Merge pull request #36 from tipu-zlatan/gitlab-runner-chart

Add Gitlab-runner Helm Chart

charts/gitlab-runner/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+## Developer Certificate of Origin + License
+
+By contributing to GitLab B.V., You accept and agree to the following terms and
+conditions for Your present and future Contributions submitted to GitLab B.V.
+Except for the license granted herein to GitLab B.V. and recipients of software
+distributed by GitLab B.V., You reserve all right, title, and interest in and to
+Your Contributions. All Contributions are subject to the following DCO + License
+terms.
+
+[DCO + License](https://gitlab.com/gitlab-org/dco/blob/master/README.md)
+
+All Documentation content that resides under the [docs/ directory](/docs) of this
+repository is licensed under Creative Commons:
+[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/).
+
+_This notice should stay as the first item in the CONTRIBUTING.md file._

charts/gitlab-runner/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+name: gitlab-runner
+version: 0.69.0-beta
+appVersion: bleeding
+description: GitLab Runner
+keywords:
+- git
+- ci
+- deploy
+sources:
+- https://gitlab.com/gitlab-org/charts/gitlab-runner
+- https://gitlab.com/gitlab-org/gitlab-runner
+- https://docs.gitlab.com/runner/
+icon: https://gitlab.com/uploads/-/system/project/avatar/250833/runner_logo.png
+maintainers:
+- name: GitLab Inc.
+  email: [email protected]

charts/gitlab-runner/DEVELOPMENT.md

@@ -0,0 +1,12 @@
+# Developement
+
+## Running tests
+
+1. install helm unittest plugin:
+    ```bash
+    helm plugin install https://github.com/helm-unittest/helm-unittest.git
+    ```
+2. run tests:
+    ```bash
+    helm unittest .
+    ```

charts/gitlab-runner/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2018-2019 GitLab B.V.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+

charts/gitlab-runner/Makefile

@@ -0,0 +1,20 @@
+GITLAB_CHANGELOG_VERSION ?= master
+GITLAB_CHANGELOG = .tmp/gitlab-changelog-$(GITLAB_CHANGELOG_VERSION)
+
+.PHONY: generate_changelog
+generate_changelog: export CHANGELOG_RELEASE ?= dev
+generate_changelog: $(GITLAB_CHANGELOG)
+	# Generating new changelog entries
+	@$(GITLAB_CHANGELOG) -project-id 6329679 \
+		-release $(CHANGELOG_RELEASE) \
+		-starting-point-matcher "v[0-9]*.[0-9]*.[0-9]*" \
+		-config-file .gitlab/changelog.yml \
+		-changelog-file CHANGELOG.md
+
+$(GITLAB_CHANGELOG): OS_TYPE ?= $(shell uname -s | tr '[:upper:]' '[:lower:]')
+$(GITLAB_CHANGELOG): DOWNLOAD_URL = "https://storage.googleapis.com/gitlab-runner-tools/gitlab-changelog/$(GITLAB_CHANGELOG_VERSION)/gitlab-changelog-$(OS_TYPE)-amd64"
+$(GITLAB_CHANGELOG):
+	# Installing $(DOWNLOAD_URL) as $(GITLAB_CHANGELOG)
+	@mkdir -p $(shell dirname $(GITLAB_CHANGELOG))
+	@curl -sL "$(DOWNLOAD_URL)" -o "$(GITLAB_CHANGELOG)"
+	@chmod +x "$(GITLAB_CHANGELOG)"

charts/gitlab-runner/NOTICE

@@ -0,0 +1,30 @@
+With regard to the GitLab Software:
+
+The MIT License (MIT)
+
+Copyright (c) 2018-2019 GitLab B.V.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+---
+
+For all third party components incorporated into the GitLab Software, those
+components are licensed under the original license provided by the owner of the
+applicable component.
+

charts/gitlab-runner/README.md

@@ -0,0 +1,8 @@
+# GitLab Runner Helm Chart
+
+This chart deploys a GitLab Runner instance into your Kubernetes
+cluster. For more information, please review [our documentation](https://docs.gitlab.com/charts/charts/gitlab/gitlab-runner).
+
+# Development
+
+Please follow [development documentation](DEVELOPMENT.md).

charts/gitlab-runner/scripts/check_token.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Two types of token are supported:
+# - Registration Token (registration)
+# - Authentication Token (authentication)
+tokenType=$1
+token=$2
+
+variableName=""
+
+case $tokenType in
+    "registration")
+        variableName="REGISTRATION_TOKEN"
+        ;;
+    "authentication")
+        variableName="AUTHENTICATION_TOKEN"
+        ;;
+esac
+
+if [[ -z "$token" ]]; then
+    echo -e "\033[0;31mThe $variableName variable must be set for the (fork) project" && exit 1
+else
+    echo -e "The $variableName variable found and is not empty"
+fi

