Integrate gitlab_runner role into hifis toolkit

Author: tobiashuste

.github/labeler.yml

@@ -10,6 +10,12 @@ keepalived:
           - "roles/keepalived/**"
           - "molecule/keepalived/**"
           - ".github/workflows/keepalived.yml"
+gitlab_runner:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "roles/gitlab_runner/**"
+          - "molecule/gitlab_runner/**"
+          - ".github/workflows/gitlab_runner.yml"
 ssh_keys:
   - changed-files:
       - any-glob-to-any-file:

.github/workflows/gitlab_runner.yml

@@ -0,0 +1,74 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: "hifis.toolkit.gitlab_runner"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/gitlab_runner.yml'
+      - 'roles/gitlab_runner/**'
+      - 'molecule/gitlab_runner/**'
+      - 'Pipfile'
+      - 'Pipfile.lock'
+  push:
+    branches:
+      - "main"
+    tags:
+      - "v*.*.*"
+    paths:
+      - '.github/workflows/gitlab_runner.yml'
+      - 'roles/gitlab_runner/**'
+      - 'molecule/gitlab_runner/**'
+      - 'Pipfile'
+      - 'Pipfile.lock'
+  schedule:
+    - cron: "0 0 * * *"
+env:
+  PY_COLORS: 1
+  ANSIBLE_FORCE_COLOR: 1
+
+jobs:
+
+  test:
+    name: Run Molecule tests.
+    runs-on: ubuntu-24.04
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - "ghcr.io/hifis-net/ubuntu-systemd:20.04"
+          - "ghcr.io/hifis-net/ubuntu-systemd:22.04"
+          - "ghcr.io/hifis-net/ubuntu-systemd:24.04"
+          - "ghcr.io/hifis-net/debian-systemd:10"
+          - "ghcr.io/hifis-net/debian-systemd:11"
+          - "ghcr.io/hifis-net/debian-systemd:12"
+
+    steps:
+      - name: "Check out the codebase."
+        uses: "actions/checkout@v4"
+        with:
+          path: "ansible_collections/hifis/toolkit"
+
+      - name: "Prepare the job environment."
+        uses: "./ansible_collections/hifis/toolkit/.github/workflows/prepare-action"
+
+      # https://github.com/ansible/molecule/issues/3806
+      - name: "Help molecule to find the dependencies"
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-collection-toolkit/ansible-collection-toolkit/ansible_collections/hifis/toolkit/roles \
+            /home/runner/.ansible/roles
+
+      - name: "Run Molecule tests."
+        run: "pipenv run molecule test -s gitlab_runner"
+        env:
+          MOLECULE_IMAGE: "${{ matrix.image }}"
+          AUTHENTICATION_TOKEN: ${{ secrets.authentication_token }}
+        working-directory: "ansible_collections/hifis/toolkit"

.github/workflows/prepare-action/action.yml

@@ -17,7 +17,7 @@ runs:
       uses: "actions/setup-python@v5"
       id: "setup-python"
       with:
-        python-version: "3.10"
+        python-version: "3.12"
         cache: "pipenv"
 
     - name: "Install dependencies via pipenv."

Pipfile

@@ -19,4 +19,4 @@ reuse = "~=3.0.2"
 ansible = "~=9.5.1"
 
 [requires]
-python_version = "3.10"
+python_version = "3.12"

Pipfile.lock

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include gitlab_runner role"
+      ansible.builtin.include_role:
+        name: "hifis.toolkit.gitlab_runner"

