cattle-ops · npalm · Dec 11, 2022 · May 20, 2022 · May 20, 2022 · May 20, 2022
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,7 +6,6 @@ repos:
         args:
           - --args=-recursive
       - id: terraform_tflint
-      - id: terraform_docs
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.2.0
     hooks:

diff --git a/README.md b/README.md
@@ -8,7 +8,8 @@ This examples shows:
   - You can log into the instance via SSM (Session Manager).
   - Registration via GitLab token.
   - Auto scaling using `docker+machine` executor.
-  - Addtional security groups that are allowed access to the runner agent
+  - Additional security groups that are allowed access to the runner agent
+  - Use of `runners.docker.services` to configure docker registry mirror (commented out - uncomment to apply)
 
 ![runners-default](https://github.com/npalm/assets/raw/main/images/terraform-aws-gitlab-runner/runner-default.png)
 
@@ -41,47 +42,47 @@ No output.
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.7 |
-| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
-| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 3 |
+| Name                                                                      | Version |
+| ------------------------------------------------------------------------- | ------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1    |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | ~> 4.7  |
+| <a name="requirement_local"></a> [local](#requirement\_local)             | ~> 2    |
+| <a name="requirement_null"></a> [null](#requirement\_null)                | ~> 3.0  |
+| <a name="requirement_random"></a> [random](#requirement\_random)          | ~> 3.0  |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls)                   | ~> 3    |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.7 |
-| <a name="provider_null"></a> [null](#provider\_null) | ~> 3.0 |
+| Name                                                 | Version |
+| ---------------------------------------------------- | ------- |
+| <a name="provider_aws"></a> [aws](#provider\_aws)    | ~> 4.7  |
+| <a name="provider_null"></a> [null](#provider\_null) | ~> 3.0  |
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_runner"></a> [runner](#module\_runner) | ../../ | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 2.70 |
+| Name                                                   | Source                        | Version |
+| ------------------------------------------------------ | ----------------------------- | ------- |
+| <a name="module_runner"></a> [runner](#module\_runner) | ../../                        | n/a     |
+| <a name="module_vpc"></a> [vpc](#module\_vpc)          | terraform-aws-modules/vpc/aws | 2.70    |
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [null_resource.cancel_spot_requests](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| Name                                                                                                                                  | Type        |
+| ------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| [null_resource.cancel_spot_requests](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource)           | resource    |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
-| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group)           | data source |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | `"eu-west-1"` | no |
-| <a name="input_environment"></a> [environment](#input\_environment) | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"runners-default"` | no |
-| <a name="input_gitlab_url"></a> [gitlab\_url](#input\_gitlab\_url) | URL of the gitlab instance to connect to. | `string` | `"https://gitlab.com"` | no |
-| <a name="input_registration_token"></a> [registration\_token](#input\_registration\_token) | n/a | `any` | n/a | yes |
-| <a name="input_runner_name"></a> [runner\_name](#input\_runner\_name) | Name of the runner, will be used in the runner config.toml | `string` | `"default-auto"` | no |
-| <a name="input_timezone"></a> [timezone](#input\_timezone) | Name of the timezone that the runner will be used in. | `string` | `"Europe/Amsterdam"` | no |
+| Name                                                                                       | Description                                                                  | Type     | Default                | Required |
+| ------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------- | -------- | ---------------------- | :------: |
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region)                         | AWS region.                                                                  | `string` | `"eu-west-1"`          |    no    |
+| <a name="input_environment"></a> [environment](#input\_environment)                        | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"runners-default"`    |    no    |
+| <a name="input_gitlab_url"></a> [gitlab\_url](#input\_gitlab\_url)                         | URL of the gitlab instance to connect to.                                    | `string` | `"https://gitlab.com"` |    no    |
+| <a name="input_registration_token"></a> [registration\_token](#input\_registration\_token) | n/a                                                                          | `any`    | n/a                    |   yes    |
+| <a name="input_runner_name"></a> [runner\_name](#input\_runner\_name)                      | Name of the runner, will be used in the runner config.toml                   | `string` | `"default-auto"`       |    no    |
+| <a name="input_timezone"></a> [timezone](#input\_timezone)                                 | Name of the timezone that the runner will be used in.                        | `string` | `"Europe/Amsterdam"`   |    no    |
 
