-
Notifications
You must be signed in to change notification settings - Fork 7
/
stack.yaml
426 lines (386 loc) · 12.4 KB
/
stack.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
---
heat_template_version: 2021-04-16
description: |-
Stack setup a GitLab Autoscaler Runners
parameters:
key_name:
type: string
label: Key Name
description: Name of key-pair to be used for manager instance
default: ci-admin
immutable: true
constraints:
- custom_constraint: nova.keypair
public_net:
type: string
label: Public Network
default: external
immutable: true
constraints:
- custom_constraint: neutron.network
public_ipv6_enabled:
type: boolean
label: Enable IPv6 support on Public Network
default: true
immutable: true
availability_zone:
type: string
label: Availability Zone
default: ""
manager_flavor:
type: string
label: Manager Flavor
description: Flavor for Manager instance.
default: m1.medium
immutable: true
constraints:
- custom_constraint: nova.flavor
runner_flavor:
type: string
label: Runner Flavor
description: Flavor for Runner instance.
default: gitlab-runner
immutable: true
constraints:
- custom_constraint: nova.flavor
dns_zone:
type: string
label: DNS Zone
# default: scalingrunner.cloud.
default: ""
immutable: true
gitlab_remote_ip:
type: string
label: GitLab server address
default: 1.2.3.4/32 # gitlab.server
immutable: true
constraints:
- custom_constraint: net_cidr
private_cidr:
type: string
label: Private Network CIDR
default: 10.42.0.0/24
immutable: true
constraints:
- custom_constraint: net_cidr
dns_servers:
type: comma_delimited_list
label: DNS Servers for private network
default: "8.8.8.8,9.9.9.9,1.1.1.1"
# immutable: true # XXX(vermakov): stack fails with "update failed"
# constraints: # XXX(vermakov): works only for strings
# - custom_constraint: ip_addr
gitlab_runner_image:
type: string
label: Gitlab runner image
default: gitlab/gitlab-runner:latest
conditions:
public_ipv6_enabled:
get_param: public_ipv6_enabled
dns_enabled:
not:
equals:
- get_param: dns_zone
- ''
dns_aaaa_enabled:
and:
- dns_enabled
- public_ipv6_enabled
resources:
# -*- network -*-
runner_net:
type: OS::Neutron::Net
properties:
shared: false
runner_subnet:
type: OS::Neutron::Subnet
properties:
cidr: &runner_cidr {get_param: private_cidr}
dns_nameservers: {get_param: dns_servers}
network: {get_resource: runner_net}
runner_router:
type: OS::Neutron::Router
properties:
external_gateway_info:
network: {get_param: public_net}
# enable_snat: true
router_interface:
type: OS::Neutron::RouterInterface
properties:
router_id: {get_resource: runner_router}
subnet_id: {get_resource: runner_subnet}
allow_gitlab_runner:
type: OS::Neutron::SecurityGroup
properties:
description: Security group for Gitlab Runner
rules:
- direction: egress
remote_ip_prefix: 0.0.0.0/0
- # Allow ICMP
direction: ingress
protocol: icmp
remote_ip_prefix: 0.0.0.0/0
- # Allow SSH
direction: ingress
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
port_range_max: 22
port_range_min: 22
- # Allow session port (from gitlab)
direction: ingress
protocol: tcp
remote_ip_prefix: &scm_cidr {get_param: gitlab_remote_ip}
port_range_max: 8093
port_range_min: 8093
- # Allow session port (internal network)
direction: ingress
protocol: tcp
remote_ip_prefix: *runner_cidr
port_range_max: 8093
port_range_min: 8093
- # Allow metrics port (from gitlab)
direction: ingress
protocol: tcp
remote_ip_prefix: *scm_cidr
port_range_max: 8090
port_range_min: 8090
allow_gitlab_runner_ipv6:
type: OS::Neutron::SecurityGroup
