gitlab-runner helm

No introduction found. Create it?

Install

Install with:

helm repo add gitlab https://charts.gitlab.io/
helm install gitlab-runner gitlab/gitlab-runner -f values.yaml

Examples

See examples from other people.

Top Repositories (1 out of 6)

NameRepoStarsVersionTimestamp
gitlab-runnerpascaliske/infrastructure720.89.02 hours ago

Values

See the most popular values for this chart:

KeyTypes
gitlabUrl (6)
https://gitlab.${SECRET_DOMAIN}
string
rbac.create (5)
true
boolean
rbac.clusterWideAccess (1)
false
boolean
rbac.rules[].apiGroups[] (1)
-
-
-
-
-
-
string
rbac.rules[].resources[] (1)
- pods
- pods/exec
- pods/attach
- pods/log
- secrets
- configmaps
- events
- serviceaccounts
- services
string
rbac.rules[].verbs[] (1)
- get
- list
- watch
- create
- update
- patch
- delete
- get
- list
- get
- list
- watch
- create
- update
- patch
- delete
- list
- watch
- get
- get
- create
string
concurrent (3)
4
number
runnerRegistrationToken (3)

string
runners.config (3)
[[runners]] executor = "kubernetes" # Avoid long-polling request bottleneck (chart logs WARNING when =1). request_concurrency = 4 cache_dir = "/cache" [runners.cache] Type = "s3" Path = "gitlab-runner" Shared = true [runners.cache.s3] ServerAddress = "rook-ceph-rgw-gitlab-rgw.rook-ceph.svc:80" BucketName = "gitlab-runner-cache" BucketLocation = "us-east-1" Insecure = true # FF_* flags keep Kubernetes executor behavior safer and more # diagnosable: entrypoint parity, pod event logging, token-free Git # URLs, stricter Bash exit handling, script log sections, failed-cache # cleanup, and predictable TLS-chain behavior. # DOCKER_CONFIG: defense-in-depth default for Kaniko/Buildah jobs. # The build pod runs as uid 1000 (PSS=restricted), but the kaniko # image's /kaniko directory is root-owned 0755 — so writing Docker # auth to the default /kaniko/.docker/config.json fails with # `Permission denied` in step_script. /tmp is mounted as a # writable emptyDir on every build pod, and kaniko's executor # honors $DOCKER_CONFIG ahead of its /kaniko/.docker default. environment = [ "FF_USE_FASTZIP=true", "DOCKER_CONFIG=/tmp/.docker", "FF_KUBERNETES_HONOR_ENTRYPOINT=true", "FF_PRINT_POD_EVENTS=true", "FF_GIT_URLS_WITHOUT_TOKENS=true", "FF_ENABLE_BASH_EXIT_CODE_CHECK=true", "FF_USE_NEW_BASH_EVAL_STRATEGY=true", "FF_SCRIPT_SECTIONS=true", "FF_CLEAN_UP_FAILED_CACHE_EXTRACT=true", "FF_RESOLVE_FULL_TLS_CHAIN=false", ] [runners.kubernetes] namespace = "gitlab-runner" image = "docker.io/library/alpine:3.20" helper_image = "" # The default (alpine) helper image has no /etc/passwd entry for # uid 1000, so glibc's getpwuid(1000) returns NULL and git's # global-config lookup falls back to HOME='/'. Git then tries to # lock '//.gitconfig', which fails with EACCES (or EROFS, depending # on whether helper rootfs is read-only). The ubuntu-flavored # helper image ships an `ubuntu:x:1000:1000:Ubuntu:/home/ubuntu` # entry with /home/ubuntu pre-created (mode 0750, owner 1000:1000), # giving uid 1000 a real, writable HOME. helper_image_flavor = "ubuntu" privileged = false poll_interval = 5 poll_timeout = 600 pod_termination_grace_period_seconds = 30 cleanup_resources_timeout = "10m" print_pod_warning_events = true service_account = "gitlab-runner" allow_privilege_escalation = false [runners.kubernetes.pod_security_context] run_as_non_root = true run_as_user = 1000 fs_group = 1000 [runners.kubernetes.pod_security_context.seccomp_profile] type = "RuntimeDefault" [runners.kubernetes.build_container_security_context] allow_privilege_escalation = false read_only_root_filesystem = false run_as_non_root = true [runners.kubernetes.build_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.build_container_security_context.seccomp_profile] type = "RuntimeDefault" [runners.kubernetes.helper_container_security_context] allow_privilege_escalation = false # The helper container runs `git` which writes ~/.gitconfig. # Under PSS run_as_non_root the runtime UID has no /etc/passwd # entry, so HOME resolves to "/", which fails with ROFS. read_only_root_filesystem = false run_as_non_root = true [runners.kubernetes.helper_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.helper_container_security_context.seccomp_profile] type = "RuntimeDefault" # Auto-injected svc-* service containers (e.g. Redis, Postgres # declared via `services:` in .gitlab-ci.yml) inherit no security # context by default, violating the namespace's restricted PSS. # Mirror build/helper hardening; keep read_only_root_filesystem # false because service images typically need writable roots. [runners.kubernetes.service_container_security_context] allow_privilege_escalation = false read_only_root_filesystem = false run_as_non_root = true [runners.kubernetes.service_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.service_container_security_context.seccomp_profile] type = "RuntimeDefault" # The auto-injected init-permissions container only drops NET_RAW by # default, which violates the namespace's restricted PSS. Mirror the # helper container's hardened context so build pods are admitted. [runners.kubernetes.init_permissions_container_security_context] allow_privilege_escalation = false read_only_root_filesystem = true run_as_non_root = true [runners.kubernetes.init_permissions_container_security_context.capabilities] drop = ["ALL"] [runners.kubernetes.init_permissions_container_security_context.seccomp_profile] type = "RuntimeDefault" [[runners.kubernetes.volumes.empty_dir]] name = "build-tmp" mount_path = "/builds" medium = "" mount_propagation = "None" [[runners.kubernetes.volumes.empty_dir]] name = "tmp" mount_path = "/tmp" medium = "" mount_propagation = "None" [[runners.kubernetes.volumes.empty_dir]] name = "cache" mount_path = "/cache" medium = "" mount_propagation = "None" [[runners.kubernetes.volumes.secret]] name = "buildkit-client-certs" mount_path = "/certs" read_only = true
string
runners.secret (3)
gitlab-runner-secret
string
runners.cache_dir (1)
cache
string
runners.cache.secretName (1)
gitlab-runner-cache-credentials
string
runners.env.DOCKER_HOST (1)
tcp://docker:2375
string
runners.env.DOCKER_TLS_CERTDIR (1)

