Add Gitlab runners role #19
Conversation
| logging { | ||
| type = "loki" | ||
| } |
There was a problem hiding this comment.
Shouldn't this be checked based on platform?
| task "gitlab-runner-register" { | ||
| driver = "docker" | ||
| config { | ||
| image = "{{ nomad_gitlab_runner_docker_image }}" | ||
| command = "register" | ||
| args = [ | ||
| "--non-interactive", | ||
| "--config", | ||
| "{{ nomad_gitlab_runner_shared_config_file_path }}", | ||
| "--executor", | ||
| "docker", | ||
| "--docker-image", | ||
| "{{ nomad_gitlab_runner_container_ci_docker_image }}", | ||
| "--docker-volumes", | ||
| "/var/run/docker.sock:/var/run/docker.sock", | ||
| "--url", | ||
| "https://gitlab.{{ zone }}", | ||
| "--registration-token", | ||
| "{{ nomad_gitlab_shared_runner_token }}", | ||
| "--description", | ||
| "docker-runner-${env["NOMAD_SHORT_ALLOC_ID"]}", | ||
| "--tag-list", | ||
| "docker", | ||
| "--run-untagged=true", | ||
| "--locked=false", | ||
| "--access-level=not_protected" | ||
| ] | ||
| network_mode = "host" | ||
| } |
There was a problem hiding this comment.
Why can't you set the volumes the nomad way?
a lot of these args can be set in nomad config.
There was a problem hiding this comment.
I think this was mistakenly left over from a register command a job spec running the runner using the exec driver where that was required.
Will remove and add to the config stanza instead.
| @@ -0,0 +1,22 @@ | |||
| job "debug" { | |||
| datacenters = ["ewandc1"] | |||
| @@ -125,7 +125,9 @@ entryPoint = "traefik" | |||
| email = "{{ job_fact.certificate_email }}" | |||
| storage = "/config/{{ nomad_datacenter }}.json" | |||
| # comment for production | |||
| {% if gitlab_runners_enabled is false %} | |||
| caServer = "https://acme-staging-v02.api.letsencrypt.org/directory" | |||
There was a problem hiding this comment.
Why only when gitlab_runners_enabled? This makes no sense.
Create a letsencrypt caServer variable where you put both, and depending on a prd/dev environment you select which one you want to test with.
There was a problem hiding this comment.
Gitlab Runners do not easily register with a Gitlab instance using self-signed certs or LE staging certs.
I put a conditional as an easier way to get the runners to register, but it does break things a bit.
The only way to get them to work when using a self-signed or staging cert is to provide the Gitlab instance's certificate in PEM to the runner.
This would require some additional steps to download the cert, convert it to PEM and make it available to the Gitlab Runner task (Self-signed certificates or custom Certification Authorities - Gitlab Docs).
These steps could be put in a pre-task in the job spec that it is only included if a variable like nomad_le_ca_server is equal to dev.
There was a problem hiding this comment.
Good! That seems like a better solution.
This role sets up 3 (by default) runners on the Nomad cluster and registers them with the previously provisioned Gitlab instance.
Currently it is only implemented to run using the Nomad Docker driver due to difficulties implementing with isolated exec driver. The issues were mainly around access to the hosts Docker socket and sharing the
config.tomlgenerated after registering the runner in Gitlab.However the solution used in this role for sharing the config (using the
/allocdirectory that is shared between all tasks in a job that are in the same group) may also work with the isolated exec driver.Furthermore, in order to solve a persistent issue where Traefik would randomly switch to the Traefik default cert with little to no explanation in the logs, I have changed the Traefik instance to 1.
I changed it after observing that in the logs of one of the nodes running one of the Traefik instances, no entry would show up when Traefik would issue the default cert on an http request rather than the LE cert. On requests that used the LE cert, a log entry would show the http GET request.
Changing to only one instance seems to have solved the issue.
I will do further investigation to solve the root cause of this and hopefully make a future pull request to restore the count to the original 3.