charts/gitlab-runner/scripts/empty-dir.yaml

@@ -0,0 +1,62 @@
+# Defaults from https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/main/values.yaml
+image:
+  registry: registry.gitlab.com
+  image: gitlab-org/gitlab-runner
+imagePullPolicy: Always
+
+gitlabUrl: https://gitlab.com/
+checkInterval: 30
+concurrent: 1
+unregisterRunners: true
+terminationGracePeriodSeconds: 0
+
+metrics:
+  enabled: true
+  portName: metrics
+  port: 9252
+
+service:
+  enabled: true
+
+rbac:
+  create: true
+  rules:
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["list", "get", "watch", "create", "delete"]
+    - apiGroups: [""]
+      resources: ["pods/exec"]
+      verbs: ["create"]
+    - apiGroups: [""]
+      resources: ["pods/log"]
+      verbs: ["get"]
+    - apiGroups: [""]
+      resources: ["pods/attach"]
+      verbs: ["list", "get", "create", "delete", "update"]
+    - apiGroups: [""]
+      resources: ["secrets"]
+      verbs: ["list", "get", "create", "delete", "update"]
+    - apiGroups: [""]
+      resources: ["configmaps"]
+      verbs: ["list", "get", "create", "delete", "update"]
+    - apiGroups: [""]
+      resources: ["events"]
+      verbs: ["list"]
+
+podSecurityContext:
+  runAsUser: 100
+  fsGroup: 65533
+
+runners:
+  name: "Multi words name"
+  config: |
+    [[runners]]
+      [runners.kubernetes]
+        namespace = "{{.Release.Namespace}}"
+        image = "alpine"
+      [[runners.kubernetes.volumes.empty_dir]]
+        name = "empty-dir"
+        mount_path = "/var/my_empty_dir/"
+        path = "/var/my_empty_dir/"
+        medium = "Memory"
+

charts/gitlab-runner/scripts/integration.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Two types of token are supported:
+# - Registration Token (registration)
+# - Authentication Token (authentication)
+tokenType=$1
+token=$2
+valueYamlPath=$3
+
+INTEGRATION_RUNNER_NAME=${INTEGRATION_RUNNER_NAME:-integration-runner}
+INTEGRATION_HELM_POD_RELEASE_LABEL=${INTEGRATION_HELM_POD_RELEASE_LABEL:-release=$INTEGRATION_RUNNER_NAME}
+
+case $tokenType in
+    "authentication")
+        helm install -f "$valueYamlPath" --timeout 5m --wait --set gitlabUrl="$CI_SERVER_URL",runnerToken="$token" "$INTEGRATION_RUNNER_NAME" .
+        ;;
+    *)
+        echo "Token provided is not supported"
+        exit 1
+        ;;
+esac
+
+kubectl describe pod -l "$INTEGRATION_HELM_POD_RELEASE_LABEL"
+
+timeout 60s grep -m1 "Starting multi-runner" <(kubectl logs -f -l "$INTEGRATION_HELM_POD_RELEASE_LABEL" --tail=-1)
+
+exit_code="$?"
+
+kubectl logs --tail=-1 -l "$INTEGRATION_HELM_POD_RELEASE_LABEL"
+
+exit $exit_code
+

charts/gitlab-runner/scripts/integration_cleanup.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+INTEGRATION_RUNNER_NAME=${INTEGRATION_RUNNER_NAME:-integration-runner}
+HELM_POD_RELEASE_LABEL=${HELM_POD_RELEASE_LABEL:-release=$INTEGRATION_RUNNER_NAME}
+
+helm uninstall --timeout=2m --wait "$INTEGRATION_RUNNER_NAME"

charts/gitlab-runner/scripts/kind-config.yaml

@@ -0,0 +1,5 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  apiServerAddress: "0.0.0.0"
+  apiServerPort: 6443

charts/gitlab-runner/scripts/security-harness

@@ -0,0 +1,100 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'digest'
+require 'fileutils'
+
+if ENV['NO_COLOR']
+  SHELL_RED    = ''
+  SHELL_GREEN  = ''
+  SHELL_YELLOW = ''
+  SHELL_CLEAR  = ''
+else
+  SHELL_RED    = "\e[1;31m"
+  SHELL_GREEN  = "\e[1;32m"
+  SHELL_YELLOW = "\e[1;33m"
+  SHELL_CLEAR  = "\e[0m"
+end
+
+HOOK_PATH = File.expand_path("../.git/hooks/pre-push", __dir__)
+HOOK_DATA = <<~HOOK
+  #!/usr/bin/env bash
+
+  set -e
+
+  url="$2"
+  harness=`dirname "$0"`/../security_harness
+
+  if [ -e "$harness" ]
+  then
+    if [[ "$url" != *"gitlab-org/security/"* ]]
+    then
+      echo "Pushing to remotes other than gitlab.com/gitlab-org/security has been disabled!"
+      echo "Run scripts/security-harness to disable this check."
+      echo
+
+      exit 1
+    fi
+  fi
+HOOK
+
+def write_hook
+  FileUtils.mkdir_p(File.dirname(HOOK_PATH))
+  File.open(HOOK_PATH, 'w') do |file|
+    file.write(HOOK_DATA)
+  end
+  File.chmod(0755, HOOK_PATH)
+end
+
+# Toggle the harness on or off
+def toggle
+  harness_path = File.expand_path('../.git/security_harness', __dir__)
+
+  if File.exist?(harness_path)
+    FileUtils.rm(harness_path)
+
+    puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
+  else
+    FileUtils.touch(harness_path)
+
+    puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
+  end
+end
+
+# If we were to change the script and then check for a pre-existing hook before
+# writing, the check would fail even if the user had an unmodified version of
+# the old hook. Checking previous version hashes allows us to safely overwrite a
+# script that differs from the current version, as long as it's an old one and
+# not custom.
+def previous_version?(dest_sum)
+  # SHA256 hashes of previous iterations of the script contained in `DATA`
+  %w[
+    010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0
+  ].include?(dest_sum)
+end
+
+if !File.exist?(HOOK_PATH)
+  write_hook
+  toggle
+else
+  # Deal with a pre-existing hook
+  source_sum = Digest::SHA256.hexdigest(HOOK_DATA)
+  dest_sum   = Digest::SHA256.file(HOOK_PATH).hexdigest
+
+  if previous_version?(dest_sum)
+    # Upgrading from a previous version, update in-place
+    write_hook
+    toggle
+  elsif source_sum != dest_sum
+    # Pre-existing hook we didn't create; do nothing
+    puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
+    puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"
+
+    exit 1
+  else
+    # No hook update needed, just toggle
+    toggle
+  end
+end
+