condition: public_ipv6_enabled
properties:
description: Security group for Gitlab Runner
rules:
- direction: egress
remote_ip_prefix: ::/0
ethertype: IPv6
- # Allow ICMP
direction: ingress
protocol: ipv6-icmp
remote_ip_prefix: ::/0
ethertype: IPv6
- # Allow SSH
direction: ingress
protocol: tcp
remote_ip_prefix: ::/0
port_range_max: 22
port_range_min: 22
ethertype: IPv6
# yamllint disable
# - # Allow session port (from gitlab)
# direction: ingress
# protocol: tcp
# remote_ip_prefix: &scm_cidr {get_param: gitlab_remote_ip}
# port_range_max: 8093
# port_range_min: 8093
# - # Allow metrics port (from gitlab)
# direction: ingress
# protocol: tcp
# remote_ip_prefix: *scm_cidr
# port_range_max: 8090
# port_range_min: 8090
# yamllint enable
# -*- DNS -*-
zone:
type: OS::Designate::Zone
condition: dns_enabled
properties:
name: {get_param: dns_zone}
email: noreply@sardinasystems.com
ttl: 300
manager_a_record:
type: OS::Designate::RecordSet
condition: dns_enabled
properties:
name: &mgr_record_name "mgr"
zone: {get_resource: zone}
ttl: 300
type: A
records:
- &mgr_port_ip {get_attr: [manager_port, fixed_ips, 0, ip_address]}
manager_aaaa_record:
type: OS::Designate::RecordSet
condition: dns_aaaa_enabled
properties:
name: *mgr_record_name
zone: {get_resource: zone}
ttl: 300
type: AAAA
records:
- {get_attr: [manager_port, fixed_ips, 1, ip_address]}
gw_a_record:
type: OS::Designate::RecordSet
condition: dns_enabled
properties:
name: &gw_record_name "gw"
zone: {get_resource: zone}
ttl: 300
type: A
records:
- &gw_port_ip {get_attr: [runner_router, external_gateway_info, external_fixed_ips, 0, ip_address]}
gw_aaaa_record:
type: OS::Designate::RecordSet
condition: dns_aaaa_enabled
properties:
name: *gw_record_name
zone: {get_resource: zone}
ttl: 300
type: AAAA
records:
- {get_attr: [runner_router, external_gateway_info, external_fixed_ips, 1, ip_address]}
# -*- manager instance -*-
flatcar_image:
type: OS::Glance::WebImage
properties:
name: {list_join: ['-', ['flatcar', {get_param: 'OS::stack_name'}, {get_param: 'OS::stack_id'}]]}
container_format: bare
disk_format: qcow2
location: "https://repo.geo.sardinasystems.com/mirror/images/flatcar_production_openstack_4081.2.0_amd64.img"
architecture: x86_64
min_disk: 10
min_ram: 4096
os_distro: flatcar
os_version: '4081.2.0'
extra_properties:
hw_qemu_guest_agent: 'yes'
# hw_firmware_type: uefi
hw_machine_type: q35
# hw_watchdog_action: reset
os_admin_user: core
os_type: linux
# precalculated checksum from index.yml
# os_hash_algo: sha256
# os_hash_value: 2c3616725bb6335c784883477258be97cab74c84dabef6786dc1776eb82719f0
owner_specified.openstack.sha256: 2c3616725bb6335c784883477258be97cab74c84dabef6786dc1776eb82719f0
tags: [Gitlab, CI, Flatcar]
protected: false
manager_port:
type: OS::Neutron::Port
properties:
network: {get_param: public_net}
security_groups:
if:
- public_ipv6_enabled
- [{get_resource: allow_gitlab_runner}, {get_resource: allow_gitlab_runner_ipv6}]
- [{get_resource: allow_gitlab_runner}]
manager_server:
type: OS::Nova::Server
properties:
name: runner-manager
flavor: {get_param: manager_flavor}
image: {get_resource: flatcar_image}
key_name: {get_param: key_name}
availability_zone: {get_param: availability_zone}
tags: [Gitlab, CI, Manager]
networks:
- port: {get_resource: manager_port}
- network: {get_resource: runner_net}
metadata:
# ipa_enroll: "true" # we don't have novajoin support for CoreOS
hostname: &mgr_hostname
yaql:
expression: regex(".$").replace($.data.name_and_zone, "")
data:
name_and_zone:
if:
