GitLab/Gitlab Runner/Shared Runners

From Wikitech

Current Gitlab Runner setup (T287279)

We're currently relying on WMCS VPSs for shared runner capacity. There is a project named gitlab-runners in which to provision new instances, and a profile to help provision Docker-based runners on those instances. Note that a standalone puppetmaster in the same project stores the runner registration token under /etc/puppet/secret, and Puppet autosigning is turned off so that an unreviewed agent cannot obtain a signed certificate and with it the token value.

Setting up a new shared runner

To set up a new shared runner, follow these steps.

  1. Create a new WMCS VPS instance.
    1. Log in to https://horizon.wikimedia.org and navigate to the gitlab-runners project.
    2. Launch a new Debian bullseye instance, following the runner-{nnnn} naming convention.
    3. Choose the g3.cores8.ram24.disk20.ephemeral40.4xiops flavor.
  2. Wait until the new instance has fully provisioned and you can successfully ssh to the running instance using your authorized key and sudo as root. (This typically takes a few minutes.)
  3. Check if there is an existing profile::gitlab::runner::token on the standalone puppetmaster in /etc/puppet/secret/hieradata. If not, generate a new token and add it there.
  4. Fully configure the instance with the Docker volume, the runner profile and the project puppetmaster.
    1. Add the following to the instance's Hiera Config under the Puppet Configuration tab in horizon.
      profile::gitlab::runner::docker_volume: true
      puppetmaster: gitlab-runners-puppetmaster-01.gitlab-runners.eqiad1.wikimedia.cloud
      
    2. Add role::gitlab_runner to the instance's Puppet Classes under the Puppet Configuration tab.
  5. Do the little SSL dance that is required of instances that use a standalone puppetmaster.
    1. On the new runner (runner-{nnnn}.gitlab-runners.eqiad1.wikimedia.cloud).
      1. Run sudo rm -rf /var/lib/puppet/ssl to remove the existing SSL certs used by the default puppetmaster.
      2. Run sudo -i puppet agent --test --verbose --server gitlab-runners-puppetmaster-01.gitlab-runners.eqiad1.wikimedia.cloud to have the puppet client generate a new SSL cert.
    2. On gitlab-runners-puppetmaster-01.gitlab-runners.eqiad1.wikimedia.cloud sign the new instance's SSL cert.
      1. Run sudo -i puppet cert list and find the new instance in the list.
      2. Run sudo -i puppet cert sign runner-{nnnn}.gitlab-runners.eqiad1.wikimedia.cloud to sign the client cert.
  6. Run sudo -i puppet agent --test --verbose --server gitlab-runners-puppetmaster-01.gitlab-runners.eqiad1.wikimedia.cloud on the runner to ensure it has fully provisioned the role::gitlab_runner role.
  7. Verify that the runner has successfully registered with our GitLab instance by viewing the runner list.
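As an added example (not tooling from the Wikitech page or the gitlab-runners project), a small POSIX shell helper for the check in step 3: it reports whether profile::gitlab::runner::token is already set in a hieradata file and, if not, appends it while keeping the file readable by root only. The page names only the directory /etc/puppet/secret/hieradata, so the file name and the token value used here are assumptions.

```shell
#!/bin/sh
# Added example, not from the Wikitech page. Checks for the runner
# registration token in the standalone puppetmaster's private hieradata
# and adds it only when missing, keeping the secret file mode 0600.
# Assumption: the hieradata file path (the page names only the directory
# /etc/puppet/secret/hieradata) and the token value are placeholders.

TOKEN_KEY='profile::gitlab::runner::token'

# has_runner_token FILE -> 0 if the key is set to a non-empty value in FILE.
has_runner_token() {
    [ -f "$1" ] && grep -q "^${TOKEN_KEY}:[[:space:]]*[^[:space:]]" "$1"
}

# token_file_is_private FILE -> 0 if group and other have no permission bits.
token_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# ensure_runner_token FILE TOKEN
# Never overwrites an existing token (a rotated token would silently break
# already-registered runners); refuses empty or whitespace-containing values.
ensure_runner_token() {
    file=$1
    token=$2
    if has_runner_token "$file"; then
        echo "token already present in $file"
        return 0
    fi
    case $token in
        ''|*[[:space:]]*)
            echo "refusing empty or whitespace-containing token" >&2
            return 2 ;;
    esac
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        mkdir -p "$(dirname "$file")"
        printf '%s: %s\n' "$TOKEN_KEY" "$token" >> "$file"
        chmod 0600 "$file"
    )
    echo "added $TOKEN_KEY to $file"
}

# Usage (placeholder path and constructed token value):
# ensure_runner_token /etc/puppet/secret/hieradata/common.yaml 'PLACEHOLDER-TOKEN'
```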