Merge pull request #216 from tobiashuste/210-include-hifisgitlab_runner-role-into-collection

Integrate gitlab_runner role into hifis toolkit

Author: tobiashuste

.github/labeler.yml

@@ -10,6 +10,12 @@ keepalived:
           - "roles/keepalived/**"
           - "molecule/keepalived/**"
           - ".github/workflows/keepalived.yml"
+gitlab_runner:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "roles/gitlab_runner/**"
+          - "molecule/gitlab_runner/**"
+          - ".github/workflows/gitlab_runner.yml"
 ssh_keys:
   - changed-files:
       - any-glob-to-any-file:

.github/workflows/gitlab_runner.yml

@@ -0,0 +1,74 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: "hifis.toolkit.gitlab_runner"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/gitlab_runner.yml'
+      - 'roles/gitlab_runner/**'
+      - 'molecule/gitlab_runner/**'
+      - 'Pipfile'
+      - 'Pipfile.lock'
+  push:
+    branches:
+      - "main"
+    tags:
+      - "v*.*.*"
+    paths:
+      - '.github/workflows/gitlab_runner.yml'
+      - 'roles/gitlab_runner/**'
+      - 'molecule/gitlab_runner/**'
+      - 'Pipfile'
+      - 'Pipfile.lock'
+  schedule:
+    - cron: "0 0 * * *"
+env:
+  PY_COLORS: 1
+  ANSIBLE_FORCE_COLOR: 1
+
+jobs:
+
+  test:
+    name: "Run Molecule tests."
+    runs-on: "ubuntu-24.04"
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - "ghcr.io/hifis-net/ubuntu-systemd:20.04"
+          - "ghcr.io/hifis-net/ubuntu-systemd:22.04"
+          - "ghcr.io/hifis-net/ubuntu-systemd:24.04"
+          - "ghcr.io/hifis-net/debian-systemd:10"
+          - "ghcr.io/hifis-net/debian-systemd:11"
+          - "ghcr.io/hifis-net/debian-systemd:12"
+
+    steps:
+      - name: "Check out the codebase."
+        uses: "actions/checkout@v4"
+        with:
+          path: "ansible_collections/hifis/toolkit"
+
+      - name: "Prepare the job environment."
+        uses: "./ansible_collections/hifis/toolkit/.github/workflows/prepare-action"
+
+      # https://github.com/ansible/molecule/issues/3806
+      - name: "Help molecule to find the dependencies"
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-collection-toolkit/ansible-collection-toolkit/ansible_collections/hifis/toolkit/roles \
+            /home/runner/.ansible/roles
+
+      - name: "Run Molecule tests."
+        run: "pipenv run molecule test -s gitlab_runner"
+        env:
+          MOLECULE_IMAGE: "${{ matrix.image }}"
+          AUTHENTICATION_TOKEN: "${{ secrets.authentication_token }}"
+        working-directory: "ansible_collections/hifis/toolkit"

.github/workflows/prepare-action/action.yml

@@ -17,7 +17,7 @@ runs:
       uses: "actions/setup-python@v5"
       id: "setup-python"
       with:
-        python-version: "3.10"
+        python-version: "3.12"
         cache: "pipenv"
 
     - name: "Install dependencies via pipenv."

Pipfile

@@ -19,4 +19,4 @@ reuse = "~=3.0.2"
 ansible = "~=9.5.1"
 
 [requires]
-python_version = "3.10"
+python_version = "3.12"

Pipfile.lock

@@ -18,18 +18,18 @@ This collection provides production-ready Ansible roles used for providing servi
 software engineers, but not exclusively. The following use cases are supported:
 