- dns_enabled
# XXX YAQL is a piece of shit. Always makes weird thing with get_attr.
# > No method \"replace\" for receiver re.compile('.$') matches supplied arguments
# - {get_attr: [manager_a_record, show, name]}
- {list_join: [".", [*mgr_record_name, {get_param: dns_zone}]]}
- {list_join: [".", [*mgr_record_name, {get_param: "OS::stack_name"}, "local."]]}
user_data_format: RAW
user_data:
# NOTE(vermakov): HOT version >= 2015-10-15 does JSON marshaling
str_replace:
template: $data
params:
$data: {get_attr: [manager_ign, value]}
manager_ign:
type: OS::Heat::Value
properties:
# compiled manager.bu.yml -> ign
value:
ignition:
version: 3.4.0
storage:
directories:
- path: /etc/gitlab-runner
mode: 448
files:
- path: /etc/systemd/network/20-eth1.network
contents:
compression: ""
source: data:,%5BMatch%5D%0AName%3Deth1%0A%0A%5BNetwork%5D%0ADHCP%3Dipv4%0A%0A%5BDHCP%5D%0AUseRoutes%3Dfalse%0AUseGateway%3Dfalse%0ARouteMetric%3D2000%0A
systemd:
units:
- contents:
str_replace:
template: |
[Unit]
Description=GitLab Runner
ConditionFileNotEmpty=/etc/gitlab-runner/config.toml
After=network-online.target docker.service
Wants=network-online.target
Requires=docker.service
[Service]
Environment=IMAGE=$RUNNER_IMAGE
EnvironmentFile=-/etc/sysconfig/gitlab-runner
ExecStartPre=-/usr/bin/docker rm --force gitlab-runner
ExecStartPre=-/usr/bin/docker volume create plugins
ExecStartPre=/usr/bin/docker run --rm --name gitlab-runner-plugin-install --pull always --network=host --ipc=host \
-v /etc/gitlab-runner:/etc/gitlab-runner \
-v /var/run/docker.sock:/var/run/docker.sock \
-v plugins:/root/.config/fleeting/plugins \
$IMAGE fleeting install
ExecStart=/usr/bin/docker run --name gitlab-runner --network=host --ipc=host \
-v /etc/gitlab-runner:/etc/gitlab-runner \
-v /var/run/docker.sock:/var/run/docker.sock \
-v plugins:/root/.config/fleeting/plugins \
$IMAGE
ExecStop=/usr/bin/docker stop gitlab-runner
StartLimitInterval=5
StartLimitBurst=10
Restart=always
RestartSec=120
# StandardOutput=journal+console
# StandardError=inherit
[Install]
WantedBy=multi-user.target
params:
$RUNNER_IMAGE: {get_param: gitlab_runner_image}
enabled: true
name: gitlab-runner.service
# -*- runner cluster -*-
runner_aa:
type: OS::Nova::ServerGroup
properties:
policies:
- soft-anti-affinity
outputs:
cluster_id:
description: Cluster ID
value: {get_param: 'OS::stack_id'}
manager_hostname:
description: Manager DNS name
value: *mgr_hostname
manager_ip_address:
description: Manager IP Address
value: *mgr_port_ip
runner_gw_ip_address:
description: Runner Gateway router IP Address
value: *gw_port_ip
network_id:
description: Network
value: {get_resource: runner_net}
gitlab_sg:
description: Security Group
value: {get_resource: allow_gitlab_runner}
runner_aa_sg:
description: Runner Server Group
value: {get_resource: runner_aa}
runner_image_id:
description: Runner image
value: {get_resource: flatcar_image}
runner_flavor_name:
description: Runner flavor
value: {get_param: runner_flavor}