manage entire config.toml

[KlavsKlavsen]

for some reason I've hit a docker issue with DNS lookups.. so I need to add:
extra_hosts = ["mygiturl:mygithostip"] - to config.toml - under runners.docker.

The module does not support this currently.. and does not handle if config.toml file is missing :(

I'd also like to set priviledged to true.

(issue migrated from voxpupuli/puppet-gitlab#121 )

[LongLiveCHIEF]

Thanks for re-opening. I know it can be a pain, but when it's feasible, i prefer the original authorship of the issue to be retained.

[baurmatt]

I was about to implement this when I discovered the suboptimal registering process of Gitlab runners...

1. Get a registration token from your Gitlab instance
2. Call the gitlab-runner binary with the register argument
3. The gitlab-runner binary will go to your Gitlab instance and register the Runner. By this it will get a runner token from Gitlab which gets then placed in the config file.

As we can never really know the runner token when configuring it in Puppet, we need to do the registration process ourself as explained in https://gitlab.com/gitlab-org/gitlab-runner/issues/985#note_3175185

[KlavsKlavsen]

@baurmatt we COULD have a fact that pulls the token from what the current sets up in config.. and then WHEN we have something in that fact.. trigger a rewrite of the config toml file ?

[baurmatt]

I don't like to abuse facts for this especially since Puppet runs aren't idempotent anymore.

I think we should go with the self registration of the runner --> https://docs.gitlab.com/ee/api/runners.html#register-a-new-runner

I see two options here:

• Doing the registration process on the Puppetmaster

  • Pro:
    • Only a Puppet function is required - easier to implement
  • Contra:
    • The Puppetmaster needs to have access to Gitlab

• Doing the registration process on the Gitlab Runner server

  • Pro:
    • The Puppetmaster doesn't need access Gitlab
    • With Puppet 6 we could implement this as a Deferred function as well
  • Contra:
    • As we probably can't make this module Puppet 6 only, we need to implement this in a type/provider.

[KlavsKlavsen]

As we probably can't make this module Puppet 6 only, we need to implement this in a type/provider.

It could be an optional feature - that happens to depend on puppet6 (if that can be done cleanly)

Deferred values are cleaner - but not much different from using a fact for the task (and they are from puppet 5.6.. )

[baurmatt]

Hmm thought about this over lunch... This isn't going to work as the function/type would register a new runner on every run :(

[Dan33l]

If more people show interest to get this issue solved, we will got a path:
https://gitlab.com/gitlab-org/gitlab-runner/issues/3022

Please consider to add comment there.

[baurmatt]

@Dan33l as we're a paying customer of Gitlab Enterprise, I've directly contacted the official support channel. Perhaps this draw's some attention on this issue :)

[baurmatt]

Looks like this isn't going to happen. How about this: We're dropping the support of register/unregister a runner but expect people to give gitlab_ci_runner::runner a already valid runner token.

We could provide a simple script (Bolt task?) which does the registration/unregistration in the first place.

This would allow us to drop the exec foo in gitlab_ci_runner::runner and would make it possible to manage the whole config.toml.

Looking forward to your opinions! :)

[baurmatt]

I've completely refactored gitlab_ci_runner::runner to welcome it in a world where we don't have Puppet 3 anymore. But it still uses exec's to (un)register the runner.

I've also added Bolt tasks in #73 because however we decide, I think they're good to have.

Now its your turn: Please decide if you think it is ok to drop the (un)registration from gitlab_ci_runner::runner to allow us the complete management of config.toml or if you prefer to keep it as it is.

[baurmatt]

I've build this in #75. Take a look and tell me what you think! :)

[KlavsKlavsen]

I love this solution.. very cool using the defined params in puppets class, and just convert directly to toml for the file.. no template actually needed :)
It does mean we should probably extend the runners part from a Hash to an actual list of supported params by https://docs.gitlab.com/runner/configuration/advanced-configuration.html - but current addition is no worse than what currently exists.. I'm hoping @LongLiveCHIEF also likes it :)

[baurmatt]

@KlavsKlavsen Absolutely, I already have some of the data types laying around but they're HUGE. So I thought it's easier to review in an additional pull request.

