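---
# =============================================================================
# GitLab Runner Helm Chart values - Kubernetes executor
# =============================================================================
#
# Configures GitLab Runner to run CI jobs as pods in Kubernetes.
# Supports Docker-in-Docker (DinD) for image builds.
#
# Dynamic values (passed with --set from setup.sh, deliberately NOT stored here):
#   - gitlabUrl
#   - runnerToken (new method) or runnerRegistrationToken (legacy)
#   Note: values given with --set are persisted in the Helm release Secret;
#   keep the token out of this file and out of version control.
#
# TRUST BOUNDARY: the job pods this runner creates run *privileged* (required
# for DinD). A privileged container is effectively root on the node, so every
# project/branch that can reach this runner must be trusted, and the build
# pool it schedules onto should be treated as a separate trust boundary from
# the rest of the cluster.
# =============================================================================

# Maximum number of jobs the runner manager executes concurrently.
concurrent: 2

# How often (seconds) the manager polls GitLab for new jobs.
checkInterval: 30

# How often (seconds) the manager sends heartbeats to GitLab.
heartbeatInterval: 30

# =============================================================================
# RUNNER CONFIGURATION
# =============================================================================
runners:
  # Executor: kubernetes (each job runs as its own pod).
  executor: kubernetes

  # Privileged mode is required for Docker-in-Docker. This applies to the
  # JOB pods, not to the runner manager pod (see securityContext at the end).
  # If Pod Security Admission is enforced on the job namespace it must allow
  # the `privileged` level, otherwise job pods are rejected at admission.
  privileged: true

  # Namespace where job pods are created.
  # NOTE(review): with rbac.create=true and no clusterWideAccess the chart
  # creates a *namespaced* Role in the release namespace — confirm the release
  # is installed into this same namespace, or pod creation fails (Forbidden).
  namespace: gitlab

  # Tags used to route jobs to this runner.
  tags: "kubernetes,docker,hetzner"

  # Also accept jobs that declare no tags.
  # SECURITY: together with privileged=true and protected=false this makes a
  # privileged runner the default target for *any* untagged job, including
  # jobs on unprotected branches and merge requests. Prefer runUntagged: false
  # (privileged builds opt in via tag) and/or protected: true (only protected
  # refs may use it). Left unchanged here to avoid breaking existing
  # pipelines — review before exposing this runner beyond trusted projects.
  runUntagged: true

  # false = run jobs from all refs, not only protected branches/tags.
  protected: false

  # Default image for jobs that do not set one. The `image` key in the TOML
  # below is what actually lands in config.toml; kept identical on purpose.
  image: alpine:latest

  # Helper image (git clone, artifacts, cache upload).
  # NOTE(review): recent chart versions expose this as the deprecated
  # `runners.helpers.image`; the authoritative value is `helper_image` in the
  # TOML below. Previously this pointed at a different (non-arm64) tag — kept
  # in agreement with the TOML so there is a single declaration. Verify this
  # key is still honoured by the chart version in use.
  helper:
    image: gitlab/gitlab-runner-helper:arm64-latest

  # Additional config.toml content rendered into the runner's config.toml.
  config: |
    [[runners]]
      [runners.kubernetes]
        image = "alpine:latest"
        privileged = true

        # IMPORTANT: helper image for ARM64 (Hetzner CAX nodes). Without it
        # the runner selects an x86_64 helper and every job fails.
        # The helper must match the runner version, and `arm64-latest` is a
        # mutable tag — pin it to the runner release (arm64-vX.Y.Z) and ideally
        # a digest, so an upstream re-tag cannot silently change the code that
        # runs with root on the build nodes.
        helper_image = "gitlab/gitlab-runner-helper:arm64-latest"

        # Resources for the BUILD container of job pods (raised for Docker
        # builds). CAX31 = 8 vCPU / 16 GB.
        # NOTE(review): with concurrent = 2 the memory *limits* sum to 16Gi,
        # more than a 16 GB node's allocatable memory. The requests keep pods
        # schedulable, but two memory-hungry builds on one node can be
        # OOM-killed. These keys cover only the build container; the DinD
        # service and helper containers use service_* / helper_* keys, which
        # are not set here.
        cpu_request = "500m"
        cpu_limit = "4000m"
        memory_request = "1Gi"
        memory_limit = "8Gi"

        # Seconds to wait for a job pod to be scheduled and become ready
        # before the job is failed. This is NOT the job timeout.
        poll_timeout = 600

        # Image pull policy for job containers.
        # SECURITY: this was "if-not-present". On a shared, privileged runner
        # that lets a job run whatever image a *different* project's job has
        # already pulled under the same tag on that node (image cache
        # poisoning), and with ":latest" tags it also freezes the image.
        # "always" re-resolves the tag against the registry on every job;
        # layers already present on the node are still reused, so the cost is
        # a manifest check, not a full pull.
        pull_policy = ["always"]

        # Node selector: schedule job pods onto the build pool (CAX31).
        [runners.kubernetes.node_selector]
          "node-pool" = "build"

        # Toleration for the build pool's taint.
        [[runners.kubernetes.node_tolerations]]
          key = "dedicated"
          operator = "Equal"
          value = "builds"
          effect = "NoSchedule"

        # tmpfs volume shared with the DinD service for its TLS client certs.
        [[runners.kubernetes.volumes.empty_dir]]
          name = "docker-certs"
          mount_path = "/certs/client"
          medium = "Memory"

        # Scratch space for the build. An emptyDir lives only as long as the
        # job pod, so this does NOT persist anything between jobs; cross-job
        # caching requires the runner's distributed cache (runners.cache).
        [[runners.kubernetes.volumes.empty_dir]]
          name = "build-cache"
          mount_path = "/cache"
          medium = ""

# =============================================================================
# RUNNER MANAGER POD RESOURCES (not the job pods — those are in the TOML above)
# =============================================================================
resources:
  requests:
    memory: 128Mi
    cpu: 50m
  limits:
    memory: 256Mi
    cpu: 200m

# =============================================================================
# RBAC
# =============================================================================
rbac:
  create: true
  # Permissions the manager needs to run jobs: create/delete job pods,
  # exec/attach into them, read their logs, and manage the Secrets/ConfigMaps
  # it creates for job scripts and credentials.
  # Least-privilege note: this is read/write on ALL Secrets in the namespace,
  # so the runner namespace should contain nothing but runner resources.
  rules:
    - apiGroups: [""]
      resources: ["pods", "pods/exec", "secrets", "configmaps"]
      verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
    - apiGroups: [""]
      resources: ["pods/attach", "pods/log"]
      verbs: ["get", "create"]

# =============================================================================
# SERVICE ACCOUNT
# =============================================================================
serviceAccount:
  create: true
  name: gitlab-runner

# =============================================================================
# METRICS (optional)
# =============================================================================
metrics:
  enabled: false

# =============================================================================
# POD SECURITY - runner MANAGER pod only. Job pods are configured by the
# kubernetes executor above and run privileged regardless of these settings.
# =============================================================================
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 100

securityContext:
  allowPrivilegeEscalation: false
  # NOTE(review): consider true with a writable volume for the runner's
  # config/working directory; left false to preserve current behaviour.
  readOnlyRootFilesystem: false
  capabilities:
    drop: ["ALL"]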