 * DevOps platform:
-  * [GitLab](https://github.com/hifis-net/ansible-role-gitlab) (*coming soon!*)
-  * [GitLab-Runner](https://github.com/hifis-net/ansible-role-gitlab-runner) (*coming soon!*)
-  * [Redis](https://github.com/hifis-net/ansible-role-redis) (*coming soon!*)
+    * [GitLab](https://github.com/hifis-net/ansible-role-gitlab) (**coming soon!**)
+    * deploy [**GitLab-Runner**](roles/gitlab_runner) with a focus, but not limited, on Openstack autoscaling
+    * [Redis](https://github.com/hifis-net/ansible-role-redis) (**coming soon!**)
 * Help desk:
-  * [**Zammad**](roles/zammad)
+    * [**Zammad**](roles/zammad)
 * High Availability (HA) / Load Balancing:
-  * [HAProxy](https://github.com/hifis-net/ansible-role-haproxy) (*coming soon!*)
-  * [**Keepalived**](roles/keepalived)
+    * [HAProxy](https://github.com/hifis-net/ansible-role-haproxy) (*coming soon!*)
+    * [**Keepalived**](roles/keepalived)
 * OS-related:
-  * [**unattended-upgrades**](roles/unattended_upgrades)
-  * [netplan](https://github.com/hifis-net/ansible-role-gitlab-netplan) (*coming soon!*)
-  * distribute authorized [**SSH keys**](role/ssh_keys) to users
+    * [**unattended-upgrades**](roles/unattended_upgrades)
+    * [netplan](https://github.com/hifis-net/ansible-role-gitlab-netplan) (*coming soon!*)
+    * distribute authorized [**SSH keys**](role/ssh_keys) to users
 
 ## Minimum required Ansible-version
 

README.md

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: "Converge"
+  hosts: "all"
+  tasks:
+    - name: "Include gitlab_runner role"
+      ansible.builtin.include_role:
+        name: "hifis.toolkit.gitlab_runner"

molecule/gitlab_runner/converge.yml

@@ -0,0 +1,137 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+dependency:
+  name: "galaxy"
+  options:
+    requirements-file: "molecule/gitlab_runner/requirements.yml"
+driver:
+  name: "podman"
+platforms:
+  - name: "instancegitlabciopenstack1"
+    image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}"
+    pre_build_image: true
+    override_command: false
+    privileged: true  # Required to run Docker in Podman
+    systemd: true
+    tty: true
+  - name: "instancegitlabciopenstack2"
+    image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}"
+    pre_build_image: true
+    override_command: false
+    privileged: true  # Required to run Docker in Podman
+    systemd: true
+    tty: true
+provisioner:
+  name: "ansible"
+  playbooks:
+    prepare: "prepare.yml"
+    converge: "converge.yml"
+  inventory:
+    hosts:
+      all:
+        vars:
+          gitlab_runner_concurrent: 4
+    host_vars:
+      instancegitlabciopenstack1:
+        gitlab_runner_version: "16.11.0"
+        gitlab_runner_deb_file: "https://packages.gitlab.com/runner/gitlab-runner/packages/{{ ansible_distribution | lower }}/{{ ansible_distribution_release | lower }}/gitlab-runner_{{ gitlab_runner_pkg_version }}_amd64.deb/download.deb"
+        gitlab_runner_install_docker: true
+        gitlab_runner_ssh_public_key: "test_key.pub"
+        gitlab_runner_ssh_private_key: "test_key"
+        gitlab_runner_sentry_dsn: "https://[email protected]/1"
+        gitlab_runner_registry_mirrors:
+          - "http://registry-mirror1.example"
+          - "https://registry-mirror2.example"
+        gitlab_runner_insecure_registries:
+          - "registry-mirror1.example"
+        gitlab_runner_enable_session_server: true
+        gitlab_runner_list:
+          - name: "test01"
+            url: "https://gitlab.com"
+            description: "Molecule test runner"
+            authentication_token: "${AUTHENTICATION_TOKEN}"
+            executor: "docker"
+            environment: ["CI_CPUS=8", "DOCKER_TLS_CERTDIR=/certs"]
+            docker_security_opts: ["seccomp=unconfined"]
+            docker_volumes: ["/cache", "/certs/client"]
+            docker_devices: ["/dev/kfd", "/dev/dri"]
+            docker_cpus: 2
+            docker_gpus: "all"
+            docker_memory: "2g"
+            docker_image: "python:3.8"
+            docker_network_mtu: 1442
+            tags: ["docker", "hifis"]
+            locked: true
+            limit: 10
+      instancegitlabciopenstack2:
+        gitlab_runner_version: "16.11.0"
+        gitlab_runner_install_docker: false
+        gitlab_runner_ssh_public_key: ""
+        gitlab_runner_ssh_private_key: ""
+        gitlab_runner_registry_mirror: "https://registry-mirror.example"
+        gitlab_runner_listen_address: "127.0.0.1:9252"
+        gitlab_runner_set_default_network_opts: true
+        gitlab_runner_list:
+          - name: "test01"
+            url: "https://gitlab.com"
+            description: "Molecule test runner"
+            authentication_token: "${AUTHENTICATION_TOKEN}"
+            executor: "docker+machine"
+            environment: ["CI_CPUS=8", "DOCKER_TLS_CERTDIR=/certs"]
+            docker_volumes: ["/cache", "/certs/client", "/opt/docker/daemon.json:/etc/docker/daemon.json:ro"]
+            docker_image: "python:3.8"
+            docker_shm_size: 2147483648
+            docker_disable_cache: true
+            tags: ["docker", "hifis"]
+            locked: true
+            limit: 10
+            machine_idle_count: 5
+            machine_idle_time: 7200
+            machine_max_builds: 4
+            machine_max_growth_rate: 2
+            machine_driver: "openstack"
+            machine_name: "auto-scale-%s"
+            machine_options:
+              - "openstack-auth-url=https://openstack.example:5000/v3"
+              - "openstack-image-id=73f07dd3-fa8b-468f-b6bc-b0cd4510f5d0"
+              - "openstack-flavor-name=m1.small"
+              - "openstack-net-id=7834deeb-8bd5-4fc7-b35b-24035d8f47a7"
+              - "openstack-username=gitlab-runner"
+              - "openstack-password=secret"
+              - "openstack-tenant-id=123456"
+              - "openstack-domain-name=default"
+              - "openstack-ssh-user=core"
+              - "openstack-sec-groups=Internal"
+              - "openstack-keypair-name=runners-internal"
+              - "openstack-private-key-file=/etc/gitlab-runner/gitlab_runner_key"
+              - "openstack-user-data-file=/etc/gitlab-runner/ignition.json"
+              - "openstack-active-timeout=300"
+              - "engine-registry-mirror=https://registry-mirror.example"
+            cache_type: "s3"
+            cache_server_address: "https://cache.example"
+            cache_access_key: "key"
+            cache_secret_key: "secret"
+            cache_bucket_name: "bucket"
+            cache_bucket_location: "eu-west-1"
+            cache_insecure: "false"
+verifier:
+  name: "ansible"
+scenario:
+  name: "gitlab_runner"
+  test_sequence:
+    - "destroy"
+    - "dependency"
+    - "syntax"
+    - "create"
+    - "prepare"
+    - "check"
+    - "converge"
+    - "idempotence"
+    - "check"
+    - "side_effect"
+    - "verify"
+    - "destroy"

