neilkuan / cdk-gitlab-runner
Use AWS CDK to create a GitLab runner, and use the GitLab runner to help you execute your GitLab pipeline jobs.
License: Apache License 2.0
Imagine you already have a (shared) runner and would therefore be able to install this project's runner by executing a pipeline based on a .gitlab-ci.yaml that includes all the commands, running on public Docker images, needed to install everything required and execute the cdk-gitlab-runner setup.
Use public ECR to replace docker.io:
https://gallery.ecr.aws/gitlab/gitlab-runner
This is a Feature Request
First off, thanks for creating this package. It has served me well, but I have hit a bit of a wall when it comes to my CI jobs accessing an RDS instance that is only available on the VPC from the Gitlab runner.
I am trying to find a way to grant the Gitlab runner access to my RDS database but have not managed to do so, and I am wondering if that is a limitation of this package or an error in my code. I granted access to the database from Lambda by simply passing a security group I created from the VPC into the Lambda props. It appears this can also be done with EC2 in a similar fashion, but the Gitlab runner creates its own security group rather than taking one through props.
Is there a workaround to allow the Gitlab runner to access RDS? I have posted my code below to hopefully make clear what I'm trying to achieve. Apologies if anything is unclear; I am fairly new to this.
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

export default class MyStack extends Construct {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // my vpc
    const vpc = new ec2.Vpc(this, `VPC`, {
      cidr: '10.0.0.0/20',
      natGateways: 1,
      maxAzs: 2,
      enableDnsHostnames: true,
      enableDnsSupport: true,
      subnetConfiguration: [
        {
          cidrMask: 22,
          name: 'public',
          subnetType: ec2.SubnetType.PUBLIC
        },
        {
          cidrMask: 22,
          name: 'private',
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED
        }
      ]
    });

    // my sg: the VPC's default security group, opened to itself on 5432
    const defaultSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
      this,
      'SG',
      vpc.vpcDefaultSecurityGroup
    );
    defaultSecurityGroup.addIngressRule(
      ec2.Peer.securityGroupId(defaultSecurityGroup.securityGroupId),
      ec2.Port.tcp(5432),
      'Opening RDS to Lambda'
    );

    // database credentials: a generated secret (assumed; the snippet referenced
    // databaseCredentialsSecret without defining it)
    const databaseCredentialsSecret = new secretsmanager.Secret(this, 'DbSecret', {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({ username: 'postgres' }),
        generateStringKey: 'password',
        excludePunctuation: true
      }
    });

    // my rds cluster
    const rdsCluster = new rds.DatabaseCluster(this, `Cluster`, {
      engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
      parameterGroup: rds.ParameterGroup.fromParameterGroupName(
        this,
        'ParameterGroup',
        'default.aurora-postgresql13'
      ),
      instanceProps: {
        vpc,
        // select subnets from the vpc defined above (there is no `props` in this constructor)
        vpcSubnets: vpc.selectSubnets({
          subnetType: ec2.SubnetType.PUBLIC
        }),
        instanceType: ec2.InstanceType.of(
          ec2.InstanceClass.T3,
          ec2.InstanceSize.MEDIUM
        ),
        securityGroups: [defaultSecurityGroup]
      },
      instances: 1,
      storageEncrypted: true,
      credentials: rds.Credentials.fromSecret(databaseCredentialsSecret)
    });
  }
}
Describe the bug
As the system log below shows, a command in userData, 'usermod -aG docker ssm-user', does not work.
[ 93.182052] cloud-init[2486]: usermod: user 'ssm-user' does not exist
Expected behavior
ssm-user should have existed before usermod runs.
Additional context
The usermod command can be deleted if it is just there for running docker commands without sudo.
I would love to see this construct library being able to handle multiple GitLab CI tokens for one runner.
Creating a runner that is supposed to cover multiple projects but not a whole group.
This...
new GitlabRunnerAutoscaling(stack, 'foo', {
gitlabToken: 'bar'
});
...becomes this:
new GitlabRunnerAutoscaling(stack, 'foo', {
gitlabTokens: ['bar', 'baz']
});
This is a Feature Request
The GitLab Runner should be able to dynamically resolve the GitLab token from AWS Secrets Manager.
Get rid of the need to pass a token and write it into the resulting CloudFormation template in clear text.
Add gitlabTokenSecretName into the props.
If gitlabToken is not specified and gitlabTokenSecretName is, the construct adds the command
$(aws secretsmanager get-secret-value --region ${Aws.REGION} --secret-id gitlab-runner --query SecretString --output text | grep -o '"registration-token":"[^"]*' | grep -o '[^"]*$')
instead of the clear text token into the user data.
If gitlabTokenSecretName is specified, the construct adds read permissions for the secret to the instance role:
import { Aws } from 'aws-cdk-lib';
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';

// instanceRole is the runner instance's IAM role created by the construct
instanceRole.addToPrincipalPolicy(new PolicyStatement({
  actions: [
    "secretsmanager:GetSecretValue"
  ],
  effect: Effect.ALLOW,
  resources: [
    `arn:aws:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:gitlab-runner*`
  ]
}));
Successfully tested the proposed solution with the existing construct.
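The proposal above extracts the token from the secret with two grep calls and grants read access with a "gitlab-runner*" resource wildcard. As an added example (not the construct's own code), the following Python shows the two points a reviewer would raise: parse the SecretString as JSON instead of grepping it, and scope the IAM resource to the one secret. The secret values are constructed samples, and the helper names are mine; the "-??????" suffix pattern follows the AWS guidance for Secrets Manager ARNs, which end in a random six-character suffix.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample SecretString values (not real tokens). The first is the
# compact JSON the proposal's grep pipeline expects; the second is the same
# secret pretty-printed, as tooling that writes secrets with indentation would.
COMPACT_SECRET = '{"registration-token":"EXAMPLE-TOKEN-not-real"}'
PRETTY_SECRET = json.dumps({"registration-token": "EXAMPLE-TOKEN-not-real"}, indent=2)


def grep_style_extract(secret_string: str) -> Optional[str]:
    """Emulate grep -o '"registration-token":"[^"]*' | grep -o '[^"]*$'.

    Kept only to show the failure mode: the pattern needs the exact byte
    sequence ":" with no whitespace after the colon and cannot handle
    escaped quotes inside the value.
    """
    match = re.search(r'"registration-token":"[^"]*', secret_string)
    if not match:
        return None
    tail = re.search(r'[^"]*$', match.group(0))
    return tail.group(0) if tail else None


def extract_registration_token(secret_string: str, key: str = "registration-token") -> str:
    """Parse the SecretString as JSON and return the token stored under `key`.

    Raises instead of returning an empty string, so a boot script using it
    fails loudly rather than registering the runner with a blank token.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("SecretString is not valid JSON") from exc
    if not isinstance(data, dict) or key not in data:
        raise KeyError(f"secret has no '{key}' field")
    token = data[key]
    if not isinstance(token, str) or not token.strip():
        raise ValueError(f"'{key}' must be a non-empty string")
    return token


def secret_read_statement(region: str, account_id: str, secret_name: str) -> Dict[str, Any]:
    """Least-privilege IAM statement for the instance role: read one secret.

    Secrets Manager appends a random six-character suffix to secret ARNs, so
    the resource uses '-??????' (exactly six wildcard characters) rather than
    'gitlab-runner*', which would also match every other secret whose name
    merely starts with gitlab-runner.
    """
    return {
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": [
            f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_name}-??????"
        ],
    }
```

On the instance, the equivalent of the grep pipeline is `aws secretsmanager get-secret-value ... --output text | python3 -c '...'` calling extract_registration_token; the value still never appears in the CloudFormation template, which is the point of the request.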
This is a Feature Request
I have been using the GitlabContainerRunner construct for a while, and it has been working great. A while ago, we enabled AWS Security Hub and have been working through its findings.
Here are some of the findings:
I have been able to add fixes later, but the solution is not nice. Especially feature 2 is difficult to do, as it is easy to add new rules to a security group, but removing rules is very difficult.
Fixing finding 1 shouldn't incur any breaking changes for anyone, so this can be enabled with a simple option on the construct. Finding 2 might be a bit more complicated; maybe this could be an option along the lines of disable_ssh_access that would be False by default.
There are 2 deprecation warnings when using constructs provided by this repository.
CDK OUTPUT
[WARNING] aws-cdk-lib.aws_ec2.VpcProps#cidr is deprecated.
Use ipAddresses instead
This API will be removed in the next major release.
[WARNING] aws-cdk-lib.aws_ec2.MachineImage#latestAmazonLinux is deprecated.
use MachineImage.latestAmazonLinux2 instead
This API will be removed in the next major release.
Links:
cidr deprecation
latestAmazonLinux deprecation
Both of these are fairly easy to fix, as they are mostly a change in syntax. If you like, I could make these changes and submit a pull request. However, given how simple these changes are, it could be faster if you made these changes yourself.
Hello!
I hope you are doing well!
We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.
Can you enable it, so that we can report it?
Thanks in advance!
PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
Install amazon-cloudwatch-agent.
If amazon-cloudwatch-agent sends metrics to CloudWatch, it enables further improvements below:
Use userData to install amazon-cloudwatch-agent on instances.
This is a Feature Request
Terminate runner instances with low disk space in order to avoid run-time errors.
As time goes by, the free space of the EBS volume gets smaller. It causes a "no space left on device" error at run-time. Gitlab runners that have low free EBS space should be terminated before that happens.
Use an SNS topic and a CloudWatch alarm to call a Lambda function that terminates the runner instance on low disk space using boto3.
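The Lambda side of that proposal, as an added example that is not part of the issue or the library: it parses the SNS-wrapped CloudWatch alarm message, takes the InstanceId from the alarm's dimensions, and terminates only when the alarm is in ALARM state for the expected metric, so a mis-wired topic cannot cause terminations. The event is a constructed sample shaped like the CloudWatch agent's disk_used_percent alarm; the EC2 client is injected so the logic can be exercised without AWS credentials.

```python
import json
from typing import Any, Dict, List, Optional, Protocol


class Ec2Terminator(Protocol):
    """The one boto3 EC2 client method this handler needs."""
    def terminate_instances(self, InstanceIds: List[str]) -> Dict[str, Any]: ...


# Constructed sample of the SNS event a CloudWatch alarm on the CloudWatch agent's
# disk_used_percent metric (namespace CWAgent) delivers to a subscribed Lambda.
SAMPLE_EVENT = {
    "Records": [{
        "Sns": {
            "Message": json.dumps({
                "AlarmName": "gitlab-runner-low-disk",
                "NewStateValue": "ALARM",
                "Trigger": {
                    "MetricName": "disk_used_percent",
                    "Namespace": "CWAgent",
                    "Dimensions": [
                        {"name": "InstanceId", "value": "i-0123456789abcdef0"},
                        {"name": "path", "value": "/"},
                    ],
                },
            })
        }
    }]
}


def instance_id_from_alarm(message: Dict[str, Any]) -> Optional[str]:
    """Pull the InstanceId dimension out of a CloudWatch alarm notification."""
    for dim in message.get("Trigger", {}).get("Dimensions", []):
        if dim.get("name") == "InstanceId":
            return dim.get("value")
    return None


def handle_low_disk(event: Dict[str, Any], ec2: Ec2Terminator,
                    expected_metric: str = "disk_used_percent") -> List[str]:
    """Terminate the instance named in each ALARM notification; return the ids terminated."""
    terminated: List[str] = []
    for record in event.get("Records", []):
        message = json.loads(record["Sns"]["Message"])
        # Only act on transitions into ALARM; OK / INSUFFICIENT_DATA notifications are ignored.
        if message.get("NewStateValue") != "ALARM":
            continue
        # Refuse to terminate on an alarm built from some other metric.
        if message.get("Trigger", {}).get("MetricName") != expected_metric:
            continue
        instance_id = instance_id_from_alarm(message)
        if not instance_id:
            continue
        ec2.terminate_instances(InstanceIds=[instance_id])
        terminated.append(instance_id)
    return terminated


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point: uses a real boto3 client (imported lazily so the
    module still loads for local checks without boto3 installed)."""
    import boto3
    return {"terminated": handle_low_disk(event, boto3.client("ec2"))}
```

The function's role should allow ec2:TerminateInstances only on instances carrying the runner's tag (an `ec2:ResourceTag/...` condition), so that the alarm topic cannot be used to terminate anything else in the account.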
This is a Feature Request
It would be useful to configure the number of concurrent jobs a runner can handle. This means that it is not needed to create multiple runners if you are running many simple tasks (such as linting and waiting for servers to come online).
Either a new configuration field is added to the GitlabContainerRunner construct like this
const runner = new GitlabContainerRunner(this, 'testing', {
gitlabtoken: '$GITLABTOKEN',
ec2type: 't3.large',
configuration: {
concurrent_jobs: 4,
}
});
or it is added as a new field
const runner = new GitlabContainerRunner(this, 'testing', {
gitlabtoken: '$GITLABTOKEN',
ec2type: 't3.large',
concurrent_jobs: 4,
});
https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
I may be able to implement this feature request
It has been a while since I wrote JavaScript code, but I could try to implement this.
This is a Feature Request
link this issue at gitlab
git
Use sudo amazon-linux-extras install docker to install Docker on Amazon Linux 2.
This is a Feature Request
Describe the bug
I had an EC2 instance with a GitLab runner which stopped working. So, I attempted to simply redeploy the stack that contained the runner; however, no runner is created after the stack has been redeployed.
When logging into the instance using ec2 connect, there are no docker containers running.
To Reproduce
Expected behavior
Runner is created
Additional context
Created using Python CDK using the following arguments:
from cdk_gitlab_runner import GitlabContainerRunner
...
runner = GitlabContainerRunner(
self, 'gitlabRunner',
gitlabtoken=gitlab_token.string_value,
ec2type='t3.small',
concurrent_jobs=3,
tags=[],
runner_description='Group Runner',
)
Describe the bug
When using runner versions after 15.10, there is a check here which checks if the token contains the substring 'glrt'. When fetching the token from SSM, you are given a token which is resolved at deployment time. This token does not contain glrt, which stops the execution.
To Reproduce
Steps to reproduce the behavior:
from aws_cdk import aws_ssm as ssm
from cdk_gitlab_runner import GitlabContainerRunner

# The parameter value is only resolved at deploy time, so at synth time it is a CDK token
gitlab_token = ssm.StringParameter.from_string_parameter_name(
    self, 'gitlabRunnerRegisterToken',
    string_parameter_name='/gitlab/groupToken',
)
runner = GitlabContainerRunner(
    self, 'gitlabRunner',
    gitlabtoken=gitlab_token.string_value,
    gitlab_runner_version='16.8',
    ec2type='t3.small',
    concurrent_jobs=3,
    tags=[],
    runner_description='Group Runner',
)
Additional context
I am using python.
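The bug above is a synth-time string check on a value that only exists at deploy time. As an added example (not the library's code), here is the shape of a fix in plain Python: tell an unresolved CDK token apart from a literal, and when the value is unresolved, emit a boot-time shell check instead of deciding at synth time. It assumes unresolved string tokens render as ${Token[TOKEN.n]}, which is how the CDK prints them, and that authentication tokens carry the documented glrt- prefix; --token and --registration-token are gitlab-runner register's real flags, and the helper names are mine.

```python
import re
from enum import Enum

# An unresolved CDK string token (e.g. an SSM parameter read at deploy time)
# is rendered as a placeholder of this form; its real value is not available
# to construct code during synthesis.
_CDK_TOKEN_RE = re.compile(r"\$\{Token\[[^\]]+\]\}")


class TokenKind(Enum):
    AUTHENTICATION = "authentication"  # new-workflow runner token, prefixed glrt-
    REGISTRATION = "registration"      # legacy registration token
    UNRESOLVED = "unresolved"          # deploy-time value; cannot be inspected now


def classify_runner_token(value: str) -> TokenKind:
    """Decide which registration mode the token calls for, or that we cannot tell yet."""
    if _CDK_TOKEN_RE.search(value):
        return TokenKind.UNRESOLVED
    if value.startswith("glrt-"):
        return TokenKind.AUTHENTICATION
    return TokenKind.REGISTRATION


def register_command(token: str) -> str:
    """Return the shell that registers the runner with the right flag for `token`.

    For an unresolved token the decision is deferred to the instance:
    CloudFormation substitutes the real value into user data, so a shell
    `case` on the prefix at boot sees the actual token.
    """
    kind = classify_runner_token(token)
    if kind is TokenKind.AUTHENTICATION:
        return f"gitlab-runner register --non-interactive --token '{token}'"
    if kind is TokenKind.REGISTRATION:
        return f"gitlab-runner register --non-interactive --registration-token '{token}'"
    return (
        f"RUNNER_TOKEN='{token}'\n"
        'case "$RUNNER_TOKEN" in\n'
        '  glrt-*) gitlab-runner register --non-interactive --token "$RUNNER_TOKEN" ;;\n'
        '  *) gitlab-runner register --non-interactive --registration-token "$RUNNER_TOKEN" ;;\n'
        "esac"
    )
```

The literal-token branches keep the existing behaviour; only the unresolved branch changes what lands in user data, and the token itself still never appears in the synthesized template.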
add dockerVolumesList() in GitlabRunnerAutoscaling()
This is a Feature Request
The initial design is to provision an ASG with a launch configuration for spot instances, which requires specifying the spotPrice.
I believe we can replace it with ASG + LaunchTemplate, in which we don't have to specify maxPrice, and eventually we can remove the spotPrice.
This is a Feature Request
GitLab deprecated the registration token.
For further reading, check this:
https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
Describe the bug
The lifecycle policy for the auto scaling group is deleted before it runs when destroying the CloudFormation stack.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The registered Gitlab runner has to be deleted on stack destroy.
Additional context
Socket binding causes problems when a job uses dind: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-socket-bindi
Make it optional.
This is a Feature Request
Describe the bug
Unable to deploy construct configured to use spot instances.
To Reproduce
Steps to reproduce the behavior:
from aws_cdk import Duration, Stack
from constructs import Construct
from cdk_gitlab_runner import BlockDuration, GitlabContainerRunner


class DevelopmentResourcesStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs):
        super().__init__(scope, construct_id, **kwargs)
        runner = GitlabContainerRunner(
            self, 'gitlabRunner',
            gitlabtoken='[REDACTED]',
            ec2type='t3.large',
            block_duration=BlockDuration.ONE_HOUR,
            spot_fleet=True,
            tags=['spot']
        )
        runner.expire_after(Duration.hours(1))
unregisterRunnerCR
Task timed out after 60.00 seconds
(404 follows soon after this message)
OR
[ERROR] ClientError: An error occurred (404) when calling the HeadObject operation: Not Found
Traceback (most recent call last):
File "/var/task/unregister_runner.py", line 37, in on_event
return on_delete(event)
File "/var/task/unregister_runner.py", line 62, in on_delete
s3.download_file(props['BucketName'], 'runnertoken.txt', '/tmp/runnertoken.txt')
File "/var/runtime/boto3/s3/inject.py", line 171, in download_file
return transfer.download_file(
File "/var/runtime/boto3/s3/transfer.py", line 315, in download_file
future.result()
File "/var/runtime/s3transfer/futures.py", line 103, in result
return self._coordinator.result()
File "/var/runtime/s3transfer/futures.py", line 266, in result
raise self._exception
File "/var/runtime/s3transfer/tasks.py", line 269, in _main
self._submit(transfer_future=transfer_future, **kwargs)
File "/var/runtime/s3transfer/download.py", line 354, in _submit
response = client.head_object(
File "/var/runtime/botocore/client.py", line 391, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/var/runtime/botocore/client.py", line 719, in _make_api_call
raise error_class(parsed_response, operation_name)
Expected behavior
Resources deploy normally.
Additional info
The bucket created by the construct appears to be empty for its entire lifetime. Region is eu-central-1