Terraform for running GitLab CI/CD jobs on cloud.gov or another CloudFoundry based PaaS.
Include this repository as a module in your terraform setup to deploy a gitlab-runner-cloudgov system.
```hcl
module "gitlab-runner" {
  source          = "github.com/gsa-tts/gitlab-runner-cloudgov?ref=main" # TODO: releases via tags
  cf_space_prefix = "SPACEPREFIX"
  ci_server_token = "TOKEN"
  docker_hub_user  = "docker-username"
  docker_hub_token = "docker-personal-access-token"
  worker_egress_allowlist = [
    "hostname.to.allow",      # explanation of why it's allowed
    "other.hostname.to.allow" # explanation of why it's allowed
  ]
}
```

For local development, there is a `sandbox-deploy` module set up to deploy the root module using local state storage.
1. Log in to cloud.gov and select your ORGNAME when prompted:
   `cf login -a api.fr.cloud.gov --sso`
2. Create a management space, if it does not already exist:
   `cf create-space SPACEPREFIX-mgmt`
3. Switch working directory: `cd sandbox-deploy`
4. Copy `vars.tfvars-example` to `vars.auto.tfvars`: `cp vars.tfvars-example vars.auto.tfvars`
5. Edit `vars.auto.tfvars` and modify the values there as needed. In particular, you must:
   - for sandbox/developer deployments, set `cf_space_prefix` to the same `SPACEPREFIX` used for the management space
   - supply the `ci_server_token` provided when you configure the runner at the target GitLab URL
   - supply a Docker Hub username and personal access token to avoid rate limiting
   - set `developer_emails` to whoever might need to debug this deployment
   - set `worker_egress_allowlist` to the package hosts needed for your supported programming languages
6. Run `./terraform.sh -s SPACEPREFIX-mgmt -c validate` to set up terraform and check that the config is valid
7. Run `./terraform.sh` and double check that the planned changes are what is expected
8. Apply your changes with `./terraform.sh -c apply`
9. Check that the runner has registered itself in GitLab under your project repository at Settings -> CI/CD -> Runners (Expand)
At this point the runner should be available to run jobs. See Use GitLab - Use CI/CD to build your application - Getting started for much more on GitLab CI/CD and runners.
Once you are done with your sandbox, or to completely remove it before re-creating, run:
`./terraform.sh -c destroy`
This will remove the full runner setup, delete the deployer service account, and remove obsolete credentials files.
Problems with runner registration often require viewing the manager's logs:

```sh
cf target -s SPACEPREFIX-manager
cf logs --recent devtools-runner-manager
```

The manager and workers run in restricted-egress spaces. There are two places to edit in order to allow traffic:

- If the runner-manager cannot download something, or the runner-workers are failing during the `prepare.sh` steps, then `local.devtools_egress_allowlist` in `main.tf` should be updated.
- If the runner-workers cannot download a dependency required by the programming language in use by the project, then it should likely be added to `var.worker_egress_allowlist` in `vars.auto.tfvars` or in your module include.

It is also possible that additional configuration is required for the package manager in question to direct its traffic over the proxy.
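Because every entry in `worker_egress_allowlist` (both in the module include above and when adding hosts while troubleshooting egress) widens what the workers can reach, it is worth checking that each entry is a specific hostname and carries the justification comment the module example shows. The following lint is an added example, not part of this project; it assumes entries sit one per line between `worker_egress_allowlist = [` and the closing `]`, and the tfvars content it checks is constructed here for illustration.

```sh
#!/usr/bin/env sh
# lint_allowlist FILE: print one finding per questionable entry; exit 1 if any.
# Flags entries that are not a plain dotted hostname (wildcards, bare IPs)
# and entries with no trailing "# why this is allowed" comment.
lint_allowlist() {
  awk '
    /worker_egress_allowlist[[:space:]]*=[[:space:]]*\[/ { inlist = 1; next }
    inlist && /^[[:space:]]*\]/                           { inlist = 0; next }
    inlist && /"/ {
      host = $0; sub(/^[^"]*"/, "", host); sub(/".*$/, "", host)
      comment = $0; sub(/^[^#]*/, "", comment)
      # one or more dot-separated labels of [a-z0-9-], then an alphabetic TLD
      if (tolower(host) !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z]+$/) {
        print "not a specific hostname: " host; bad = 1
      }
      if (comment == "") { print "no justification comment: " host; bad = 1 }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample tfvars (not from the project) with two good and three bad entries.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/vars.auto.tfvars" <<'EOF'
cf_space_prefix = "SPACEPREFIX"
worker_egress_allowlist = [
  "registry.npmjs.org",     # npm package downloads
  "pypi.org",               # pip index
  "files.pythonhosted.org",
  "*.example.com",          # wildcard is too broad for an egress allowlist
  "10.0.0.1",               # raw IP cannot be reviewed by name
]
EOF

lint_allowlist "$WORKDIR/vars.auto.tfvars" || echo "allowlist needs attention"
```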
Recent versions of gitlab-runner expose almost all initial configuration
variables for the register subcommand as environment variables. This allows
us to do almost all configuration in manifest.yml and skip modifying
command line options in runner/.profile or having a .toml add on.
To run the terraform tests:

- Create a service account user with OrgManager permissions and set the `CF_USER` and `CF_PASSWORD` environment variables with that account's details
- From the root directory, run `terraform init`
- Run `./bin/run_tests.sh`