K8s 部署 Gitlab CI Runner

• K8s 版本：1.20.6
• GitLab CI 最大的作用是管理各个项目的构建状态。因此，运行构建任务这种浪费资源的事情交给一个独立的 Gitlab Runner 来做就会好很多，而且 Gitlab Runner 可以安装到不同的机器上
• 只要在项目中添加一个.gitlab-ci.yml文件，然后添加一个 Runner ，即可进行持续集成
• 官方文档：Install GitLab Runner | GitLab

1. 介绍

• Pipeline：相当于一次构建任务，里面可以包含多个流程，如安装依赖、运行测试、编译、部署测试服务器、部署生产服务器等。任何提交或者 Merge Request 的合并都可以触发 Pipeline 构建
• Stages：表示一个构建阶段。一次 Pipeline 中可定义多个 Stages
  • 所有 Stages 会顺序运行，即当一个 Stage 完成后，下一个 Stage 才会开始
  • 只有当所有 Stages 完成后，该构建任务才会成功
  • 如果任何一个 Stage 失败，那么后面的 Stages 不会执行，该构建任务失败
• Jobs：表示构建工作，即某个 Stage 里面执行的工作。一个 Stage 中可定义多个 Jobs
  • 相同 Stage 中的 Jobs 会并行执行
  • 相同 Stage 中的 Jobs 都执行成功时，该 Stage 才会成功
  • 如果任何一个 Job 失败，那么该 Stage 失败，即该构建任务失败
• Runner：执行 Gitlab CI 构建任务

2. Gitlab Runner

• gitlab-ci-runner-cm：Runner 镜像所需环境变量
  • 其他选项可在 Pod 中运行gitlab-ci-multi-runner register --help查看
• gitlab-ci-token：存放加密的 Gitlab CI runner token
  • http://gitlab.south.com/admin/runners -> K9Qhf4Sh1T7fqxHSWS5s
• gitlab-ci-runner-scripts：一个用于注册、运行和取消注册 Gitlab CI Runner 的脚本
  • 只有当 Pod 正常通过 Kubernetes（TERM 信号）终止时，才会触发取消注册。如果强制终止 Pod（SIGKILL 信号），Runner 将不会注销自身，必须手动完成对这种被杀死的 Runner 的清理
• gitlab-ci-runner：Runner 的 StatefulSet 控制器
  • 通过 K8s 生命周期钩子：开始运行时取消注册所有的同名 Runner；节点丢失时（即 NodeLost 事件）重新注册自己并开始运行；正常停止 Pod 时运行 unregister 命令来取消自己

apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-ci
  namespace: gitlab
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-ci
  namespace: gitlab
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-ci
  namespace: gitlab
subjects:
  - kind: ServiceAccount
    name: gitlab-ci
    namespace: gitlab
roleRef:
  kind: Role
  name: gitlab-ci
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: gitlab-ci-runner
  name: gitlab-ci-runner-cm
  namespace: gitlab
data:
  REGISTER_NON_INTERACTIVE: "true"
  REGISTER_LOCKED: "false"
  METRICS_SERVER: "0.0.0.0:9100"
  CI_SERVER_URL: "http://gitlab.gitlab.svc.cluster.local/ci"  # *
  RUNNER_REQUEST_CONCURRENCY: "4"
  RUNNER_EXECUTOR: "kubernetes"
  KUBERNETES_NAMESPACE: "gitlab"  # *
  KUBERNETES_PRIVILEGED: "true"
  KUBERNETES_CPU_LIMIT: "1"
  KUBERNETES_MEMORY_LIMIT: "1Gi"
  KUBERNETES_SERVICE_CPU_LIMIT: "1"
  KUBERNETES_SERVICE_MEMORY_LIMIT: "1Gi"
  KUBERNETES_HELPER_CPU_LIMIT: "500m"
  KUBERNETES_HELPER_MEMORY_LIMIT: "100Mi"
  KUBERNETES_PULL_POLICY: "if-not-present"
  KUBERNETES_TERMINATIONGRACEPERIODSECONDS: "10"
  KUBERNETES_POLL_INTERVAL: "5"
  KUBERNETES_POLL_TIMEOUT: "360"
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-ci-token
  namespace: gitlab
  labels:
    app: gitlab-ci-runner
data:
  GITLAB_CI_TOKEN: SzlRaGY0U2gxVDdmcXhIU1dTNXMK  # echo K9Qhf4Sh1T7fqxHSWS5s | base64 -w0
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: gitlab-ci-runner
  name: gitlab-ci-runner-scripts
  namespace: gitlab
data:
  run.sh: |
    #!/bin/bash
    unregister() {
        kill %1
        echo "Unregistering runner ${RUNNER_NAME} ..."
        /usr/bin/gitlab-ci-multi-runner unregister -t "$(/usr/bin/gitlab-ci-multi-runner list 2>&1 | tail -n1 | awk '{print $4}' | cut -d'=' -f2)" -n ${RUNNER_NAME}
        exit $?
    }
    trap 'unregister' EXIT HUP INT QUIT PIPE TERM
    echo "Registering runner ${RUNNER_NAME} ..."
    /usr/bin/gitlab-ci-multi-runner register -r ${GITLAB_CI_TOKEN}
    sed -i 's/^concurrent.*/concurrent = '"${RUNNER_REQUEST_CONCURRENCY}"'/' /home/gitlab-runner/.gitlab-runner/config.toml
    echo "Starting runner ${RUNNER_NAME} ..."
    /usr/bin/gitlab-ci-multi-runner run -n ${RUNNER_NAME} &
    wait

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: gitlab-ci-runner
  namespace: gitlab
  labels:
    app: gitlab-ci-runner
spec:
  updateStrategy:
    type: RollingUpdate
  replicas: 2
  serviceName: gitlab-ci-runner
  template:
    metadata:
      labels:
        app: gitlab-ci-runner
    spec:
      volumes:
      - name: gitlab-ci-runner-scripts
        projected:
          sources:
          - configMap:
              name: gitlab-ci-runner-scripts
              items:
              - key: run.sh
                path: run.sh
                mode: 0755
      serviceAccountName: gitlab-ci
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        supplementalGroups: [999]
      containers:
      - image: gitlab/gitlab-runner:latest
        name: gitlab-ci-runner
        command:
        - /scripts/run.sh
        envFrom:
        - configMapRef:
            name: gitlab-ci-runner-cm
        - secretRef:
            name: gitlab-ci-token
        env:
        - name: RUNNER_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        ports:
        - containerPort: 9100
          name: http-metrics
          protocol: TCP
        volumeMounts:
        - name: gitlab-ci-runner-scripts
          mountPath: "/scripts"
          readOnly: true
      restartPolicy: Always

创建：

$ kubectl create -f gitlab-runner.yaml
$ kubectl -n gitlab get pod
NAME                        READY   STATUS    RESTARTS   AGE
gitlab-7b894fcff-mnkb4      1/1     Running   0          69m
gitlab-ci-runner-0          1/1     Running   0          2m
gitlab-ci-runner-1          1/1     Running   0          2m
postgresql-6b6b478f-s6nj7   1/1     Running   0          69m
redis-7db89c7d46-fqdr5      1/1     Running   0          69m

结果：

在 http://gitlab.south.com/admin/runners 即可看到两个 Runner 实例

---

参考：在 Kubernetes 上安装 Gitlab CI Runner-阳明的博客