- CLAUDE.md: Atualizar tabela com aulas 12 (Victoria Metrics) e 13 (Container Factory) - aula-11: Melhorias no setup do GitLab Runner
# =============================================================================
# GitLab Runner Helm Chart - Kubernetes executor
# =============================================================================
#
# Configures GitLab Runner to run CI jobs as pods on Kubernetes.
# Supports Docker-in-Docker (DinD) for image builds.
#
# Dynamic values (set via --set in setup.sh):
# - gitlabUrl
# - runnerToken (new method) or runnerRegistrationToken (legacy)
#
# Review summary: every job pod runs privileged (runners.privileged and the
# TOML below), the runner also accepts untagged jobs from unprotected refs
# (runUntagged / protected), and images use mutable "latest" tags under an
# if-not-present pull policy. Each point is noted inline where it is set.
# =============================================================================

# Maximum number of concurrent jobs
concurrent: 2

# Polling interval for new jobs (seconds)
checkInterval: 30

# Heartbeat interval (seconds)
heartbeatInterval: 30

# =============================================================================
# RUNNER CONFIGURATION
# =============================================================================
runners:
  # Executor: kubernetes (jobs run as pods)
  executor: kubernetes

  # Privileged mode, required for Docker-in-Docker.
  # NOTE(review): a privileged job container is effectively root on the node,
  # so every pipeline this runner accepts can reach the host. Consider a
  # rootless builder (e.g. kaniko/buildah) if DinD is not strictly needed.
  privileged: true

  # Namespace where job pods are created
  namespace: gitlab

  # Tags identifying the runner
  tags: "kubernetes,docker,hetzner"

  # Also run jobs that carry no tag (so the tags above do not restrict who
  # can use this runner)
  runUntagged: true

  # Restrict the runner to protected branches/tags.
  # false = jobs from unprotected refs (e.g. any merge-request branch) also
  # run here, and therefore also run privileged. NOTE(review): confirm this is
  # intended; `true` is the usual setting for a privileged runner.
  protected: false

  # Default image for jobs (mutable tag; see the pull_policy note below)
  image: alpine:latest

  # Helper image (git clone, artifacts, etc.).
  # NOTE(review): this tag disagrees with helper_image in the TOML below
  # (alpine-latest here vs arm64-latest there); confirm which one the chart
  # actually renders into config.toml, and pin a version in both.
  helper:
    image: gitlab/gitlab-runner-helper:alpine-latest

  # Additional TOML configuration (rendered into config.toml)
  config: |
    [[runners]]
      [runners.kubernetes]
        image = "alpine:latest"
        # Job containers run privileged (see runners.privileged above)
        privileged = true

        # IMPORTANT: helper image for ARM64 (Hetzner CAX nodes).
        # Without this the runner tries to use x86_64 and fails.
        helper_image = "gitlab/gitlab-runner-helper:arm64-latest"

        # Resources for job pods (raised for Docker builds)
        cpu_request = "100m"
        cpu_limit = "1000m"
        memory_request = "256Mi"
        memory_limit = "1Gi"

        # Timeout for job pods
        poll_timeout = 600

        # Pull policy.
        # NOTE(review): "if-not-present" reuses whatever image is already
        # cached on the node under that tag; with mutable "latest" tags this
        # means stale images and trusting a cached image left by an earlier
        # job. Pin tags/digests, or use "always" for images that matter.
        pull_policy = ["if-not-present"]

        # Volume for Docker TLS certs (DinD); memory-backed, per job pod
        [[runners.kubernetes.volumes.empty_dir]]
          name = "docker-certs"
          mount_path = "/certs/client"
          medium = "Memory"

        # Volume for build cache; medium "" = node-disk-backed emptyDir,
        # ephemeral per job pod (not shared between jobs)
        [[runners.kubernetes.volumes.empty_dir]]
          name = "build-cache"
          mount_path = "/cache"
          medium = ""

# =============================================================================
# RUNNER RESOURCES (manager pod)
# =============================================================================
resources:
  requests:
    memory: 128Mi
    cpu: 50m
  limits:
    memory: 256Mi
    cpu: 200m

# =============================================================================
# RBAC
# =============================================================================
rbac:
  create: true
  # Permissions to create pods, secrets, configmaps.
  # NOTE(review): full write on secrets plus pods/exec create lets the runner
  # service account read and modify every Secret in the namespace it is bound
  # to; keep that namespace dedicated to CI jobs and confirm the chart binds
  # these rules as a namespaced Role rather than a ClusterRole.
  rules:
    - apiGroups: [""]
      resources: ["pods", "pods/exec", "secrets", "configmaps"]
      verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
    - apiGroups: [""]
      resources: ["pods/attach", "pods/log"]
      verbs: ["get", "create"]

# =============================================================================
# SERVICE ACCOUNT
# =============================================================================
serviceAccount:
  create: true
  name: gitlab-runner

# =============================================================================
# METRICS (optional)
# =============================================================================
metrics:
  enabled: false

# =============================================================================
# POD SECURITY
# (presumably applies to the manager pod only; job pods are configured in the
# TOML above — confirm against the chart)
# =============================================================================
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 100

securityContext:
  allowPrivilegeEscalation: false
  # Root filesystem left writable for the manager pod.
  # NOTE(review): confirm this is required; otherwise set it to true.
  readOnlyRootFilesystem: false
  capabilities:
    drop: ["ALL"]