
aws-autoscaling-gitlab-runner's Introduction

Autoscaling GitLab Runner on AWS

This repository consists of an AWS CloudFormation template that may be used to deploy a GitLab runner on AWS with the Docker executor and auto-scaling based on the number of pending builds.

The runners have a shared cache to speed up builds. Objects in the bucket are automatically expired after a configurable number of days — 0 means that cache objects will never expire.

Resources created

  • 1 S3 bucket to store runners' cache.
  • 1 EC2 instance that is the runners' manager: it invokes AWS APIs to spawn and terminate other EC2 instances (via docker-machine) and runs Docker containers on them to process GitLab CI builds.

VPC consideration

If you want to create the stack within a specific VPC, you'll first need to create that VPC manually.

Please note that docker-machine uses availability zone A by default, so at minimum the 'A' zone must be available in your VPC.

  • Note: this is something you can contribute to; a change request adding an availability zone selector is welcome.

Obtaining a GitLab Runner token

When you launch the stack you are required to pass a GitLab Runner token. This is not to be confused with a GitLab Runner registration token!

You can obtain a registration token by navigating to the "Settings › CI / CD" page of any project for which you have administrative rights. It'll be available under "Runners settings".

You can then obtain a GitLab Runner token by using the (undocumented) endpoint POST /runners:

# Assuming the GitLab instance is available at https://gitlab.example.org
# and the GitLab Runner registration token is "abcdef1234567890":

curl -XPOST -H 'Content-Type: application/json' -H 'Accept: application/json' \
  -d '{"token":"abcdef1234567890","run_untagged":true,"locked":false}' \
  https://gitlab.example.org/api/v4/runners

If everything goes fine, the response will be a JSON object with a token key: this is the GitLab Runner token you were looking for.

Security considerations

AWS credentials

Credentials must be rotated, and humans must remember to rotate credentials. But credentials are not always strictly necessary.

The runners' manager instance has an AWS Instance Profile attached that makes it possible to invoke EC2 and S3 APIs using dynamically obtained credentials, that have a short lifetime and therefore don't need to be rotated. Thus, no IAM access keys are involved in this stack — except the ones you may use to create or update the stack using the AWS APIs or the CLI, of course.

GitLab CI token

The only credential that is actually stored somewhere is the GitLab CI token. If stolen, it would allow a malicious user to "intercept" your builds and run them on their infrastructure, exposing other secrets as a consequence. You should treat this as very sensitive information.

This stack doesn't provide any special security measure: the value is passed as plain text to CloudFormation at stack creation as a "sensitive parameter" (NoEcho: true), and is stored in plain text on the runners' manager in a file that is readable only by gitlab-runner user. The provisioning of said file happens via cfn-init. The value is then used by GitLab Runner itself, presumably in HTTP-over-TLS communications with the GitLab instance.

SSH

At stack creation you are required to specify an AWS Key Pair to provide access to the runners' manager instance. When the stack is created, you can access your instance with the following command:

ssh -i /PATH/TO/IDENTITY_FILE ec2-user@INSTANCE-PUBLIC-IP

The runners' manager Security Group allows connections on port 22 from any IPv4 address (CIDR: 0.0.0.0/0), and all other ports are inaccessible. This is far from an optimal solution but, since SSH authentication requires an SSH key pair, it should be reasonably safe anyway. Counter-measures like Fail2Ban are not deployed out of the box, either.
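As an added example (not taken from the repository's template), here is the world-open port 22 rule described above beside a version that scopes SSH to an operator-supplied CIDR; the parameter name AdminCidr is an assumption, and the VpcId property is omitted for brevity.

```yaml
Parameters:
  AdminCidr:
    # Assumption: the operator passes the address range they administer from,
    # e.g. 203.0.113.0/24 (a documentation range, used here as a sample value).
    Type: String
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR block

Resources:
  # Weak rule, as the README describes: SSH reachable from every IPv4 address.
  ManagerSecurityGroupOpen:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: runners manager (SSH open to the world)
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

  # Hardened rule: same port, but only the operator's address range may connect,
  # so key-based authentication is no longer the only barrier to brute force.
  ManagerSecurityGroupRestricted:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: runners manager (SSH from the admin range only)
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
```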

aws-autoscaling-gitlab-runner's People

Contributors

benoitm974, fquffio, mpgo13

aws-autoscaling-gitlab-runner's Issues

EIP is not associated to EC2::Instance: no internet connection from Manager

Hello there,
first I want to thank all the people who have contributed to this project. I think it is a very good starting point to learn how to deploy a gitlab runner cluster within AWS.

However I'm stuck with a problem related to the internet connection from within the Manager EC2 Instance. When executing the UserData, there is no Internet connection and the commands fail with connection refused. I've noticed that the Elastic IP defined in the stack is not automatically associated to the EC2::Instance resource defined, even if the correct InstanceId property is specified. Indeed, if I attach an elastic IP and execute the UserData commands by hand the stack is correctly created and a new Elastic IP is associated to the EC2::Instance.

I've tried to use EIPAssociation (without success) and also to define a NetworkInterface to be attached to the EC2 instance: same error result. My question is: are there specific requirements for the definition of the VPC that can block this association? I've defined a VPC with an active InternetGateway: is there any other property/feature that needs to be set in the VPC?

Thanks for the attention to this matter.

Limited IAM profile

Hi,

I happened to stumble upon this while searching for ideas on how to do lifecycle management of runners with autoscaling groups. I hope that you're aware that gitlab-runner will be able to terminate any instance in that VPC, since it can describe all instances and apply tags to any instance in that account.

I'm currently looking for a solution to this, but have yet to find anything fruitful.

Possible to pull from private aws ecr-registry

Hi, I'm trying to pull from our private ECR registry but having trouble authenticating, I believe this should be possible based on this post:

https://gitlab.com/gitlab-org/gitlab-runner/issues/1583#note_93170156

By adding the aws credential-helper (https://github.com/awslabs/amazon-ecr-credential-helper) to the main EC2 manager.

Currently, I've added this to the Userdata of the instance:

UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          yum update -y aws-cfn-bootstrap
 >>>      yum install -y amazon-ecr-credential-helper

And an env var named DOCKER_AUTH_CONFIG to our gitlab project variables with the address of the registry:

{
  "credHelpers": {
    "123.dkr.ecr.eu-central-1.amazonaws.com": "ecr-login"
  }
}

But currently, I'm still getting a "no basic credentials specified" error when trying to pull the image.

Is this a supported/out of scope feature or has anyone succeeded with this use case? (Sorry if a SO question would be a better place for this question but it seemed like this would be a common use case for this repo.)

Missing Permission for Spot Instance Creation

I use spot instances for runners.
However, after setting GitLabRunnerSpotInstance to "Yes", the manager could not create the new machines and the logs stated that:

Error creating machine: Error in driver during machine creation: Error request spot instance: AuthFailure.ServiceLinkedRoleCreationNotPermitted: The provided
credentials do not have permission to create the service-linked role for EC2 Spot Instances.

I had to add "iam:CreateServiceLinkedRole" for resource "*" to the manager's inline policy "Runners".
I got the information from a related issue: LeanerCloud/AutoSpotting#187
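The two issues above ("Limited IAM profile" and "Missing Permission for Spot Instance Creation") both come down to the manager's inline policy "Runners". As an added example that is not the repository's template, here is a version in which destructive EC2 actions are scoped by tag and the spot permission is limited to the one service-linked role it needs. Assumptions: the manager role is named ManagerRole, the runner config passes docker-machine's amazonec2-tags option so every machine carries gitlab-runner-stack=<stack name>, and the action lists are abbreviated to the ones relevant to the point.

```yaml
RunnersPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: Runners
    Roles:
      - !Ref ManagerRole   # assumption: the manager instance's IAM role
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        # Describe* calls have no resource-level scoping in EC2; they are read-only.
        - Effect: Allow
          Action:
            - ec2:DescribeInstances
            - ec2:DescribeImages
            - ec2:DescribeSubnets
            - ec2:DescribeSpotInstanceRequests
            - ec2:RequestSpotInstances
          Resource: '*'
        # Launching needs the instance ARN plus the resources a launch references.
        - Effect: Allow
          Action:
            - ec2:RunInstances
            - ec2:CreateTags
          Resource:
            - arn:aws:ec2:*:*:instance/*
            - arn:aws:ec2:*:*:image/*
            - arn:aws:ec2:*:*:subnet/*
            - arn:aws:ec2:*:*:security-group/*
            - arn:aws:ec2:*:*:network-interface/*
            - arn:aws:ec2:*:*:volume/*
            - arn:aws:ec2:*:*:key-pair/*
        # Destructive actions only on instances carrying the stack tag, so a
        # compromised manager cannot terminate unrelated instances in the VPC.
        - Effect: Allow
          Action:
            - ec2:TerminateInstances
            - ec2:StopInstances
            - ec2:StartInstances
          Resource: arn:aws:ec2:*:*:instance/*
          Condition:
            StringEquals:
              ec2:ResourceTag/gitlab-runner-stack: !Ref AWS::StackName
        # Spot machines need the EC2 Spot service-linked role (the error quoted
        # above); grant creation for that single service rather than on "*".
        - Effect: Allow
          Action: iam:CreateServiceLinkedRole
          Resource: arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*
          Condition:
            StringEquals:
              iam:AWSServiceName: spot.amazonaws.com
```

If docker-machine applies its tags only after launch rather than at RunInstances time, ec2:CreateTags must stay unconditional on instances as shown; otherwise it can be tightened further with an ec2:CreateAction condition.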

Clarification on Manager Image

I'm trying to deploy your aws template but not sure what I need to do for the Manager Image ID? Do I need to create my own server with docker and gitlab-runner installed on it first?
