com/runner/executors/kubernetes.html#using-docker-dind
	##
	privileged: false

	## The name of the secret containing runner-token and runner-registration-token
	# secret: gitlab-runner

	## Namespace to run Kubernetes jobs in (defaults to the same namespace of this release)
	##
	namespace: gitlab-runner

	## Distributed runners caching
	## ref: https://gitlab.com/gitlab-org/gitlab-runner/blob/master/docs/configuration/autoscale.md#distributed-runners-caching
	##
	## If you want to use s3 based distributing caching:
	## First of all you need to uncomment General settings and S3 settings sections.
	##
	## Create a secret 's3access' containing 'accesskey' & 'secretkey'
	## ref: https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
	##
	## $ kubectl create secret generic s3access \
	## --from-literal=accesskey="YourAccessKey" \
	## --from-literal=secretkey="YourSecretKey"
	## ref: https://kubernetes.io/docs/concepts/configuration/secret/
	##
	## If you want to use gcs based distributing caching:
	## First of all you need to uncomment General settings and GCS settings sections.
	##
	## Access using credentials file:
	## Create a secret 'google-application-credentials' containing your application credentials file.
	## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscachegcs-section
	## You could configure
	## $ kubectl create secret generic google-application-credentials \
	## --from-file=gcs-applicaton-credentials-file=./path-to-your-google-application-credentials-file.json
	## ref: https://kubernetes.io/docs/concepts/configuration/secret/
	##
	## Access using access-id and private-key:
	## Create a secret 'gcsaccess' containing 'gcs-access-id' & 'gcs-private-key'.
	## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-cache-gcs-section
	## You could configure
	## $ kubectl create secret generic gcsaccess \
	## --from-literal=gcs-access-id="YourAccessID" \
	## --from-literal=gcs-private-key="YourPrivateKey"
	## ref: https://kubernetes.io/docs/concepts/configuration/secret/
	cache: {}
	## Affinity for pod assignment
	## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
	##
	affinity: {}

	## Node labels for pod assignment
	## Ref: https://kubernetes.io/docs/user-guide/node-selection/
	##
	nodeSelector: {}
	# Example: The gitlab runner manager should not run on spot instances so you can assign
	# them to the regular worker nodes only.
	# node-role.kubernetes.io/worker: "true"

	## List of node taints to tolerate (requires Kubernetes >= 1.6)
	## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
	##
	tolerations: []
	# Example: Regular worker nodes may have a taint, thus you need to tolerate the taint
	# when you assign the gitlab runner manager with nodeSelector or affinity to the nodes.
	# - key: "node-role.kubernetes.io/worker"
	# operator: "Exists"

	## Configure environment variables that will be present when the registration command runs
	## This provides further control over the registration process and the config.toml file
	## ref: `gitlab-runner register --help`
	## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
	##
	envVars: {}

	## list of hosts and IPs that will be injected into the pod's hosts file
	hostAliases: []
	# Example:
	# - ip: "127.0.0.1"
	# hostnames:
	# - "foo.local"
	# - "bar.local"
	# - ip: "10.1.2.3"
	# hostnames:
	# - "foo.remote"
	# - "bar.remote"

	## Annotations to be added to manager pod
	##
	podAnnotations: {}
	# Example:
	# iam.amazonaws.com/role: <my_role_arn>
	apiVersion: v1
	kind: Service
	metadata:
	name: docker
	namespace: gitlab-runner
	spec:
	clusterIP: None
	ports:
	- name: docker
	port: 2375
	protocol: TCP
	targetPort: 2375
	selector:
	app: gitlab-dind
	name: docker
	sessionAffinity: ClientIP
	sessionAffinityConfig:
	clientIP:
	timeoutSeconds: 300
	type: ClusterIP

	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: docker
	namespace: gitlab-runner
	spec:
	replicas: 1
	selector:
	matchLabels:
	name: docker
	template:
	metadata:
	labels:
	name: docker
	app: gitlab-dind
	spec:
	containers:
	- image: docker:19.03-dind
	imagePullPolicy: Always
	name: docker
	env:
	- name: DOCKER_TLS_CERTDIR
	value: ""
	ports:
	- containerPort: 2375
	securityContext:
	privileged: true
	restartPolicy: Always

	---

	apiVersion: settings.k8s.io/v1alpha1
	kind: PodPreset
	metadata:
	name: add-docker-host
	namespace: gitlab-runner
	spec:
	selector:
	matchLabels:
	component: gitlab-k8s-runner
	env:
	- name: DOCKER_HOST
	value: "tcp://docker:2375"