gitlab-runner helm

No introduction found. Create it?

Install

Install with:

helm repo add gitlab https://charts.gitlab.io/
helm install gitlab-runner gitlab/gitlab-runner -f values.yaml

Examples

See examples from other people.

Top Repositories (1 out of 6)

NameRepoStarsVersionTimestamp
gitlab-runnerpascaliske/infrastructure730.90.17 days ago

Values

See the most popular values for this chart:

KeyTypes
gitlabUrl (6)
https://gitlab.${SECRET_DOMAIN}
string
boolean
boolean
string
rbac.rules[].resources[] (1)
- pods
- pods/exec
- pods/attach
- pods/log
- secrets
- configmaps
- events
- serviceaccounts
- services
string
rbac.rules[].verbs[] (1)
- get
- list
- watch
- create
- update
- patch
- delete
- get
- list
- get
- list
- watch
- create
- update
- patch
- delete
- list
- watch
- get
- get
- create
string
number
string
runners.config (3)
[[runners]] executor = "kubernetes" # Keep job intake single-file so disk-heavy CI cannot pile onto the # same NVMe/OSD and amplify Ceph/etcd latency or SMART temperature. limit = 1 request_concurrency = 1 cache_dir = "/cache" [runners.cache] Type = "s3" Path = "gitlab-runner" Shared = true [runners.cache.s3] ServerAddress = "rook-ceph-rgw-gitlab-rgw.rook-ceph.svc:80" BucketName = "gitlab-runner-cache" BucketLocation = "us-east-1" Insecure = true # FF_* flags keep Kubernetes executor behavior safer and more # diagnosable: entrypoint parity, pod event logging, token-free Git # URLs, stricter Bash exit handling, script log sections, failed-cache # cleanup, and predictable TLS-chain behavior. # DOCKER_CONFIG: defense-in-depth default for Kaniko/Buildah jobs. # The build pod runs as uid 1000 (PSS=restricted), but the kaniko # image's /kaniko directory is root-owned 0755 — so writing Docker # auth to the default /kaniko/.docker/config.json fails with # `Permission denied` in step_script. /tmp is mounted as a # writable emptyDir on every build pod, and kaniko's executor # honors $DOCKER_CONFIG ahead of its /kaniko/.docker default. environment = [ "FF_USE_FASTZIP=true", "DOCKER_CONFIG=/tmp/.docker", "FF_KUBERNETES_HONOR_ENTRYPOINT=true", "FF_PRINT_POD_EVENTS=true", "FF_GIT_URLS_WITHOUT_TOKENS=true", "FF_ENABLE_BASH_EXIT_CODE_CHECK=true", "FF_USE_NEW_BASH_EVAL_STRATEGY=true", "FF_SCRIPT_SECTIONS=true", "FF_CLEAN_UP_FAILED_CACHE_EXTRACT=true", "FF_RESOLVE_FULL_TLS_CHAIN=false", ] [runners.kubernetes] namespace = "gitlab-runner" image = "docker.io/library/alpine:3.20" helper_image = "" helper_image_flavor = "ubuntu" # CI job images own their package database and often need root for # setup (`apk add`, apt, cargo toolchain installs). Namespace PSA is # baseline, and PolicyReports suppress this known CI surface only. # Runner-set contexts below keep no-priv-esc + dropped caps. privileged = false poll_interval = 5 poll_timeout = 600 pod_termination_grace_period_seconds = 30 cleanup_resources_timeout = "10m" # Cap job pods so bursty compile jobs cannot saturate the same # NVMe backing Ceph + etcd. Scheduler also gets real requests # instead of placing unbounded build/helper containers blind. cpu_request = "500m" cpu_limit = "1500m" memory_request = "1Gi" memory_limit = "4Gi" ephemeral_storage_request = "2Gi" ephemeral_storage_limit = "10Gi" helper_cpu_request = "50m" helper_cpu_limit = "250m" helper_memory_request = "128Mi" helper_memory_limit = "512Mi" helper_ephemeral_storage_request = "256Mi" helper_ephemeral_storage_limit = "1Gi" print_pod_warning_events = true service_account = "gitlab-runner" allow_privilege_escalation = false [runners.kubernetes.affinity] [runners.kubernetes.affinity.node_affinity] [runners.kubernetes.affinity.node_affinity.required_during_scheduling_ignored_during_execution] [[runners.kubernetes.affinity.node_affinity.required_during_scheduling_ignored_during_execution.node_selector_terms]] [[runners.kubernetes.affinity.node_affinity.required_during_scheduling_ignored_during_execution.node_selector_terms.match_expressions]] key = "kubernetes.io/hostname" operator = "NotIn" values = ["k8s-ghost"] [runners.kubernetes.pod_security_context] fs_group = 1000 [runners.kubernetes.pod_security_context.seccomp_profile] type = "RuntimeDefault" [runners.kubernetes.build_container_security_context] allow_privilege_escalation = false read_only_root_filesystem = false [runners.kubernetes.build_container_security_context.seccomp_profile] type = "RuntimeDefault" [runners.kubernetes.helper_container_security_context] allow_privilege_escalation = false read_only_root_filesystem = false [runners.kubernetes.helper_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.helper_container_security_context.seccomp_profile] type = "RuntimeDefault" # Auto-injected svc-* service containers (e.g. Redis, Postgres # declared via `services:` in .gitlab-ci.yml) are job-owned images # like the build container, so don't force a UID; baseline PSA lets # them start while caps/no-priv-esc still apply. [runners.kubernetes.service_container_security_context] allow_privilege_escalation = false read_only_root_filesystem = false [runners.kubernetes.service_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.service_container_security_context.seccomp_profile] type = "RuntimeDefault" # init-permissions defaults root; pin a non-root UID so kubelet admits it. [runners.kubernetes.init_permissions_container_security_context] allow_privilege_escalation = false read_only_root_filesystem = true run_as_non_root = true run_as_user = 1000 [runners.kubernetes.init_permissions_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.init_permissions_container_security_context.seccomp_profile] type = "RuntimeDefault" [[runners.kubernetes.volumes.empty_dir]] name = "build-tmp" mount_path = "/builds" medium = "" mount_propagation = "None" [[runners.kubernetes.volumes.empty_dir]] name = "tmp" mount_path = "/tmp" medium = "" mount_propagation = "None" [[runners.kubernetes.volumes.empty_dir]] name = "cache" mount_path = "/cache" medium = "" mount_propagation = "None" [[runners.kubernetes.volumes.secret]] name = "buildkit-client-certs" mount_path = "/certs" read_only = true
string
runners.secret (3)
gitlab-runner-secret
string
string
runners.cache.secretName (1)
gitlab-runner-cache-credentials
string
string
string
string
string
string
string
boolean
imagePullSecrets[].name (2)
gitlab-registry-auth
string
string
boolean
boolean
number
string
string
string
string
string
boolean
boolean
number
extraEnv.HOME (1)
/home/gitlab-runner
string
string
string
string
string
string
number
string
boolean
number
secrets[].name (1)
gitlab-runner-token
string
boolean
string
boolean
boolean
string
sentryDsn (1)
${SENTRY_DSN_LEGACY}
string
boolean
string
string
number
number
strategy.type (1)
RollingUpdate
string
string
string
string