From 97b4b50c96b4ce51e0ec06157e243a0a5312a9ea Mon Sep 17 00:00:00 2001 From: ArgoCD Setup Date: Thu, 8 Jan 2026 18:30:08 -0300 Subject: [PATCH] refactor: Atualizar CLAUDE.md e melhorias aula-11 - CLAUDE.md: Atualizar tabela com aulas 12 (Victoria Metrics) e 13 (Container Factory) - aula-11: Melhorias no setup do GitLab Runner --- CLAUDE.md | 8 +++- aula-11/README.md | 69 +++++++++++++++++++++++++++++++ aula-11/gitlab-runner-values.yaml | 10 +++-- aula-11/setup.sh | 17 ++++++++ 4 files changed, 99 insertions(+), 5 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 155078e..5929cc3 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -22,6 +22,8 @@ App de demonstração: `node-bugado` - trava após N requests para demonstrar he | 09 | n8n multi-tenant | Hetzner | | 10 | GitLab + Registry + SSH | Hetzner | | 11 | ArgoCD + GitLab Runner | Hetzner | +| 12 | Victoria Metrics (Observabilidade) | Hetzner | +| 13 | Container Factory (eStargz) | Hetzner | ## Comandos Rápidos @@ -29,11 +31,13 @@ App de demonstração: `node-bugado` - trava após N requests para demonstrar he # Aulas 01-06 (Local) cd aula-XX && ./setup.sh # ou kubectl apply -f . -# Aulas 07-11 (Hetzner) +# Aulas 07-13 (Hetzner) cd aula-08 && ./setup.sh # Cluster base cd aula-09 && ./setup.sh # n8n cd aula-10 && ./setup.sh # GitLab cd aula-11 && ./setup.sh # ArgoCD +cd aula-12 && ./setup.sh # Victoria Metrics +cd aula-13 && ./setup.sh # Container Factory ``` ## App node-bugado @@ -52,7 +56,7 @@ Demonstra: ## Variáveis de Ambiente - `MAX_REQUESTS`: Requests antes de travar (default: 3) -- `HCLOUD_TOKEN`: Token da Hetzner Cloud (aulas 08-11) +- `HCLOUD_TOKEN`: Token da Hetzner Cloud (aulas 08-13) ## Padrões do Projeto diff --git a/aula-11/README.md b/aula-11/README.md index 7f6c3b4..25c3cb0 100644 --- a/aula-11/README.md +++ b/aula-11/README.md 
@@ -216,6 +216,39 @@ Alternativas (mais seguras, mas mais complexas): - **Kaniko**: Build sem Docker daemon - **Buildah**: Build rootless +### Requisitos para Docker-in-Docker + +#### 1. Pod Security (Kubernetes 1.25+) + +Kubernetes 1.25+ aplica Pod Security Admission por padrão. O namespace `gitlab` +precisa permitir pods privilegiados: + +```bash +kubectl label namespace gitlab \ + pod-security.kubernetes.io/enforce=privileged \ + pod-security.kubernetes.io/warn=privileged \ + --overwrite +``` + +> **Nota**: O `setup.sh` já configura isso automaticamente. + +#### 2. Helper Image para ARM64 + +Em clusters com nodes ARM64 (como Hetzner CAX), o runner precisa usar +o helper image correto. Configure em `gitlab-runner-values.yaml`: + +```toml +# Dentro de runners.config +[[runners]] + [runners.kubernetes] + helper_image = "gitlab/gitlab-runner-helper:arm64-latest" +``` + +Sem isso, você verá erros como: +``` +no match for platform in manifest: not found +``` + ## Troubleshooting ### ArgoCD não sincroniza 
@@ -254,6 +287,42 @@ kubectl get pods -n gitlab kubectl logs -n gitlab runner-xxxxx-project-xxx-concurrent-xxx ``` +### Erro "violates PodSecurity" + +``` +violates PodSecurity "baseline:latest": privileged +(containers must not set securityContext.privileged=true) +``` + +**Solução**: Configure o namespace para permitir pods privilegiados: +```bash +kubectl label namespace gitlab \ + pod-security.kubernetes.io/enforce=privileged \ + --overwrite +``` + +### Erro "no match for platform in manifest" + +``` +image pull failed: no match for platform in manifest: not found +``` + +**Causa**: O runner está tentando usar imagem x86_64 em node ARM64. + +**Solução**: Configure o helper image ARM64 no `gitlab-runner-values.yaml`: +```toml +[[runners]] + [runners.kubernetes] + helper_image = "gitlab/gitlab-runner-helper:arm64-latest" +``` + +Depois faça upgrade do runner: +```bash +helm upgrade gitlab-runner gitlab/gitlab-runner \ + -n gitlab --reuse-values \ + -f gitlab-runner-values.yaml +``` + ### Erro SSH ao conectar repositório ```bash diff --git a/aula-11/gitlab-runner-values.yaml b/aula-11/gitlab-runner-values.yaml index dd79686..809e2d0 100644 --- a/aula-11/gitlab-runner-values.yaml +++ b/aula-11/gitlab-runner-values.yaml @@ -56,11 +56,15 @@ runners: image = "alpine:latest" privileged = true - # Recursos para pods de job + # IMPORTANTE: Helper image para ARM64 (Hetzner CAX nodes) + # Sem isso, o runner tenta usar x86_64 e falha + helper_image = "gitlab/gitlab-runner-helper:arm64-latest" + + # Recursos para pods de job (aumentados para builds Docker) cpu_request = "100m" - cpu_limit = "500m" + cpu_limit = "1000m" memory_request = "256Mi" - memory_limit = "512Mi" + memory_limit = "1Gi" # Timeout para pods poll_timeout = 600 diff --git a/aula-11/setup.sh b/aula-11/setup.sh index 4bb1ed4..8a1d771 100755 --- a/aula-11/setup.sh +++ b/aula-11/setup.sh 
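Review bot: `helper_image = "gitlab/gitlab-runner-helper:arm64-latest"` pins the helper to a floating tag, so the helper version can drift away from the runner version the chart deploys, and what gets pulled can change with no change in this repository. The helper is expected to match the runner's version (the chart derives the default helper tag from it), so a versioned tag such as `helper_image = "gitlab/gitlab-runner-helper:arm64-v<RUNNER_VERSION>"`, with `<RUNNER_VERSION>` matching the deployed runner, or an `@sha256:` digest, is the safer choice; the README snippets on the previous hunks quote the same floating tag and should follow. The comment above it should also say that the value must be bumped together with the runner version. The enclosing `runners.config` block starts and ends outside the hunk, so it is not visible whether the job namespace is set there.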
@@ -77,6 +77,23 @@ fi log_success "Pré-requisitos verificados" +# ============================================================================= +# CONFIGURAR POD SECURITY PARA DOCKER-IN-DOCKER +# ============================================================================= +# +# Docker-in-Docker requer pods privilegiados. Kubernetes 1.25+ aplica +# Pod Security Admission por padrão, bloqueando containers privilegiados +# no modo "baseline". Precisamos configurar o namespace gitlab para +# permitir pods privilegiados. +# +log_info "Configurando PodSecurity para Docker-in-Docker..." +kubectl label namespace gitlab \ + pod-security.kubernetes.io/enforce=privileged \ + pod-security.kubernetes.io/warn=privileged \ + pod-security.kubernetes.io/audit=privileged \ + --overwrite +log_success "PodSecurity configurado para permitir Docker-in-Docker" + # ============================================================================= # CARREGAR CONFIGURAÇÃO EXISTENTE # =============================================================================
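Review bot: The `kubectl label namespace gitlab ... pod-security.kubernetes.io/enforce=privileged` call relaxes Pod Security Admission for every pod in the `gitlab` namespace, not only for the runner's job pods, so any other workload deployed there loses the baseline check as well. A narrower setup keeps the runner where it is and sends job pods to a dedicated namespace (`namespace = "gitlab-jobs"` under `[runners.kubernetes]` in gitlab-runner-values.yaml), labeling only that namespace privileged. The step also assumes the namespace already exists at this point of the script; if it is created later (not visible in the hunk) the label fails, so guard it with `kubectl get namespace gitlab >/dev/null 2>&1 || kubectl create namespace gitlab` before the label call. Lastly, the script sets `audit=privileged` while the README snippets in the earlier hunks set only enforce/warn; the two should agree.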