[baurmatt]

Sooo, after some testing I've realized that, at least in our environment, registering a runner is often crucial and shouldn't be an extra Bolt task.

After playing around with it for some time, it turns out that the best option is to use a Deferred function. Due to this being a Puppet 6 only functionality, there will like be no support for automatically registering runners on Puppet 5 (everything below is already EOL). Users requiring Puppet 5 and auto-registration would need to stay on a version which included the current exec approach.

But this gives us the ability to full support auto registration and full config management. I'm not yet fully satisfied with the code, but if you want to take a look go over here --> https://github.com/syseleven/puppet-gitlab_ci_runner/tree/move-to-concat-deferred

High level overview how it works:

• The module generates a concat file containing the global config and runner specific config
• The config is rendered with the help of a to_toml function
• If the runner config includes a registration-token key, it gets converted to token key which has a Deferrred function as its value. This function will call the Gitlab server, request the auth token and write it to disk (e.g. /etc/gitlab-runner/auth-token-testrunner) where it can be read on every subsequent Puppet run.
• As the final value of the token key gets now determined only on the Agent run, we need to delay the config generation until then hence the to_toml function needs to be a Deferred function as well.

Only problem with this is, that the to_toml function requires the toml-rb gem to be available on the Agent before the Deferred function gets called. As Deferred functions are currently evaluated before anything is applied, there is basically no good way to install the toml-rb gem before the function uses it. I'm currently considering to include a TOML dumper functionality directly in the module to work around this problem.

I will polish that branch over the next weeks and submit a PR after my current PRs are reviewed - don't want to overload the PR queue :)

[alexjfisher]

@baurmatt Sorry your PR didn't get the attention it deserved at the time. Are you interested in reviving this work now that we can drop support for Puppet 5 if we want?

[baurmatt]

@alexjfisher I would absolutely be interested in getting #75 merged! If you're up to reviewing the PR, I'm happy to rebase it and solve all merge conflicts. As I'm currently not working very much with Puppet anymore, I need to find some time to get back into the code again.

[alexjfisher]

I'm also thinking I need autoregistration and full management of the config file. Which branch of yours am I best looking at?

move-to-concat-deferred or clean-move-to-concat-deferred?

Only problem with this is, that the to_toml function requires the toml-rb gem to be available on the Agent before the Deferred function gets called. As Deferred functions are currently evaluated before anything is applied, there is basically no good way to install the toml-rb gem before the function uses it. I'm currently considering to include a TOML dumper functionality directly in the module to work around this problem.

Maybe just a toml-rb-gem-version fact or similar would be ok for this? (Even if it does then take 2 puppet runs)

[alexjfisher]

I'm liking your clean-move-to-concat-deferred branch. Seems to work well. In my environment, I had to hack it to get it to register via an http proxy, but I think to keep it small (or at least not make the change any bigger!), I could submit proxy support changes in a separate PR.

(FWIW, in the current module version, I could hack proxy support during registration in my profile)

# outrageous hack to get runner registration to use proxy
Exec <| title == 'Register_runner_testrpms' |> {
  environment => [
    "HTTPS_PROXY=http://${proxy_host}:${proxy_port}",
    "https_proxy=http://${proxy_host}:${proxy_port}",
  ],
}

What are your thoughts? Would you like to rebase and put up a new PR based on this branch? Now that Puppet 5 is EOL and we've already dropped support for it in many modules, feel free to rip out any compatibility code if you think that makes things simpler.

[baurmatt]

Uff, wow this is really a mess :( Sorry about that! We're currently using the branch move-to-concat-deferred, to be more specific the commit 22ef708204212488b003689bef7fd5cb8434b531.

I could successfully rebase #75 and was also able to fix some unrelated CI issues in #103. Please review and merge #103 first.