feat: allow setting runners.docker.services. cattle-ops#489

Author: jonmcewen

examples/runner-default/README.md

@@ -8,7 +8,8 @@ This examples shows:
   - You can log into the instance via SSM (Session Manager).
   - Registration via GitLab token.
   - Auto scaling using `docker+machine` executor.
-  - Addtional security groups that are allowed access to the runner agent
+  - Additional security groups that are allowed access to the runner agent
+  - Use of `runners.docker.services` to configure docker registry mirror 
 
 ![runners-default](https://github.com/npalm/assets/raw/main/images/terraform-aws-gitlab-runner/runner-default.png)
 
@@ -41,47 +42,47 @@ No output.
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.7 |
-| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
-| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 3 |
+| Name                                                                      | Version |
+| ------------------------------------------------------------------------- | ------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1    |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws)                   | ~> 4.7  |
+| <a name="requirement_local"></a> [local](#requirement\_local)             | ~> 2    |
+| <a name="requirement_null"></a> [null](#requirement\_null)                | ~> 3.0  |
+| <a name="requirement_random"></a> [random](#requirement\_random)          | ~> 3.0  |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls)                   | ~> 3    |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.7 |
-| <a name="provider_null"></a> [null](#provider\_null) | ~> 3.0 |
+| Name                                                 | Version |
+| ---------------------------------------------------- | ------- |
+| <a name="provider_aws"></a> [aws](#provider\_aws)    | ~> 4.7  |
+| <a name="provider_null"></a> [null](#provider\_null) | ~> 3.0  |
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_runner"></a> [runner](#module\_runner) | ../../ | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 2.70 |
+| Name                                                   | Source                        | Version |
+| ------------------------------------------------------ | ----------------------------- | ------- |
+| <a name="module_runner"></a> [runner](#module\_runner) | ../../                        | n/a     |
+| <a name="module_vpc"></a> [vpc](#module\_vpc)          | terraform-aws-modules/vpc/aws | 2.70    |
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| [null_resource.cancel_spot_requests](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| Name                                                                                                                                  | Type        |
+| ------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
+| [null_resource.cancel_spot_requests](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource)           | resource    |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
-| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group)           | data source |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | `"eu-west-1"` | no |
-| <a name="input_environment"></a> [environment](#input\_environment) | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"runners-default"` | no |
-| <a name="input_gitlab_url"></a> [gitlab\_url](#input\_gitlab\_url) | URL of the gitlab instance to connect to. | `string` | `"https://gitlab.com"` | no |
-| <a name="input_registration_token"></a> [registration\_token](#input\_registration\_token) | n/a | `any` | n/a | yes |
-| <a name="input_runner_name"></a> [runner\_name](#input\_runner\_name) | Name of the runner, will be used in the runner config.toml | `string` | `"default-auto"` | no |
-| <a name="input_timezone"></a> [timezone](#input\_timezone) | Name of the timezone that the runner will be used in. | `string` | `"Europe/Amsterdam"` | no |
+| Name                                                                                       | Description                                                                  | Type     | Default                | Required |
+| ------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------- | -------- | ---------------------- | :------: |
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region)                         | AWS region.                                                                  | `string` | `"eu-west-1"`          |    no    |
+| <a name="input_environment"></a> [environment](#input\_environment)                        | A name that identifies the environment, will used as prefix and for tagging. | `string` | `"runners-default"`    |    no    |
+| <a name="input_gitlab_url"></a> [gitlab\_url](#input\_gitlab\_url)                         | URL of the gitlab instance to connect to.                                    | `string` | `"https://gitlab.com"` |    no    |
+| <a name="input_registration_token"></a> [registration\_token](#input\_registration\_token) | n/a                                                                          | `any`    | n/a                    |   yes    |
+| <a name="input_runner_name"></a> [runner\_name](#input\_runner\_name)                      | Name of the runner, will be used in the runner config.toml                   | `string` | `"default-auto"`       |    no    |
+| <a name="input_timezone"></a> [timezone](#input\_timezone)                                 | Name of the timezone that the runner will be used in.                        | `string` | `"Europe/Amsterdam"`   |    no    |
 
 ## Outputs
 

examples/runner-default/main.tf

@@ -94,6 +94,15 @@ module "runner" {
   EOT
 
   runners_post_build_script = "\"echo 'single line'\""
+
+  # Configure a docker service so that registry mirror is used in auto-devops jobs
+  # See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27171 and https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#the-service-in-the-gitlab-runner-configuration-file
+  runners_docker_services = [{
+    name       = "docker:20.10.16-dind"
+    alias      = "docker"
+    command    = ["--registry-mirror", "https://mirror.gcr.io"]
+    entrypoint = ["dockerd-entrypoint.sh"]
+  }]
 }
 
 resource "null_resource" "cancel_spot_requests" {

locals.tf

@@ -26,4 +26,9 @@ locals {
     runners_machine_autoscaling = var.runners_machine_autoscaling
     }
   )
+
+  runners_docker_services = templatefile("${path.module}/template/runners_docker_services.tpl", {
+    runners_docker_services = var.runners_docker_services
+    }
+  )
 }

main.tf

@@ -128,6 +128,7 @@ locals {
       runners_check_interval            = var.runners_check_interval
       runners_volumes_tmpfs             = join("\n", [for v in var.runners_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
       runners_services_volumes_tmpfs    = join("\n", [for v in var.runners_services_volumes_tmpfs : format("\"%s\" = \"%s\"", v.volume, v.options)])
+      runners_docker_services           = local.runners_docker_services
       bucket_name                       = local.bucket_name
       shared_cache                      = var.cache_shared
       sentry_dsn                        = var.sentry_dsn

template/runner-config.tpl

@@ -26,6 +26,7 @@ listen_address = "${prometheus_listen_address}"
     pull_policy = "${runners_pull_policy}"
     runtime = "${runners_docker_runtime}"
     helper_image = "${runners_helper_image}"
+    ${runners_docker_services}
   [runners.docker.tmpfs]
     ${runners_volumes_tmpfs}
   [runners.docker.services_tmpfs]

template/runners_docker_services.tpl

@@ -0,0 +1,7 @@
+%{ for config in runners_docker_services ~}
+[[runners.docker.services]]
+      name = "${config.name}"
+      alias = "${config.alias}"
+      entrypoint = [${replace(format("\"%s\"", join("\",\"", config.entrypoint)), "/\"{2,}/", "\"")}]
+      command = [${replace(format("\"%s\"", join("\",\"", config.command)), "/\"{2,}/", "\"")}]
+%{ endfor ~}

variables.tf

@@ -670,6 +670,16 @@ variable "runners_services_volumes_tmpfs" {
   default = []
 }
 
+variable "runners_docker_services" {
+  type = list(object({
+    name       = string
+    alias      = string
+    entrypoint = list(string)
+    command    = list(string)
+  }))
+  default = []
+}
+
 variable "kms_key_id" {
   description = "KMS key id to encrypted the CloudWatch logs. Ensure CloudWatch has access to the provided KMS key."
   type        = string