string
runners.executor (1)
kubernetes
string
runners.imagePullPolicy (1)
if-not-present
string
runners.name (1)
BB-8
string
runners.namespace (1)
default
string
runners.privileged (1)
true
boolean
imagePullSecrets[].name (2)
gitlab-registry-auth
string
logLevel (2)
info
string
metrics.enabled (2)
true
boolean
metrics.serviceMonitor.enabled (2)
true
boolean
replicas (2)
1
number
resources.limits.memory (2)
256Mi
string
resources.limits.cpu (1)
200m
string
resources.requests.cpu (2)
50m
string
resources.requests.memory (2)
128Mi
string
runnerToken (2)

string
service.enabled (2)
true
boolean
unregisterRunners (2)
true
boolean
checkInterval (1)
3
number
extraEnv.HOME (1)
/home/gitlab-runner
string
fullnameOverride (1)
gitlab-runner
string
imagePullPolicy (1)
IfNotPresent
string
logFormat (1)
json
string
podAnnotations."reloader.stakater.com/auto" (1)
true
string
podAnnotations."reloader.stakater.com/search" (1)
true
string
podSecurityContext.fsGroup (1)
1000
number
podSecurityContext.fsGroupChangePolicy (1)
OnRootMismatch
string
podSecurityContext.runAsNonRoot (1)
true
boolean
podSecurityContext.runAsUser (1)
1000
number
secrets[].name (1)
gitlab-runner-token
string
securityContext.allowPrivilegeEscalation (1)
false
boolean
securityContext.capabilities.drop[] (1)
- ALL
string
securityContext.readOnlyRootFilesystem (1)
true
boolean
securityContext.runAsNonRoot (1)
true
boolean
securityContext.seccompProfile.type (1)
RuntimeDefault
string
sentryDsn (1)
${SENTRY_DSN_LEGACY}
string
serviceAccount.create (1)
true
boolean
serviceAccount.imagePullSecrets[] (1)
- gitlab-registry-auth
string
serviceAccount.name (1)
gitlab-runner
string
volumeMounts[].mountPath (1)
/tmp
string
volumeMounts[].name (1)
tmp
string
volumes[].name (1)
tmp
string