molecule/gitlab_runner/molecule.yml

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: "Prepare"
+  hosts: "all"
+  tasks:
+    - name: "Install necessary packages"
+      when: "ansible_os_family == 'Debian'"
+      block:
+        - name: "Install missing dependencies"
+          ansible.builtin.apt:
+            name:
+              - "sudo"              # for `become` privilege escalation
+              - "iproute2"          # for gathering network facts
+              - "ca-certificates"   # for Gitlab-Runner download
+              - "gpg"
+              - "python3-debian"
+            state: "present"
+            update_cache: true
+    - name: "Set up iptables"
+      when: "ansible_distribution == 'Debian'"
+      block:
+        - name: "Install missing dependencies"
+          ansible.builtin.apt:
+            name:
+              - "iptables"
+            state: "present"
+            update_cache: true
+        - name: "Use legacy iptables"
+          community.general.alternatives:
+            name: "iptables"
+            path: "/usr/sbin/iptables-legacy"
+        - name: "Use legacy ip6tables"
+          community.general.alternatives:
+            name: "ip6tables"
+            path: "/usr/sbin/ip6tables-legacy"

molecule/gitlab_runner/prepare.yml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+roles:
+  - name: "geerlingguy.docker"

molecule/gitlab_runner/requirements.yml

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAZxWIoT1CX3FFjc3+Em53Hy5ht8AbF8QHWQb25c3H2hQAAAJCiuPqvorj6
+rwAAAAtzc2gtZWQyNTUxOQAAACAZxWIoT1CX3FFjc3+Em53Hy5ht8AbF8QHWQb25c3H2hQ
+AAAEBQMNsWaiJGO+9HM245p+bcdI6mucBBHnD+880/zEOOERnFYihPUJfcUWNzf4SbncfL
+mG3wBsXxAdZBvblzcfaFAAAACXVzZXJAaG9zdAECAwQ=
+-----END OPENSSH PRIVATE KEY-----

molecule/gitlab_runner/test_key

@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+
+SPDX-License-Identifier: Apache-2.0

molecule/gitlab_runner/test_key.license

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBnFYihPUJfcUWNzf4SbncfLmG3wBsXxAdZBvblzcfaF

molecule/gitlab_runner/test_key.pub

@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+
+SPDX-License-Identifier: Apache-2.0