 ## Outputs
 

diff --git a/examples/runner-default/jon.tfvars b/examples/runner-default/jon.tfvars
@@ -0,0 +1 @@
+registration_token = "GR1348941EEPc63Lgud5D3DReD4nM"
@@ -94,6 +94,37 @@ module "runner" {
   EOT
 
   runners_post_build_script = "\"echo 'single line'\""
+
+  # Uncomment the HCL code below to configure a docker service so that registry mirror is used in auto-devops jobs
+  # See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27171 and https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#the-service-in-the-gitlab-runner-configuration-file
+  # You can check this works with a CI job like:
+  # <pre>
+  # default:
+  #    tags:
+  #        - "docker_spot_runner"
+  # docker-mirror-check:
+  #    image: docker:20.10.16
+  #    stage: build
+  #    variables: 
+  #        DOCKER_TLS_CERTDIR: ''
+  #    script:
+  #        - |
+  #        - docker info
+  #          if ! docker info | grep -i mirror
+  #            then
+  #              exit 1
+  #              echo "No mirror config found"
+  #          fi
+  # </pre>
+  #
+  # If not using an official docker image for your job, you may need to specify `DOCKER_HOST: tcp://docker:2375`
+  ## UNCOMMENT 6 LINES BELOW
+  # runners_docker_services = [{
+  #   name       = "docker:20.10.16-dind"
+  #   alias      = "docker"
+  #   command    = ["--registry-mirror", "https://mirror.gcr.io"]
+  #   entrypoint = ["dockerd-entrypoint.sh"]
+  # }]
 }
 
 resource "null_resource" "cancel_spot_requests" {

@@ -26,4 +26,9 @@ locals {
     runners_machine_autoscaling = var.runners_machine_autoscaling
     }
   )
+
+  runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tpl", {
+    runners_docker_services = var.runners_docker_services
+    }
+  )
 }
@@ -128,6 +128,7 @@ locals {
       runners_check_interval            = var.runners_check_interval
       runners_volumes_tmpfs             = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
       runners_services_volumes_tmpfs    = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
+      runners_docker_services           = local.runners_docker_services
       bucket_name                       = local.bucket_name
       shared_cache                      = var.cache_shared
       sentry_dsn                        = var.sentry_dsn

diff --git a/template/eip.tpl b/template/eip.tpl
@@ -6,5 +6,5 @@ python3 get-pip.py --user
 export PATH=~/.local/bin:$PATH
 
 pip install aws-ec2-assign-elastic-ip
-export AWS_DEFAULT_REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}')
+export AWS_DEFAULT_REGION=$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}')
 /usr/local/bin/aws-ec2-assign-elastic-ip --valid-ips ${eip}
diff --git a/template/logging.tpl b/template/logging.tpl
@@ -33,11 +33,11 @@ initial_position = start_of_file
 EOF
 
 # Set the region to send CloudWatch Logs data to (the region where the instance is located)
-region=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
+region=$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
 sed -i -e "s/region = us-east-1/region = $region/g" /etc/awslogs/awscli.conf
 
 # Replace instance id.
-instanceId=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r .instanceId)
+instanceId=$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .instanceId)
 sed -i -e "s/{instanceId}/$instanceId/g" /etc/awslogs/awslogs.conf
 
 if grep -q ':2$' /etc/system-release-cpe  ; then

@@ -26,6 +26,7 @@ listen_address = "${prometheus_listen_address}"
     pull_policy = "${runners_pull_policy}"
     runtime = "${runners_docker_runtime}"
     helper_image = "${runners_helper_image}"
+    ${runners_docker_services}
   [runners.docker.tmpfs]
     ${runners_volumes_tmpfs}
   [runners.docker.services_tmpfs]

@@ -0,0 +1,7 @@
+%{ for config in runners_docker_services ~}
+[[runners.docker.services]]
+      name = "${config.name}"
+      alias = "${config.alias}"
+      entrypoint = [${replace(format("\"%s\"", join("\",\"", config.entrypoint)), "/\"{2,}/", "\"")}]
+      command = [${replace(format("\"%s\"", join("\",\"", config.command)), "/\"{2,}/", "\"")}]
+%{ endfor ~}
diff --git a/template/user-data.tpl b/template/user-data.tpl
@@ -10,6 +10,8 @@ tee /etc/hosts <<EOL
 127.0.0.1   localhost localhost.localdomain $(hostname)
 EOL
 
+token=$(curl -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
+
 ${eip}
 
 for i in {1..7}; do

@@ -670,6 +670,17 @@ variable "runners_services_volumes_tmpfs" {
   default = []
 }
 
+variable "runners_docker_services" {
+  description = "adds `runners.docker.services` blocks to config.toml.  All fields must be set (examine the Dockerfile of the service image for the entrypoint - see ./examples/runner-default/main.tf)"
+  type = list(object({
+    name       = string
+    alias      = string
+    entrypoint = list(string)
+    command    = list(string)
+  }))
+  default = []
+}
+
 variable "kms_key_id" {
   description = "KMS key id to encrypted the CloudWatch logs. Ensure CloudWatch has access to the provided KMS key."
   type        = string
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		registration_token = "GR1348941EEPc63Lgud5D3DReD4nM"
jonmcewen marked this conversation as resolved. Show resolved Hide resolved
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,8 @@ tee /etc/hosts <<EOL @@
 .0.0.1   localhost localhost.localdomain $(hostname)
     EOL
+    token=$(curl -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
     ${eip}
     for i in {1..7}; do
@@ Expand Down @@