This repository has been archived by the owner on Aug 19, 2024. It is now read-only.

A simple module you can use to install a Gitlab runner in GKE on Google Cloud Platform


sparkfabrik/terraform-sparkfabrik-gitlab-runner-gke


# Terraform Gitlab Runner GKE module


This is a Terraform module to install and configure a Gitlab Runner in a GKE cluster using the official GitLab Runner Helm Chart.

The runner connects to an existing Gitlab instance using a provided registration token and uses a Minio bucket (installed with the Bitnami chart) in the same namespace as the runner to host the runner cache.

This module is provided without any kind of warranty and is GPL3 licensed.

## Configuration of the Helm and Kubernetes providers

The module does not create the cluster: both providers must point at an existing GKE cluster. The two data sources below are one way to obtain the endpoint, CA certificate and a short-lived access token (the cluster name and location are placeholders to adjust to your environment).

```hcl
# Assumed data sources: adjust "my-cluster" and "europe-west1" to your environment.
data "google_client_config" "default" {}

data "google_container_cluster" "this" {
  name     = "my-cluster"   # placeholder
  location = "europe-west1" # placeholder
}

provider "kubernetes" {
  host                   = "https://${data.google_container_cluster.this.endpoint}"                                  # cluster endpoint
  cluster_ca_certificate = base64decode(data.google_container_cluster.this.master_auth[0].cluster_ca_certificate) # cluster CA certificate
  token                  = data.google_client_config.default.access_token                                         # short-lived access token
}

provider "helm" {
  kubernetes {
    host                   = "https://${data.google_container_cluster.this.endpoint}"
    cluster_ca_certificate = base64decode(data.google_container_cluster.this.master_auth[0].cluster_ca_certificate)
    token                  = data.google_client_config.default.access_token
  }
}
```

## Configuration options

This module installs a runner on a GKE cluster. It is rather opinionated, although it is highly configurable.

The runner uses Workload Identity: its Kubernetes service account is mapped to a GCP service account that receives a default set of roles, intended to allow applications to be installed in the cluster.

It is possible to override these permissions by changing the default roles listed in the `runner_default_roles` variable, or to extend them by adding roles to the `runner_additional_roles` variable.

If the runner needs to access a CloudSQL instance or deploy applications to Cloud Run, it is sufficient to set the two variables `runner_consent_cloud_sql_dumps` and `runner_consent_deploy_cloudrun_apps` to `true`.

The module supports the creation of a service account with the cluster-admin role needed for the cluster integration in GitLab, as described in the official documentation (`create_gitlab_k8s_integration_service_account`).

Finally, it is possible to install multiple runners on the same cluster by adding a suffix to the created resources (`resources_suffix`).
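The following module call is an added example, not code from this repository's README, showing how the options described above fit together. The module source is this repository's git URL; the project ID, chart version, GitLab URL, tags and suffix are placeholders, and the `runner_registration_token` variable is an assumed wrapper so the token is marked `sensitive` rather than written into the configuration.

```hcl
# Added example of invoking the module; values marked "placeholder" are assumptions.

variable "runner_registration_token" {
  description = "GitLab runner registration token (from the project or group CI/CD settings)."
  type        = string
  sensitive   = true # hidden from plan/apply output; it is still written to state, so protect the state backend
}

module "gitlab_runner" {
  source = "git::https://github.com/sparkfabrik/terraform-sparkfabrik-gitlab-runner-gke.git"

  project_id                = "my-gcp-project"            # placeholder
  chart_version             = "0.0.0"                     # placeholder: use the chart version matching your GitLab version
  gitlab_url_with_protocol  = "https://gitlab.example.com" # placeholder
  runner_registration_token = var.runner_registration_token
  runner_tags               = "gke,docker"                # placeholder, comma-separated
  run_untagged              = false

  # Several runners on one cluster: resources and the namespace get this suffix
  # (namespace becomes gitlab-runner-prod).
  resources_suffix = "prod" # placeholder

  # Workload Identity roles for the runner's GCP service account.
  # These are the module defaults; narrow them to what the jobs actually need.
  runner_default_roles = [
    "roles/container.developer",
    "roles/iam.serviceAccountUser",
  ]
  # Appended to the defaults; keep empty unless a specific extra role is required.
  runner_additional_roles = []

  # Opt-in permissions: leave false unless pipelines really dump CloudSQL or deploy to Cloud Run.
  runner_consent_cloud_sql_dumps      = false
  runner_consent_deploy_cloudrun_apps = false

  # Grants push/pull on the registry bucket only when a name is given.
  container_registry_bucket = ""

  # Creates a cluster-admin service account for the GitLab cluster integration;
  # its token is exposed as an output, so enable only when the integration is used.
  create_gitlab_k8s_integration_service_account = false

  # Resource requests for the per-job build containers.
  runner_build_container_cpu_request    = "250m"
  runner_build_container_memory_request = "256Mi"
}

# Non-secret output worth surfacing; the Minio keys and the cluster-admin
# token outputs are secrets and should not be echoed in CI logs.
output "runner_gsa_email" {
  value = module.gitlab_runner.gitlab_runner_worker_service_account_email
}
```

Because `minio_accesskey`, `minio_secretkey` and `gitlab_cluster_admin_service_token` are plain outputs, they end up in the Terraform state and in `terraform output`; the state backend therefore needs the same access control as the credentials themselves.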

## Providers

| Name | Version |
|------|---------|
| google | >= 3.86.0 |
| helm | >= 2.3.0 |
| kubernetes | >= 2.5.0 |
| random | >= 3.2 |
| template | >= 2.2.0 |

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1 |
| google | >= 3.86.0 |
| helm | >= 2.3.0 |
| kubernetes | >= 2.5.0 |
| random | >= 3.2 |
| template | >= 2.2.0 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| `chart_version` | The chart version. Be sure to use the version corresponding to your Gitlab version. | `string` | n/a | yes |
| `container_registry_bucket` | The name of the container registry bucket. If not empty, the runner gets all the permissions needed to push and pull images to this bucket. | `string` | `""` | no |
| `create_gitlab_k8s_integration_service_account` | Set to true if you want to integrate the cluster in which you are deploying your runner in Gitlab using a cluster certificate and a service account token. More info at https://docs.gitlab.com/ee/user/project/clusters/add_existing_cluster.html | `bool` | `false` | no |
| `gitlab_url_with_protocol` | The GitLab Server URL (with protocol) that you want to register the runner against. ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-register | `string` | n/a | yes |
| `helm_release_name` | The Helm release name. You can leave the default if you need only one release per namespace. | `string` | `"gitlab"` | no |
| `minio_chart_version` | The Bitnami Minio chart version. | `string` | `"9.2.10"` | no |
| `namespace` | Gitlab runner namespace name. If `resources_suffix` is defined, the name of the namespace will be `namespace-SUFFIX`. | `string` | `"gitlab-runner"` | no |
| `project_id` | The GCP project ID. | `string` | n/a | yes |
| `resources_suffix` | The suffix for the generated resources. If null (default), the resources will not have a custom suffix. | `string` | `""` | no |
| `run_untagged` | Specify if the runner can or can't run untagged jobs. | `bool` | `false` | no |
| `runner_additional_roles` | A list of additional roles to be added to the runner service account. | `list(string)` | `[]` | no |
| `runner_build_container_cpu_request` | The CPU allocation requested for build containers. | `string` | `"100m"` | no |
| `runner_build_container_memory_request` | The amount of memory requested for build containers. | `string` | `"128Mi"` | no |
| `runner_consent_cloud_sql_dumps` | Set to true if you want to add permissions to the runner to dump CloudSQL databases using the `gcloud sql export sql` command. | `bool` | `false` | no |
| `runner_consent_deploy_cloudrun_apps` | Set to true if you want to add permissions to the runner to manage and deploy applications in Cloud Run. | `bool` | `false` | no |
| `runner_default_roles` | Set the roles assigned to the runner SA via Workload Identity. | `list(string)` | `["roles/container.developer", "roles/iam.serviceAccountUser"]` | no |
| `runner_registration_token` | The Gitlab runner registration token. You can retrieve it from your Gitlab project or group backend in the CI/CD settings. | `string` | n/a | yes |
| `runner_tags` | Specify the tags associated with the runner. Comma-separated list of tags. | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| `gitlab_cluster_admin_service_token` | The service token scoped to kube-system with cluster-admin privileges. We use this token to integrate the cluster in Gitlab. |
| `gitlab_runner_worker_service_account_email` | The GCP service account used by the Gitlab runner worker. |
| `minio_accesskey` | The minio access key. |
| `minio_credentials_k8s_secret_name` | The name of the secret with minio credentials. |
| `minio_secretkey` | The minio secret key. |

## Resources

| Name | Type |
|------|------|
| google_project_iam_custom_role.gitlab_runner_custom_role | resource |
| google_storage_bucket_iam_member.runner_registry_admin | resource |
| google_storage_bucket_iam_member.runner_registry_writer | resource |
| helm_release.gitlab_runner | resource |
| helm_release.minio | resource |
| kubernetes_cluster_role_binding.gitlab_admin | resource |
| kubernetes_namespace.gitlab_runner | resource |
| kubernetes_secret.minio_credentials | resource |
| kubernetes_service_account.gitlab | resource |
| random_password.minio_accesskey | resource |
| random_password.minio_secretkey | resource |
| kubernetes_secret.gitlab_admin_token | data source |
| template_file.gitlab_runner_config | data source |
| template_file.minio_config | data source |

## Modules

| Name | Source | Version |
|------|--------|---------|
| gitlab_runner_workload_identity_mapping | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | 16.1.0 |
