Opstella Core (Back-end) Additional Resources Installation

Some resources used by Opstella are stored in Kubernetes ConfigMaps, which are intentionally left for you to manage and often require customisation.

Opstella-managed GitLab Runner Deployment Template Customization

Opstella will deploy and register GitLab Runner for you on 🟢 Management Kubernetes Cluster once Opstella is fully configured.

This deployment template is stored as a Kubernetes ConfigMap, which allows customisation and flexibility for any environment settings that you may want to add or adjust.

  1. Create a copy of GitLab Deployment Template from assets directory.

    cp $HOME/opstella-installation/assets/kubernetes-manifests/opstella-core-gitlab-runner.go.tpl.yaml \
    $HOME/opstella-installation/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml
  2. You MAY EDIT the copied GitLab Deployment Template. (You may use Text Editor of your choice.)

    vim $HOME/opstella-installation/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml

    Or follow along with the commands below if you would rather not edit the file by hand.

GitLab Runner Uses S3 API-compatible Object Storage as its Runner Caches

Prerequisites

  • 🔑 Credentials to Access S3 Bucket: Access Key, Secret Key
    • These credentials should be from the ones you defined in the SeaweedFS (HA) Installation guide (specifically SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD as the secret and gitlab-ci as the access key).
  1. Set S3(-compatible) Storage Connection

    • S3 Domain: seaweedfs-api.${BASE_DOMAIN}
    • S3 Bucket Name: gitlab-ci-caches
    • S3 Bucket Region: us-east-1
    • S3 Access Key: gitlab-ci
    • S3 Secret Key: CHANGEME ; Use the value of SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD
    export OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_DOMAIN="seaweedfs-api.${BASE_DOMAIN}"
    export OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_NAME="gitlab-ci-caches"
    export OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_REGION="us-east-1"
    export OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_ACCESS_KEY="gitlab-ci"
    export OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_ACCESS_SECRET="${SEAWEEDFS_HA_S3_GITLAB_CI_PASSWORD}"
  2. Create a Kubernetes Secret named gitlab-runners-s3-access in the opstella-shared-runner Namespace that stores the credentials GitLab Runner uses to access the S3 bucket

    Connect to the 🟢 Management Kubernetes Cluster, i.e. with a Kubeconfig file

    Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

    source $HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh
    export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

    Ensure BASE_DOMAIN, HARBOR_DOMAIN, MIRROR_REGISTRY_PATH are defined as per the Shell Variables guide.

    # Quote the values so that spaces or special characters in a credential are passed intact
    kubectl create secret generic gitlab-runners-s3-access \
    --namespace opstella-shared-runner \
    --from-literal=accesskey="${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_ACCESS_KEY}" \
    --from-literal=secretkey="${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_ACCESS_SECRET}"
  3. Edit the GitLab Deployment Template and go to the ConfigMap section

    ... (omitted)
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ .Name }}
      labels:
        app: {{ .Name }}
    ... (omitted)
    data:
      config.template.toml: |
        [[runners]]
          clone_url = "{{ .GitlabServer }}"
          [runners.cache]
            Type = "s3"
            Shared = true
            [runners.cache.s3]
              ServerAddress = "seaweedfs-api.${BASE_DOMAIN}"
              BucketName = "gitlab-ci-caches"
              BucketLocation = "us-east-1"
              AuthenticationType = "access-key"
        ... (omitted)

    Edit the file as follows:

    • [runners.cache.s3] section, to configure Runners to use S3 API-compatible Object Storage.
      • Edit ServerAddress for SeaweedFS API Domain seaweedfs-api.${BASE_DOMAIN}
      • Edit BucketName for Bucket Name gitlab-ci-caches ; Leave Default
      • Edit BucketLocation for Bucket Region us-east-1 ; Leave Default

    Or simply run the following commands:

    sed -i "s@\${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_DOMAIN}@$OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_DOMAIN@g" \
    $HOME/opstella-installation/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml
    sed -i "s@\${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_NAME}@$OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_NAME@g" \
    $HOME/opstella-installation/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml
    sed -i "s@\${OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_REGION}@$OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_BUCKET_REGION@g" \
    $HOME/opstella-installation/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml
  4. Go to the Deployment section and add the Kubernetes Secret gitlab-runners-s3-access as an extra source of the existing projected-secrets volume.

    ... (omitted)
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      ... (omitted)
    spec:
      ... (omitted)
      template:
        ... (omitted)
          volumes:
            ... (omitted)
            - name: projected-secrets
              projected:
                sources:
                  ### ADD THIS IF NOT EXIST ###
                  - secret:
                      name: gitlab-runners-s3-access
                      optional: true
                  ### ADD THIS IF NOT EXIST ###
                  - secret:
                      ... (omitted)

GitLab Runner with imagePullSecrets to Pull Artifacts from a Registry

Prerequisites

  • 🔑 Credentials to Access Registry: Harbor Robot Account
    • Harbor Domain: Use HARBOR_DOMAIN from the Shell Variables guide.
    • Username: robot$opstella-gitlab-runners
    • Password: CHANGEME ; Change to the one you retrieved once you created Robot Account
  1. Store Pull Credentials as Kubernetes Secret

    ## For security reasons turn off bash history momentarily
    set +o history
    export REGISTRY_USERNAME='robot$opstella-gitlab-runners'
    export REGISTRY_PASSWORD="CHANGEME"

    Create Kubernetes Secret

    You will create a Kubernetes Secret named gitlab-runners-harbor-${BASE_DOMAIN}

    export OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_NAME="gitlab-runners-harbor-${BASE_DOMAIN}"
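    # Create a docker-registry Secret (the credentials are stored as .dockerconfigjson)
    # Quote the values so that special characters in the credentials are passed intact
    kubectl create secret docker-registry "${OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_NAME}" -n opstella-shared-runner \
    --docker-server="${HARBOR_DOMAIN}" \
    --docker-username="${REGISTRY_USERNAME}" \
    --docker-password="${REGISTRY_PASSWORD}"
    ## Turn bash history back on
    set -o history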
  2. Edit the GitLab Deployment Template and go to the ConfigMap section

    ... (omitted)
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ .Name }}
      labels:
        app: {{ .Name }}
    ... (omitted)
    data:
      config.template.toml: |
        [[runners]]
          clone_url = "{{ .GitlabServer }}"
          [runners.cache]
            Type = "s3"
            Shared = true
            [runners.cache.s3]
              ... (omitted)
          [runners.kubernetes]
            namespace = "{{ .Namespace }}"
            image = "ubuntu:24.04"
            ### ADD THIS ###
            image_pull_secrets = ['gitlab-runners-harbor-${BASE_DOMAIN}']
            ### ADD THIS ###
        ... (omitted)

    Edit the file as follows:

    • [runners.kubernetes] section
      • Add image_pull_secrets = ['gitlab-runners-harbor-${BASE_DOMAIN}'] for the imagePullSecrets that you have created.

    Or simply run the following commands:

    export OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_NAME="gitlab-runners-harbor-${BASE_DOMAIN}"
    export OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_TOML="image_pull_secrets = ['${OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_NAME}']"
    sed -i "s#\${OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_TOML}#$OPSTELLA_MANAGED_GITLAB_RUNNERS_IMAGEPULLSECRET_TOML#g" \
    $HOME/opstella-installation/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml

Extra Opstella-managed GitLab CI/CD Variables

Opstella manages certain pre-defined CI/CD Variables, and extra CI/CD Variables need to be created once you start using Opstella.

  • Mirrored Container Image Registry Path
    • On Harbor, you have set up a Proxy Cache Project for mirroring container images.
    • This CI/CD variable allows the mirrored path to be patched in at CI/CD runtime.
export MIRROR_REGISTRY_PATH="${HARBOR_DOMAIN}/mirror-"
cat $HOME/opstella-installation/assets/kubernetes-manifests/opstella-core-gitlab-variables.tpl.yaml \
| sed "s@\${MIRROR_REGISTRY_PATH}@$MIRROR_REGISTRY_PATH@g" \
> $HOME/opstella-installation/opstella-configs/opstella-core-gitlab-variables.yaml
  1. Connect to the 🟢 Management Kubernetes Cluster, i.e. with a Kubeconfig file

    Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

    source $HOME/opstella-installation/shell-values/kubernetes/management_cluster.vars.sh
    export KUBECONFIG="$HOME/opstella-installation/kubeconfigs/management_cluster.yaml"

    Ensure BASE_DOMAIN is defined as per the Shell Variables guide.

  2. Create a Kubernetes ConfigMap named opstella-core-gitlab-configs in the opstella-system Namespace

    kubectl create configmap opstella-core-gitlab-configs --namespace opstella-system \
    --from-file=gitlab-runner-template.yaml=$HOME/opstella-installation/opstella-configs/opstella-core-gitlab-runner.go.tpl.yaml \
    --from-file=variables.yaml=$HOME/opstella-installation/opstella-configs/opstella-core-gitlab-variables.yaml
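
A pre-flight check for the two rendered files before they are loaded into the ConfigMap, as an added example that is not part of Opstella or its installation assets. It flags placeholders the sed commands above failed to replace and confirms that neither credential value exported earlier ended up in a file destined for a ConfigMap. The function name check_rendered_template and its exit codes are assumptions made for this example; the placeholder and variable names are the ones used on this page.

```bash
# Added example: pre-flight check for a rendered Opstella config file.
# Returns 0 = clean, 1 = unreadable, 2 = leftover placeholder,
# 3 = a credential value is present in the file.
check_rendered_template() {
  local file name value rc
  file="$1"
  rc=0
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 1; }

  # Placeholders that the sed commands in this guide should have replaced.
  if grep -n -E '\$\{(OPSTELLA_MANAGED_GITLAB_RUNNERS_[A-Z0-9_]+|MIRROR_REGISTRY_PATH)\}' "$file" >&2; then
    echo "unsubstituted placeholder(s) in $file" >&2
    rc=2
  fi

  # ConfigMap data is not protected like a Secret, so the credential values
  # exported earlier must not appear in it. Match the value, never print it.
  for name in OPSTELLA_MANAGED_GITLAB_RUNNERS_S3_ACCESS_SECRET REGISTRY_PASSWORD; do
    eval "value=\${$name:-}"
    # Skip unset variables and the guide's CHANGEME placeholder.
    if [ -z "$value" ] || [ "$value" = "CHANGEME" ]; then
      continue
    fi
    if grep -q -F -e "$value" "$file"; then
      echo "value of $name found in $file" >&2
      rc=3
    fi
  done
  return "$rc"
}
```

Run it against each file under $HOME/opstella-installation/opstella-configs/ and create the ConfigMap only when it returns 0 for both.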

Finished?

Use the below navigation to proceed