This is the Experimental version (Latest). It is under active development and may change. For the most reliable documentation, use the Stable version.

Opstella Core (Back-end) Additional Resources Installation


Opstella uses some resources that are stored in Kubernetes ConfigMaps. These are intentionally left for you to manage and often require customisation from you.

Opstella-managed GitLab Runner Deployment Template Customization


Opstella will deploy and register GitLab Runner for you on 🟢 Management Kubernetes Cluster once Opstella is fully configured.

This deployment template is stored as a Kubernetes ConfigMap, which allows customisation and flexibility for any environment that YOU may want to add or adjust.

  1. Create a copy of GitLab Deployment Template from assets directory.

    cp $BASE_WORKING_DIR/assets/kubernetes-manifests/opstella-core-gitlab-runner.go.tpl.yaml \
    $BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml
  2. You MAY EDIT the copied GitLab Deployment Template, using a text editor of your choice.

    vim $BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml

    Or follow along with the sections below if you prefer not to edit the file by hand.

GitLab Runner uses S3 API-compatible Object Storage for its Runner Caches

Prerequisites

  • 🔑 Credentials to Access S3 Bucket: Access Key, Secret Key
    • These credentials should be from the ones you defined in the SeaweedFS (HA) Installation guide (specifically SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD as the secret and gitlab-ci as the access key).
  1. Set S3(-compatible) Storage Connection

    • S3 Domain: ${SEAWEEDFS_HA_API_DOMAIN}
    • S3 Bucket Name: gitlab-ci-caches
    • S3 Bucket Region: us-east-1
    • S3 Access Key: gitlab-ci
    • S3 Secret Key: CHANGEME ; Use the value of SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD

    (Ensure these S3 GitLab Runners variables are exported from your shell values)

  2. Create a Kubernetes Secret named gitlab-runners-s3-access in the opstella-shared-runner Namespace to store the credentials GitLab Runner uses to access the S3 Bucket.

    Connect to the 🟢 Management Kubernetes Cluster, i.e. with a Kubeconfig file.

    Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

    source "$BASE_WORKING_DIR/shell-values/kubernetes/management_cluster.vars.sh"

    Ensure BASE_DOMAIN, HARBOR_DOMAIN, MIRROR_REGISTRY_PATH are defined as per the Shell Variables guide.

    kubectl create secret generic gitlab-runners-s3-access \
    --namespace opstella-shared-runner \
    --from-literal=accesskey=gitlab-ci \
    --from-literal=secretkey="${SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD}"
  3. Edit the GitLab Deployment Template and go to the ConfigMap section.

    ... (omitted)
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ .Name }}
      labels:
        app: {{ .Name }}
      ... (omitted)
    data:
      config.template.toml: |
        [[runners]]
          clone_url = "{{ .GitlabServer }}"
          [runners.cache]
            Type = "s3"
            Shared = true
            [runners.cache.s3]
              ServerAddress = "${SEAWEEDFS_HA_API_DOMAIN}"
              BucketName = "gitlab-ci-caches"
              BucketLocation = "us-east-1"
              AuthenticationType = "access-key"
        ... (omitted)

    Edit the file as follows:

    • [runners.cache.s3] section, to configure Runners to use S3 API-compatible Object Storage.
      • Set ServerAddress to the SeaweedFS API Domain ${SEAWEEDFS_HA_API_DOMAIN}
      • Set BucketName to the Bucket Name gitlab-ci-caches (leave the default)
      • Set BucketLocation to the Bucket Region us-east-1 (leave the default)

    Or simply run these commands:

    sed -i "s@\${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_DOMAIN}@$SEAWEEDFS_HA_API_DOMAIN@g" \
    "$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml"

    sed -i "s@\${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_NAME}@gitlab-ci-caches@g" \
    "$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml"

    sed -i "s@\${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_REGION}@us-east-1@g" \
    "$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml"
  4. Go to the Deployment section and add the Kubernetes Secret gitlab-runners-s3-access as an extra source in the existing projected-secrets volume.

    ... (omitted)
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      ... (omitted)
    spec:
      ... (omitted)
      template:
        ... (omitted)
          volumes:
            ... (omitted)
            - name: projected-secrets
              projected:
                sources:
                  ### ADD THIS IF NOT EXIST ###
                  - secret:
                      name: gitlab-runners-s3-access
                      optional: true
                  ### ADD THIS IF NOT EXIST ###
                  - secret:
                      ... (omitted)
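
An alternative for the Secret creation in step 2, as an added example that is not part of the Opstella documentation or tooling: it refuses an empty credential (for instance when SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD was never exported) and hands the manifest to kubectl on stdin, so the secret key is not a kubectl command-line argument. The function name render_s3_secret is hypothetical; the Secret name, namespace and key names are the ones used on this page.

```sh
# Added example; render_s3_secret is a hypothetical helper, not an Opstella command.

# Emit a Secret manifest on stdout. Values are base64-encoded into `data:`,
# so special characters in the secret need no YAML quoting.
render_s3_secret() {
  access_key=$1
  secret_key=$2
  # An unset or empty shell variable would otherwise yield an empty credential.
  if [ -z "$access_key" ] || [ -z "$secret_key" ]; then
    echo "render_s3_secret: access key and secret key must be non-empty" >&2
    return 1
  fi
  ak_b64=$(printf '%s' "$access_key" | base64 | tr -d '\n')
  sk_b64=$(printf '%s' "$secret_key" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-runners-s3-access
  namespace: opstella-shared-runner
type: Opaque
data:
  accesskey: ${ak_b64}
  secretkey: ${sk_b64}
EOF
}

# Usage against the management cluster (not executed here):
#   render_s3_secret gitlab-ci "$SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD" \
#     | kubectl create -f -
```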

GitLab Runner with imagePullSecrets to Pull Artifacts from a Registry


Prerequisites

  • 🔑 Credentials to Access Registry: Harbor Robot Account
    • Harbor Domain: Use HARBOR_DOMAIN from the Shell Variables guide.
    • Username: robot$opstella-gitlab-runners
    • Password: CHANGEME ; Change to the one you retrieved once you created Robot Account
  1. Store Pull Credentials as Kubernetes Secret

    Replace HARBOR_ROBOT_GITLAB_USER and HARBOR_ROBOT_GITLAB_PASSWORD with your Harbor Robot Account username and password. Keep both values in single quotes: the robot username contains $, which the shell would otherwise expand.

    # Create a docker-registry Secret holding the Harbor pull credentials
    kubectl create secret docker-registry gitlab-runners-harbor-pullsecret -n opstella-shared-runner \
    --docker-server="${HARBOR_DOMAIN}" \
    --docker-username='HARBOR_ROBOT_GITLAB_USER' \
    --docker-password='HARBOR_ROBOT_GITLAB_PASSWORD'
  2. Edit the GitLab Deployment Template and go to the ConfigMap section.

    ... (omitted)
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ .Name }}
      labels:
        app: {{ .Name }}
      ... (omitted)
    data:
      config.template.toml: |
        [[runners]]
          clone_url = "{{ .GitlabServer }}"
          [runners.cache]
            Type = "s3"
            Shared = true
            [runners.cache.s3]
              ... (omitted)
          [runners.kubernetes]
            namespace = "{{ .Namespace }}"
            image = "ubuntu:24.04"
            ### ADD THIS ###
            image_pull_secrets = ['gitlab-runners-harbor-pullsecret']
            ### ADD THIS ###
        ... (omitted)

    Edit the file as follows:

    • [runners.kubernetes] section
      • Add image_pull_secrets = ['gitlab-runners-harbor-pullsecret'] for the imagePullSecrets that you have created.

    Or simply run this command:

    sed -i "s#\${OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_TOML}#image_pull_secrets = ['gitlab-runners-harbor-pullsecret']#g" \
    "$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml"

Extra Opstella-managed GitLab CI/CD Variables


Opstella manages certain pre-defined CI/CD Variables; extra CI/CD Variables need to be created once you start using Opstella.

  • Mirrored Container Image Registry Path
    • On Harbor, you have set up a Proxy Cache Project for mirroring Container Images.
    • This CI/CD variable allows the mirrored registry path to be patched in at CI/CD runtime.

    # Render the variables file from the template, filling in the mirror registry path
    sed "s@\${MIRROR_REGISTRY_PATH}@$HARBOR_DOMAIN/mirror-@g" \
    "$BASE_WORKING_DIR/assets/kubernetes-manifests/opstella-core-gitlab-variables.tpl.yaml" \
    > "$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-variables.yaml"
  1. Connect to the 🟢 Management Kubernetes Cluster, i.e. with a Kubeconfig file.

    Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

    source "$BASE_WORKING_DIR/shell-values/kubernetes/management_cluster.vars.sh"

    Ensure BASE_DOMAIN is defined as per the Shell Variables guide.

  2. Create a Kubernetes ConfigMap named opstella-core-gitlab-configs in the opstella-system Namespace.

    kubectl create configmap opstella-core-gitlab-configs --namespace opstella-system \
    --from-file=gitlab-runner-template.yaml="$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml" \
    --from-file=variables.yaml="$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-variables.yaml"
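
A pre-flight check to run on both rendered files before the kubectl create configmap command above, as an added example that is not part of the Opstella documentation or tooling. It catches placeholders the sed commands left unreplaced and an S3 secret key pasted into ConfigMap-bound content. The function names are hypothetical; the placeholder names are the ones used by the sed commands on this page.

```sh
# Added example; check_placeholders, check_no_secret and preflight are
# hypothetical helpers, not Opstella commands.

# Print (with line numbers) any placeholder the sed commands did not replace.
# Returns 0 when the file is fully rendered, 1 if placeholders remain,
# 2 if the file cannot be read.
check_placeholders() {
  file=$1
  pattern='\$\{(OPSTELLA_MANAGED_GITLAB_RUNNERS_[A-Z0-9_]+|MIRROR_REGISTRY_PATH)\}'
  if [ ! -r "$file" ]; then
    echo "cannot read $file" >&2
    return 2
  fi
  if grep -nE "$pattern" "$file"; then
    echo "unreplaced placeholder(s) in $file" >&2
    return 1
  fi
  return 0
}

# The credentials belong in the gitlab-runners-s3-access Secret only: fail if
# the secret key value appears in a file about to become ConfigMap data.
check_no_secret() {
  file=$1
  secret=$2
  if [ -z "$secret" ]; then
    echo "secret value is empty; is the variable exported?" >&2
    return 2
  fi
  if grep -qF -e "$secret" "$file"; then
    echo "secret value present in $file" >&2
    return 1
  fi
  return 0
}

# Run both checks on one file.
preflight() {
  check_placeholders "$1" && check_no_secret "$1" "$2"
}

# Usage (not executed here):
#   preflight "$BASE_WORKING_DIR/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml" \
#     "$SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD"
```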