molecule/gitlab_runner/converge.yml

@@ -0,0 +1,137 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: "molecule/gitlab_runner/requirements.yml"
+driver:
+  name: podman
+platforms:
+  - name: instancegitlabciopenstack1
+    image: ${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}
+    pre_build_image: true
+    override_command: false
+    privileged: true  # Required to run Docker in Podman
+    systemd: true
+    tty: true
+  - name: instancegitlabciopenstack2
+    image: ${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}
+    pre_build_image: true
+    override_command: false
+    privileged: true  # Required to run Docker in Podman
+    systemd: true
+    tty: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: prepare.yml
+    converge: converge.yml
+  inventory:
+    hosts:
+      all:
+        vars:
+          gitlab_runner_concurrent: 4
+    host_vars:
+      instancegitlabciopenstack1:
+        gitlab_runner_version: "16.11.0"
+        gitlab_runner_deb_file: "https://packages.gitlab.com/runner/gitlab-runner/packages/{{ ansible_distribution | lower }}/{{ ansible_distribution_release | lower }}/gitlab-runner_{{ gitlab_runner_pkg_version }}_amd64.deb/download.deb"
+        gitlab_runner_install_docker: true
+        gitlab_runner_ssh_public_key: "test_key.pub"
+        gitlab_runner_ssh_private_key: "test_key"
+        gitlab_runner_sentry_dsn: "https://[email protected]/1"
+        gitlab_runner_registry_mirrors:
+          - "http://registry-mirror1.example"
+          - "https://registry-mirror2.example"
+        gitlab_runner_insecure_registries:
+          - "registry-mirror1.example"
+        gitlab_runner_enable_session_server: true
+        gitlab_runner_list:
+          - name: "test01"
+            url: "https://gitlab.com"
+            description: "Molecule test runner"
+            authentication_token: ${AUTHENTICATION_TOKEN}
+            executor: "docker"
+            environment: ["CI_CPUS=8", "DOCKER_TLS_CERTDIR=/certs"]
+            docker_security_opts: ["seccomp=unconfined"]
+            docker_volumes: ["/cache", "/certs/client"]
+            docker_devices: ["/dev/kfd", "/dev/dri"]
+            docker_cpus: 2
+            docker_gpus: "all"
+            docker_memory: "2g"
+            docker_image: "python:3.8"
+            docker_network_mtu: 1442
+            tags: ["docker", "hifis"]
+            locked: True
+            limit: 10
+      instancegitlabciopenstack2:
+        gitlab_runner_version: "16.11.0"
+        gitlab_runner_install_docker: false
+        gitlab_runner_ssh_public_key: ""
+        gitlab_runner_ssh_private_key: ""
+        gitlab_runner_registry_mirror: "https://registry-mirror.example"
+        gitlab_runner_listen_address: "127.0.0.1:9252"
+        gitlab_runner_set_default_network_opts: true
+        gitlab_runner_list:
+          - name: "test01"
+            url: "https://gitlab.com"
+            description: "Molecule test runner"
+            authentication_token: ${AUTHENTICATION_TOKEN}
+            executor: "docker+machine"
+            environment: ["CI_CPUS=8", "DOCKER_TLS_CERTDIR=/certs"]
+            docker_volumes: ["/cache", "/certs/client", "/opt/docker/daemon.json:/etc/docker/daemon.json:ro"]
+            docker_image: "python:3.8"
+            docker_shm_size: 2147483648
+            docker_disable_cache: True
+            tags: ["docker", "hifis"]
+            locked: True
+            limit: 10
+            machine_idle_count: 5
+            machine_idle_time: 7200
+            machine_max_builds: 4
+            machine_max_growth_rate: 2
+            machine_driver: "openstack"
+            machine_name: "auto-scale-%s"
+            machine_options:
+              - "openstack-auth-url=https://openstack.example:5000/v3"
+              - "openstack-image-id=73f07dd3-fa8b-468f-b6bc-b0cd4510f5d0"
+              - "openstack-flavor-name=m1.small"
+              - "openstack-net-id=7834deeb-8bd5-4fc7-b35b-24035d8f47a7"
+              - "openstack-username=gitlab-runner"
+              - "openstack-password=secret"
+              - "openstack-tenant-id=123456"
+              - "openstack-domain-name=default"
+              - "openstack-ssh-user=core"
+              - "openstack-sec-groups=Internal"
+              - "openstack-keypair-name=runners-internal"
+              - "openstack-private-key-file=/etc/gitlab-runner/gitlab_runner_key"
+              - "openstack-user-data-file=/etc/gitlab-runner/ignition.json"
+              - "openstack-active-timeout=300"
+              - "engine-registry-mirror=https://registry-mirror.example"
+            cache_type: "s3"
+            cache_server_address: "https://cache.example"
+            cache_access_key: "key"
+            cache_secret_key: "secret"
+            cache_bucket_name: "bucket"
+            cache_bucket_location: "eu-west-1"
+            cache_insecure: "false"
+verifier:
+  name: ansible
+scenario:
+  name: gitlab_runner
+  test_sequence:
+    - destroy
+    - dependency
+    - syntax
+    - create
+    - prepare
+    - check
+    - converge
+    - idempotence
+    - check
+    - side_effect
+    - verify
+    - destroy

molecule/gitlab_runner/molecule.yml

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install necessary packages
+      when: ansible_os_family == 'Debian'
+      block:
+        - name: Install missing dependencies
+          ansible.builtin.apt:
+            name:
+              - sudo              # for `become` privilege escalation
+              - iproute2          # for gathering network facts
+              - ca-certificates   # for Gitlab-Runner download
+              - gpg
+              - python3-debian
+            state: present
+            update_cache: yes
+    - name: Set up iptables
+      when: ansible_distribution == 'Debian'
+      block:
+        - name: "Install missing dependencies"
+          ansible.builtin.apt:
+            name:
+              - "iptables"
+            state: "present"
+            update_cache: yes
+        - name: "Use legacy iptables"
+          community.general.alternatives:
+            name: "iptables"
+            path: "/usr/sbin/iptables-legacy"
+        - name: "Use legacy ip6tables"
+          community.general.alternatives:
+            name: "ip6tables"
+            path: "/usr/sbin/ip6tables-legacy"

molecule/gitlab_runner/prepare.yml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Helmholtz Centre for Environmental Research (UFZ)
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden - Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+roles:
+  - name: geerlingguy.docker

molecule/gitlab_runner/requirements.yml

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAZxWIoT1CX3FFjc3+Em53Hy5ht8AbF8QHWQb25c3H2hQAAAJCiuPqvorj6
+rwAAAAtzc2gtZWQyNTUxOQAAACAZxWIoT1CX3FFjc3+Em53Hy5ht8AbF8QHWQb25c3H2hQ
+AAAEBQMNsWaiJGO+9HM245p+bcdI6mucBBHnD+880/zEOOERnFYihPUJfcUWNzf4SbncfL
+mG3wBsXxAdZBvblzcfaFAAAACXVzZXJAaG9zdAECAwQ=
+-----END OPENSSH PRIVATE KEY-----