update

dmz/gitlab-runner/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: gitlab-runner
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: gitlab-runner
+  repository: https://charts.gitlab.io/
+  version: 0.69.0

dmz/gitlab-runner/templates/secrets.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitlab-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: gitlab-secret
+  data:
+  - secretKey: runner-registration-token
+    remoteRef:
+      key: secrets/gitlab/runner
+      property: runner-registration-token
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/gitlab-runner/values.yaml

@@ -0,0 +1,71 @@
+gitlab-runner:
+
+  image:
+    registry: registry.internal.durp.info
+    image: gitlab-org/gitlab-runner
+
+  imagePullPolicy: Always
+  gitlabUrl: https://gitlab.com/
+  unregisterRunner: false
+  terminationGracePeriodSeconds: 3600
+  concurrent: 10
+  checkInterval: 30
+
+  rbac:
+    create: true
+    rules: []
+    clusterWideAccess: false
+    podSecurityPolicy:
+      enabled: false
+      resourceNames:
+      - gitlab-runner
+
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true      
+  service:
+    enabled: true
+    annotations: {}  
+
+  runners:
+    config: |
+      [[runners]]
+        [runners.kubernetes]
+          namespace = "{{.Release.Namespace}}"
+          image = "ubuntu:22.04"
+          privileged = true
+
+    executor: kubernetes
+    name: "k3s"
+    runUntagged: true
+    privileged: true
+    secret: gitlab-secret
+    #builds: 
+      #cpuLimit: 200m
+      #cpuLimitOverwriteMaxAllowed: 400m
+      #memoryLimit: 256Mi
+      #memoryLimitOverwriteMaxAllowed: 512Mi
+      #cpuRequests: 100m
+      #cpuRequestsOverwriteMaxAllowed: 200m
+      #memoryRequests: 128Mi
+      #memoryRequestsOverwriteMaxAllowed: 256Mi
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    privileged: false
+    capabilities:
+      drop: ["ALL"]
+
+  podSecurityContext:
+    runAsUser: 100
+    fsGroup: 65533
+
+  resources: 
+    limits:
+      memory: 2Gi
+    requests:
+      memory: 128Mi
+      cpu: 500m