From 8bbc3236ac004fb14847e564a6696280ad159866 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 11:15:18 -0400 Subject: [PATCH 01/34] docs: update README for Anthos usage --- .github/workflows/cicd.yml | 5 ++--- README.md | 24 ++++++++++++++++++------ 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index fd9c3dc..26ceb1f 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -14,9 +14,9 @@ env: GCP_PROJECT: ${{ secrets.GCP_PROJECT }} GKE_CLUSTER: self-hosted-runner-test-cluster GKE_SECRETS: self-hosted-runner-creds - GCP_REGION: us-central1 + GCP_REGION: us-west1 IMAGE: self-hosted-runner - GITHUB_REPO: owner/repo # should be a private repository, see https://help.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners + GITHUB_REPO: ${{ secrets.REPO }} # should be a private repository, see https://help.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners. GITHUB_TOKEN isn't good for most use cases because it is only valid for one hour. jobs: @@ -32,7 +32,6 @@ jobs: - name: Configure Google Cloud credentials uses: GoogleCloudPlatform/github-actions/setup-gcloud@master # until 0.2.0 release is available with: - version: 275.0.0 service_account_email: ${{ secrets.GCP_EMAIL }} service_account_key: ${{ secrets.GCP_KEY }} diff --git a/README.md b/README.md index 5372703..ea5b43f 100644 --- a/README.md +++ b/README.md 
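Review bot: Removing `version: 275.0.0` from the `setup-gcloud` step leaves both the action reference (`@master`) and the Cloud SDK version floating, so every run pulls whatever upstream currently ships into a job that holds `GCP_KEY` and can push to the project's registry. Pin the action to a release tag or, better, a full commit SHA (`uses: GoogleCloudPlatform/github-actions/setup-gcloud@<commit-sha>` — placeholder) and keep an explicit `version:` for the SDK that is bumped deliberately. The existing comment says `@master` is temporary "until 0.2.0 release is available"; turning it into a `# TODO:` with the tracking reference keeps the deviation visible. The step belongs to a job whose definition starts before this hunk.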
@@ -48,18 +48,30 @@ gcloud projects add-iam-policy-binding self-hosted-runner-test \ gcloud services enable \ stackdriver.googleapis.com \ compute.googleapis.com \ - stackdriver.googleapis.com \ - container.googleapis.com + container.googleapis.com \ + anthos.googleapis.com ``` * Create GKE cluster ([docs](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster)) ``` -gcloud container clusters create self-hosted-runner-test-cluster \ - --zone us-central1 +gcloud container clusters create self-hosted-runner-test-cluster --region us-west1 +``` + +* Register cluster to the environ [docs](https://cloud.google.com/anthos/docs/setup/cloud#gcloud) +``` +gcloud container hub memberships register self-hosted-anthos-membership \ + --project=self-hosted-runner-test-897234 \ +◀ --gke-uri=https://container.googleapis.com/v1/projects/self-hosted-runner-test-897234/locations/us-west1/clusters/self-hosted-runner-test-cluster \ # +◀ --service-account-key-file=/path-to/service-account-key.json +``` + +* Get the credentails for this cluster +``` +gcloud container clusters get-credentials self-hosted-runner-test-cluster --region us-west1 ``` -* Instead of setting these values in a local `.env` file as above, create [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) available to your pods at runtime. +* Which repository or organization will your self hosted runners be available to? Use [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to make these environment variables available to your pods. ``` kubectl create secret generic self-hosted-runner-creds \ 
@@ -68,7 +80,7 @@ kubectl create secret generic self-hosted-runner-creds \ ``` * Set these as secrets in your GitHub repository: - * `GCP_PROJECT`: Name of your Google Cloud Platform project, eg. `self-hosted-runner-test` + * `GCP_PROJECT`: ID of your Google Cloud Platform project, eg. `self-hosted-runner-test-897234` * `GCP_EMAIL`: Service Account email, eg. `runner-admin@self-hosted-runner-test.iam.gserviceaccount.com` * `GCP_KEY`: Download your [Service Account JSON credentials](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and Base64 encode them, eg. output of `cat ~/path/to/my/credentials.json | base64` * `TOKEN`: Personal Access Token. From the [documentation](https://developer.github.com/v3/actions/self_hosted_runners/), "Access tokens require `repo scope` for private repos and `public_repo scope` for public repos". From 4417e77d3d376bab322a3935c1cd491cd108f13e Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 13:14:28 -0400 Subject: [PATCH 02/34] fix: clean up workflow and use kustomize --- .github/workflows/cicd.yml | 58 +++++++++++++++++++++++++++----------- deployment.yml | 3 +- kustomization.yml | 4 +++ 3 files changed, 46 insertions(+), 19 deletions(-) create mode 100644 kustomization.yml diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 26ceb1f..dcec48c 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -1,4 +1,4 @@ -# This workflow builds and deploys a GitHub Actions self hosted runner to Google Kubernetes Engine. +# This workflow builds and deploys a GitHub Actions self hosted runner to Anthos GKE. # # REQUIREMENTS: # - "Google Kubernetes Engine" setup steps in README, including adding appropriate secrets to repository 
@@ -20,8 +20,8 @@ env: TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners. GITHUB_TOKEN isn't good for most use cases because it is only valid for one hour. jobs: - # Build and push image to GCR - publish: + # Test and build + test: runs-on: ubuntu-latest steps: @@ -39,22 +39,30 @@ jobs: - run: | gcloud auth configure-docker - # Build Docker image - - name: Build image - run: docker build . -t gcr.io/"$GCP_PROJECT"/"$IMAGE":latest - - # Push the Docker image to Google Container Registry - - name: Publish + # Necessary environment variables are not empty + - name: Check environment variables run: | - docker push gcr.io/$GCP_PROJECT/$IMAGE:latest + [ -z "$GCP_PROJECT" ] && echo "$GCP_PROJECT env must be set" && exit 1 + [ -z "$GKE_CLUSTER" ] && echo "$GKE_CLUSTER env must be set" && exit 1 + [ -z "$GKE_SECRETS" ] && echo "$GKE_SECRETS env must be set" && exit 1 + [ -z "$GCP_REGION" ] && echo "$GCP_REGION env must be set" && exit 1 + [ -z "$IMAGE" ] && echo "$IMAGE must be set" && exit 1 + [ -z "$GITHUB_REPO" ] && echo "$GITHUB_REPO must be set" && exit 1 + [ -z "$TOKEN" ] && echo "$TOKEN must be set" && exit 1 + + # Insert other testing and linting steps here, eg. container analysis (https://cloud.google.com/container-registry/docs/container-analysis) + + # Ensure Docker image can be built + - name: Build image + run: docker build . -t gcr.io/"$GCP_PROJECT"/"$IMAGE":"$GITHUB_SHA" - # Apply Kubernetes manifest to deploy image to cluster + # Build and publish image, apply Kubernetes manifest to deploy image to cluster deploy: - needs: publish + needs: test runs-on: ubuntu-latest # Only on push to master (a merged PR) - if: github.event_name == 'push' + if: github.ref == 'refs/heads/master' && github.event_name == 'push' steps: - name: Checkout 
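Review bot: The new `Check environment variables` step fails even when every variable is set: each line is an `&&` list whose first command `[ -z "$VAR" ]` returns non-zero for a non-empty variable, and the script's exit status is that of its last line, so the step exits 1 whenever `TOKEN` is present (the next patch in the series removes the step rather than fixing it). The messages also expand the value instead of naming the variable, so `echo "$GCP_PROJECT env must be set"` prints ` env must be set` when it fires. The shell's `${VAR:?message}` check does both jobs in one line per variable and aborts the step at the first missing one:
```yaml
      # Necessary environment variables are not empty
      - name: Check environment variables
        run: |
          : "${GCP_PROJECT:?GCP_PROJECT env must be set}"
          : "${GKE_CLUSTER:?GKE_CLUSTER env must be set}"
          : "${GKE_SECRETS:?GKE_SECRETS env must be set}"
          : "${GCP_REGION:?GCP_REGION env must be set}"
          : "${IMAGE:?IMAGE must be set}"
          : "${GITHUB_REPO:?GITHUB_REPO must be set}"
          : "${TOKEN:?TOKEN must be set}"
      # … unchanged: container-analysis placeholder comment and Build image step …
```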
@@ -64,17 +72,30 @@ jobs: - name: Configure Google Cloud credentials uses: GoogleCloudPlatform/github-actions/setup-gcloud@master # until 0.2.0 release is available with: - version: 275.0.0 service_account_email: ${{ secrets.GCP_EMAIL }} service_account_key: ${{ secrets.GCP_KEY }} + # Build Docker image + - name: Build image + run: docker build . -t gcr.io/"$GCP_PROJECT"/"$IMAGE":"$GITHUB_SHA" + + # Push the Docker image to Google Container Registry + - name: Publish + run: | + docker push gcr.io/"$GCP_PROJECT"/"$IMAGE":"$GITHUB_SHA" + # Configure Kubernetes - name: Configure Kubernetes run: | gcloud container clusters get-credentials $GKE_CLUSTER --region $GCP_REGION --project $GCP_PROJECT + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + # Optional: Update secrets in Google Kubernetes Engine (GKE) cluster (to change repo the runner is available to or authentication token) - # Note that GITHUB_TOKEN is only valid for one hour. - name: Update secrets run: | kubectl get secrets $GKE_SECRETS -o json | @@ -84,5 +105,8 @@ jobs: # Deploy to Google Kubernetes Engine (GKE) cluster - name: Deploy - run: | - kubectl apply -f deployment.yml + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$GCP_PROJECT/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$IMAGE + kubectl get services -o wide diff --git a/deployment.yml b/deployment.yml index 04fa3ae..dfa26fb 100644 --- a/deployment.yml +++ b/deployment.yml @@ -11,8 +11,7 @@ spec: spec: containers: - name: self-hosted-runner - # Update this image location - image: gcr.io/self-hosted-runner-test/self-hosted-runner:latest + image: gcr.io/PROJECT_ID/IMAGE:TAG imagePullPolicy: Always env: - name: GITHUB_REPO diff --git a/kustomization.yml b/kustomization.yml new file mode 100644 index 0000000..f3c9207 
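Review bot: The `Set up Kustomize` step downloads the v3.1.0 binary from GitHub releases and runs it with no integrity check, so the deploy job, which at that point holds cluster credentials from `get-credentials`, executes whatever bytes the download returns. Because the version is already pinned, verifying the archive is one extra line after the `curl`: `echo "<sha256-from-release>  kustomize" | sha256sum -c -` (placeholder checksum taken from the release's published hash). The same hunk's `Update secrets` step pipes `kubectl get secrets $GKE_SECRETS -o json` into a command that continues outside the hunk; `$GKE_SECRETS` and the `$GKE_CLUSTER`/`$GCP_REGION`/`$GCP_PROJECT` arguments above it are unquoted, which is harmless for the fixed values in `env:` but worth quoting for consistency with the `"$GCP_PROJECT"/"$IMAGE"` form used in `Build image`. The deploy job's definition starts before this hunk.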
--- /dev/null +++ b/kustomization.yml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- deployment.yml \ No newline at end of file From cef4bd0088fd46f3010117db90de45ed93cb5547 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 14:00:30 -0400 Subject: [PATCH 03/34] remove env check for now --- .github/workflows/cicd.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index dcec48c..42d6f01 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -39,17 +39,6 @@ jobs: - run: | gcloud auth configure-docker - # Necessary environment variables are not empty - - name: Check environment variables - run: | - [ -z "$GCP_PROJECT" ] && echo "$GCP_PROJECT env must be set" && exit 1 - [ -z "$GKE_CLUSTER" ] && echo "$GKE_CLUSTER env must be set" && exit 1 - [ -z "$GKE_SECRETS" ] && echo "$GKE_SECRETS env must be set" && exit 1 - [ -z "$GCP_REGION" ] && echo "$GCP_REGION env must be set" && exit 1 - [ -z "$IMAGE" ] && echo "$IMAGE must be set" && exit 1 - [ -z "$GITHUB_REPO" ] && echo "$GITHUB_REPO must be set" && exit 1 - [ -z "$TOKEN" ] && echo "$TOKEN must be set" && exit 1 - # Insert other testing and linting steps here, eg. container analysis (https://cloud.google.com/container-registry/docs/container-analysis) # Ensure Docker image can be built From 889bbbd176420f50aae60892d3c7ae27d40d145e Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 14:56:45 -0400 Subject: [PATCH 04/34] fix: docker auth --- .github/workflows/cicd.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 42d6f01..46c85e5 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
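Review bot: The new `kustomization.yml` ends without a trailing newline (`\ No newline at end of file`) and writes its `resources:` sequence flush-left (`- deployment.yml`); add the final newline and pick one sequence-indentation style for all manifests in the repo so yamllint and Prettier stop rewriting the file on every touch. A leading `---` document-start marker would also satisfy yamllint's default `document-start` rule.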
@@ -34,10 +34,6 @@ jobs: with: service_account_email: ${{ secrets.GCP_EMAIL }} service_account_key: ${{ secrets.GCP_KEY }} - - # Use gcloud CLI to configure docker authentication for subsequent push - - run: | - gcloud auth configure-docker # Insert other testing and linting steps here, eg. container analysis (https://cloud.google.com/container-registry/docs/container-analysis) @@ -64,20 +60,24 @@ jobs: service_account_email: ${{ secrets.GCP_EMAIL }} service_account_key: ${{ secrets.GCP_KEY }} + # Use gcloud CLI to configure docker authentication for subsequent push + - run: | + gcloud auth configure-docker + # Build Docker image - name: Build image run: docker build . -t gcr.io/"$GCP_PROJECT"/"$IMAGE":"$GITHUB_SHA" - # Push the Docker image to Google Container Registry - - name: Publish - run: | - docker push gcr.io/"$GCP_PROJECT"/"$IMAGE":"$GITHUB_SHA" - # Configure Kubernetes - name: Configure Kubernetes run: | gcloud container clusters get-credentials $GKE_CLUSTER --region $GCP_REGION --project $GCP_PROJECT + # Push the Docker image to Google Container Registry + - name: Publish + run: | + docker push gcr.io/"$GCP_PROJECT"/"$IMAGE":"$GITHUB_SHA" + # Set up kustomize - name: Set up Kustomize run: |- From de6e383a5026e159c5b8f735b12a672b95083899 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 15:36:29 -0400 Subject: [PATCH 05/34] fix: deploy --- .github/workflows/cicd.yml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 46c85e5..6bcbe87 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -98,4 +98,4 @@ jobs: ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$GCP_PROJECT/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - kubectl rollout status deployment/$IMAGE - kubectl get services -o wide + kubectl get deployments -o wide diff --git a/Dockerfile b/Dockerfile index 85ea7fa..8fec5c4 100644 
--- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:12 +FROM ubuntu:latest # Update and download dependencies RUN apt-get update From 374ac9284fd3547eaa644457187558dc8492f92c Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 15:52:52 -0400 Subject: [PATCH 06/34] CI: bump From 2f2cd398fd2f3cbeb5eb36e98276a4a7681d1339 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 16:06:44 -0400 Subject: [PATCH 07/34] CI: bump From f4a1bf2956521d1f80cb76036dc85b5cdf28bf5e Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 16:10:41 -0400 Subject: [PATCH 08/34] chore: scale down replicas to 1 --- .github/workflows/cicd.yml | 3 +-- deployment.yml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 6bcbe87..81d4854 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -97,5 +97,4 @@ jobs: run: |- ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$GCP_PROJECT/$IMAGE:$GITHUB_SHA ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$IMAGE - kubectl get deployments -o wide + diff --git a/deployment.yml b/deployment.yml index dfa26fb..665bcdc 100644 --- a/deployment.yml +++ b/deployment.yml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: self-hosted-runner spec: - replicas: 2 + replicas: 1 template: metadata: labels: From 2c701821e1b19ea14c4b345c5dcbdcf544f27688 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 19:28:36 -0400 Subject: [PATCH 09/34] CI: bump From 198b116333e7bcb4eb640814d9b2dbd6eefa36e0 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 19:29:02 -0400 Subject: [PATCH 10/34] chore: add echo statements for debugging --- startup.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/startup.sh b/startup.sh index 3c8efc3..46339d3 100755 --- a/startup.sh +++ b/startup.sh 
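Review bot: `FROM ubuntu:latest` replaces a pinned major version with a floating tag, so the runner image's base changes silently between builds and rebuilding the same commit is not reproducible, even though the deploy job tags images by `$GITHUB_SHA`. Pin at least to a release (`FROM ubuntu:18.04`) and preferably to a digest (`FROM ubuntu:18.04@sha256:<digest>` — placeholder) so the tag really identifies one set of inputs. The `apt-get update` and `apt-get install` lines that follow are unchanged context.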
@@ -11,18 +11,26 @@ function remove_runner { # Watch for EXIT signal to be able to shut down gracefully trap remove_runner EXIT +echo "## Finding latest release binary for Linux x64..." + # Get latest binary version for Linux x64 BINARY_URL=$(curl \ --url https://api.github.com/repos/$GITHUB_REPO/actions/runners/downloads \ --header "authorization: Bearer $TOKEN" | \ jq -r '.[] | select(.os=="linux") | select(.architecture=="x64") | .download_url') +echo "## Downloading ${BINARY_URL}..." + # Follow any redirects to download and unpack the binary curl -L $BINARY_URL | tar xz +echo "## Finished downloading ${BINARY_URL}." + # Generate CONFIG_TOKEN=$(curl --data "" --header "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/registration-token | jq -r '.token') +echo "Installing dependencies..." + # Install dependencies ./bin/installdependencies.sh From c5c568f4ced6e0d796ac2a38a9aef0a912b59bf7 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 19:38:04 -0400 Subject: [PATCH 11/34] fix: ubuntu 18 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8fec5c4..a085a92 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ -FROM ubuntu:latest +FROM ubuntu:18.04 # Update and download dependencies RUN apt-get update -RUN apt-get install -y libssl-dev curl iputils-ping jq wget +RUN apt-get install -y libssl-dev curl iputils-ping jq wget libicu63 # Docker in docker for container builds on Kubernetes. Otherwise, follow this guidance: https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/. ENV DOCKER_CHANNEL stable From 3347c9bf8810bde3266b2eb40a189b2eafb552d0 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 7 May 2020 19:40:04 -0400 Subject: [PATCH 12/34] fix: let bin/installdependencies.sh take care of updates --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Dockerfile b/Dockerfile index a085a92..86181da 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM ubuntu:18.04 # Update and download dependencies RUN apt-get update -RUN apt-get install -y libssl-dev curl iputils-ping jq wget libicu63 +RUN apt-get install -y libssl-dev curl iputils-ping jq wget # Docker in docker for container builds on Kubernetes. Otherwise, follow this guidance: https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/. ENV DOCKER_CHANNEL stable From ea7fd4e092a4543818aee9cbae484a9f6058195f Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 8 May 2020 09:53:29 -0400 Subject: [PATCH 13/34] feat: download actions runner in Dockerfile fix: resource constraints and dind storage --- Dockerfile | 17 ++++++++++++++--- deployment.yml | 15 ++++++++++++++- startup.sh | 25 +------------------------ 3 files changed, 29 insertions(+), 28 deletions(-) diff --git a/Dockerfile b/Dockerfile index 86181da..398afd4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM ubuntu:18.04 RUN apt-get update RUN apt-get install -y libssl-dev curl iputils-ping jq wget -# Docker in docker for container builds on Kubernetes. Otherwise, follow this guidance: https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/. +# Download Docker for container builds on Kubernetes ENV DOCKER_CHANNEL stable ENV DOCKER_VERSION 18.09.1 RUN wget -O docker.tgz "https://download.docker.com/linux/static/${DOCKER_CHANNEL}/x86_64/docker-${DOCKER_VERSION}.tgz" && \ 
@@ -15,8 +15,19 @@ RUN wget -O docker.tgz "https://download.docker.com/linux/static/${DOCKER_CHANNE RUN mkdir ./actions-runner WORKDIR /home/actions-runner -COPY startup.sh . +# Download Actions runner +# https://github.com/terraform-google-modules/terraform-google-github-actions-runners/blob/598a38a72b7bbaf56be431c07de04752c521fd60/examples/gh-runner-gke-dind/Dockerfile#L28-L31 +ARG GH_RUNNER_VERSION="2.169.1" +RUN curl -o actions.tar.gz --location "https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz" && \ + tar -zxf actions.tar.gz && \ + rm -f actions.tar.gz + +# Install dependencies +RUN ./bin/installdependencies.sh -EXPOSE 8080 +# Allow runner to run as root +ENV RUNNER_ALLOW_RUNASROOT=1 + +COPY startup.sh . ENTRYPOINT ["./startup.sh"] diff --git a/deployment.yml b/deployment.yml index 665bcdc..0cb9982 100644 --- a/deployment.yml +++ b/deployment.yml @@ -35,5 +35,18 @@ spec: # Docker-in-Docker not recommended for production - name: dind image: docker:18.09-dind + resources: + requests: + memory: "512Mi" + cpu: "500m" + limits: + memory: "1024Mi" + cpu: "1" securityContext: - privileged: true \ No newline at end of file + privileged: true + volumeMounts: + - name: dind-storage + mountPath: /var/lib/docker + volumes: + - name: dind-storage + emptyDir: {} \ No newline at end of file diff --git a/startup.sh b/startup.sh index 46339d3..b5b7ff4 100755 --- a/startup.sh +++ b/startup.sh 
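Review bot: The runner tarball is fetched with `curl --location` and extracted without any integrity check, and `curl` is not given `--fail`, so a 404 or an altered download is caught, if at all, only by `tar` complaining about the archive. Pinning `GH_RUNNER_VERSION` is good; add `--fail` to the `curl` and verify against the SHA-256 published with that runner release before extracting, e.g. `echo "<sha256-from-release>  actions.tar.gz" | sha256sum -c -` (placeholder) between the `curl` and the `tar`. Separately, `ENV RUNNER_ALLOW_RUNASROOT=1` bakes root execution of workflow jobs into the image; adding an unprivileged user and switching to it with `USER` before `ENTRYPOINT` keeps a compromised job from owning the container, which matters more here because the pod also runs a privileged dind sidecar.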
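Review bot: The new `dind-storage` volume is `emptyDir: {}` with no `sizeLimit`, so the Docker daemon's image and build cache under `/var/lib/docker` can grow until it fills the node's disk; the `memory`/`cpu` limits added in the same hunk do not bound that. Give the volume `emptyDir:` with `sizeLimit: <size>` (placeholder, sized for the expected build cache) or add an `ephemeral-storage` entry under `resources.limits`, so the kubelet evicts this pod instead of starving its neighbours. The `privileged: true` line is context rather than new, but it is why a disk cap is the only resource control the sidecar has left. The `containers:` list this hunk belongs to starts before the hunk.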
@@ -11,34 +11,11 @@ function remove_runner { # Watch for EXIT signal to be able to shut down gracefully trap remove_runner EXIT -echo "## Finding latest release binary for Linux x64..." - -# Get latest binary version for Linux x64 -BINARY_URL=$(curl \ - --url https://api.github.com/repos/$GITHUB_REPO/actions/runners/downloads \ - --header "authorization: Bearer $TOKEN" | \ - jq -r '.[] | select(.os=="linux") | select(.architecture=="x64") | .download_url') - -echo "## Downloading ${BINARY_URL}..." - -# Follow any redirects to download and unpack the binary -curl -L $BINARY_URL | tar xz - -echo "## Finished downloading ${BINARY_URL}." - # Generate CONFIG_TOKEN=$(curl --data "" --header "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/registration-token | jq -r '.token') -echo "Installing dependencies..." - -# Install dependencies -./bin/installdependencies.sh - -# Allow runner to run as root -export RUNNER_ALLOW_RUNASROOT=1 - # Create the runner and configure it ./config.sh --url https://github.com/$GITHUB_REPO --token $CONFIG_TOKEN --unattended # Run it -./run.sh \ No newline at end of file +./runsvc.sh \ No newline at end of file From 617d68f54e7e4387603c85063d27f265c6a7e62e Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Mon, 11 May 2020 09:25:30 -0400 Subject: [PATCH 14/34] docs: focus on kubernetes documentation --- .github/workflows/cicd.yml | 4 ++-- README.md | 25 ++++--------------------- 2 files changed, 6 insertions(+), 23 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 81d4854..00296b5 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
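Review bot: `./runsvc.sh` is not at the top of the extracted runner directory; the tarball ships it under `bin/`, so the container registers the runner via `config.sh` and then exits immediately (patch 20/34 in this series changes the line to `./bin/runsvc.sh`). Because registration has already happened by then, the `remove_runner` EXIT trap — whose body starts before this hunk and presumably deregisters — runs on every restart, so the wrong path churns registrations rather than failing loudly. The surviving `CONFIG_TOKEN=$(curl --data "" ...)` line still lacks `-sSf`, so an API error produces `--token null` instead of a failed start; `curl -sSf --data "" ...` is the one-word fix.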
@@ -11,13 +11,13 @@ on: pull_request: env: + GITHUB_REPO: ${{ secrets.REPO }} # Should be a private repository, see https://help.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners + TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners. GITHUB_TOKEN isn't good for most use cases because it is only valid for one hour. GCP_PROJECT: ${{ secrets.GCP_PROJECT }} GKE_CLUSTER: self-hosted-runner-test-cluster GKE_SECRETS: self-hosted-runner-creds GCP_REGION: us-west1 IMAGE: self-hosted-runner - GITHUB_REPO: ${{ secrets.REPO }} # should be a private repository, see https://help.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners - TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners. GITHUB_TOKEN isn't good for most use cases because it is only valid for one hour. jobs: # Test and build diff --git a/README.md b/README.md index ea5b43f..74a7035 100644 --- a/README.md +++ b/README.md 
@@ -1,26 +1,11 @@ # GitHub Actions Self Hosted Runners on Anthos -This project shows an _example_ configuration and usage of GitHub Actions self hosted runners on Anthos, using the [self hosted runners API](https://developer.github.com/v3/actions/self_hosted_runners/). Under active development 🧪. +> An _example configuration and usage_ of GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on [Anthos GKE](https://cloud.google.com/anthos/gke). Under active development 🧪. A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below. -## Usage +## Setup -### Local - -#### Setup - -Set these in an `.env` file at the top level. Inject these into the Docker container at runtime; do _not_ check them in to Git in plaintext. -* `GITHUB_REPO` - repository to allow to use the self hosted runner (eg. `octocat/spoon-knife`) -* `TOKEN`: [Personal Access Token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) or [OAuth app token](https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/) with `administration` permission, which is necessary for interacting with the [Self Hosted Runner API](https://developer.github.com/v3/actions/self_hosted_runners/). [`GITHUB_TOKEN`](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token) does not have `administration` permission. 
- -#### Run Docker container -* `docker build -t self-hosted-runner .` -* `docker run --env-file=.env -v /var/run/docker.sock:/var/run/docker.sock self-hosted-runner` (Docker-in-Docker not recommended for production) - -### Google Kubernetes Engine - -#### Setup * Create a new Google Cloud Platform project ([docs](https://cloud.google.com/sdk/gcloud/reference/projects/create)) ``` @@ -71,12 +56,12 @@ gcloud container hub memberships register self-hosted-anthos-membership \ gcloud container clusters get-credentials self-hosted-runner-test-cluster --region us-west1 ``` -* Which repository or organization will your self hosted runners be available to? Use [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to make these environment variables available to your pods. +* Use [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to provide a Personal Access Token (`TOKEN`) and repository/organization (`GITHUB_REPO`) as environment variables available to your pods. ``` kubectl create secret generic self-hosted-runner-creds \ --from-literal=GITHUB_REPO='https://github.com//' \ - --from-literal=GITHUB_TOKEN='token' + --from-literal=TOKEN='token' ``` * Set these as secrets in your GitHub repository: @@ -92,8 +77,6 @@ kubectl create secret generic self-hosted-runner-creds \ * `IMAGE`: Name of your image used in [`ci.yml`](.github/workflows/ci.yml) and [`deployment.yml`](.github/workflows/deployment.yml) * `GITHUB_REPO`: `owner/repo` of the repository that will use the self hosted runner, eg. `octocat/sandbox` -* Update values in `deployment.yml` to reflect your image name and desired configuration - #### Automation * Upon push of any image-related code to any branch, [`ci.yml`](.github/workflows/ci.yml) will kick off to build and push the Docker image. * Upon push of any code to master branch, [`cd.yml`](.github/workflows/cd.yml) will kick off to deploy to Google Cloud. 
From 185186cf098145b49ed79da13dd83ef9372408cd Mon Sep 17 00:00:00 2001 From: bharathkkb Date: Tue, 21 Apr 2020 17:07:01 -0500 Subject: [PATCH 15/34] lifecycle hook, runner as service docs: update README for Anthos usage fix: clean up workflow and use kustomize remove env check for now fix: docker auth fix: deploy CI: bump CI: bump chore: scale down replicas to 1 CI: bump chore: add echo statements for debugging fix: ubuntu 18 fix: let bin/installdependencies.sh take care of updates --- deployment.yml | 13 +++++++++++-- startup.sh | 4 ++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/deployment.yml b/deployment.yml index 0cb9982..c993bfb 100644 --- a/deployment.yml +++ b/deployment.yml @@ -23,11 +23,20 @@ spec: valueFrom: secretKeyRef: name: self-hosted-runner-creds - key: TOKEN + key: GITHUB_TOKEN - name: DOCKER_HOST value: 127.0.0.1 - name: DOCKER_BUILDKIT value: "1" + lifecycle: + preStop: + exec: + command: + [ + '/bin/bash', + '-c', + 'RUNNER_ALLOW_RUNASROOT=1 ./config.sh remove --token $(curl -sS --data "" -H "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/remove-token | jq -r .token)' + ] resources: limits: memory: "512Mi" @@ -49,4 +58,4 @@ spec: mountPath: /var/lib/docker volumes: - name: dind-storage - emptyDir: {} \ No newline at end of file + emptyDir: {} diff --git a/startup.sh b/startup.sh index b5b7ff4..e09ccc1 100755 --- a/startup.sh +++ b/startup.sh @@ -15,7 +15,7 @@ trap remove_runner EXIT CONFIG_TOKEN=$(curl --data "" --header "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/registration-token | jq -r '.token') # Create the runner and configure it -./config.sh --url https://github.com/$GITHUB_REPO --token $CONFIG_TOKEN --unattended +./config.sh --url https://github.com/$GITHUB_REPO --token $CONFIG_TOKEN --unattended --replace # Run it -./runsvc.sh \ No newline at end of file +./runsvc.sh 
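Review bot: Changing the `secretKeyRef` key from `TOKEN` to `GITHUB_TOKEN` breaks pod startup against the secret the README (patch 14/34) tells users to create with `--from-literal=TOKEN='token'`: a `secretKeyRef` whose key is absent and not marked `optional: true` prevents the container from starting, and patch 16/34 reverting the key to `TOKEN` confirms the mismatch. The new `preStop` hook is also a second, hand-written copy of the deregistration that `startup.sh` already performs from its `remove_runner` EXIT trap; keep a single path, either by dropping the hook or by having it invoke the script, so a change to the API call cannot be missed in one copy. Inside the hook, `curl -sS` lacks `-f` and `jq -r .token` turns an error body into `--token null`, so a failed remove-token request silently leaves a stale registration. The hook's multi-line flow sequence (`[ '/bin/bash', '-c', '...' ]`) would read better as a block sequence under `command:`.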
From db34c3b778a9ed78063766ce8ae96948e4fd171f Mon Sep 17 00:00:00 2001 From: bharathkkb Date: Tue, 12 May 2020 09:22:17 -0500 Subject: [PATCH 16/34] use token --- deployment.yml | 2 +- startup.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment.yml b/deployment.yml index c993bfb..52a5161 100644 --- a/deployment.yml +++ b/deployment.yml @@ -23,7 +23,7 @@ spec: valueFrom: secretKeyRef: name: self-hosted-runner-creds - key: GITHUB_TOKEN + key: TOKEN - name: DOCKER_HOST value: 127.0.0.1 - name: DOCKER_BUILDKIT diff --git a/startup.sh b/startup.sh index e09ccc1..a13d068 100755 --- a/startup.sh +++ b/startup.sh @@ -11,7 +11,7 @@ function remove_runner { # Watch for EXIT signal to be able to shut down gracefully trap remove_runner EXIT -# Generate +# Generate CONFIG_TOKEN=$(curl --data "" --header "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/registration-token | jq -r '.token') # Create the runner and configure it From ffa226e59cc1617ce4e31e3b8818bebf9897f415 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Wed, 13 May 2020 11:18:32 -0400 Subject: [PATCH 17/34] increase replicas to 2 --- deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment.yml b/deployment.yml index 52a5161..4cdf571 100644 --- a/deployment.yml +++ b/deployment.yml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: self-hosted-runner spec: - replicas: 1 + replicas: 2 template: metadata: labels: From cb2ee160def13ec3fff256ea43804cafe9fb7e20 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Wed, 13 May 2020 12:06:15 -0400 Subject: [PATCH 18/34] decrease cpu and memory --- deployment.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deployment.yml b/deployment.yml index 4cdf571..d64d7e6 100644 --- a/deployment.yml +++ b/deployment.yml 
@@ -46,11 +46,11 @@ spec: image: docker:18.09-dind resources: requests: - memory: "512Mi" - cpu: "500m" + memory: "256Mi" + cpu: "250m" limits: - memory: "1024Mi" - cpu: "1" + memory: "512Mi" + cpu: "250m" securityContext: privileged: true volumeMounts: From 8c003aa4705b6cb3c77396cf3188e190b3544eff Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Wed, 13 May 2020 12:38:18 -0400 Subject: [PATCH 19/34] bump runner version --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 398afd4..904f401 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ WORKDIR /home/actions-runner # Download Actions runner # https://github.com/terraform-google-modules/terraform-google-github-actions-runners/blob/598a38a72b7bbaf56be431c07de04752c521fd60/examples/gh-runner-gke-dind/Dockerfile#L28-L31 -ARG GH_RUNNER_VERSION="2.169.1" +ARG GH_RUNNER_VERSION="2.262.1" RUN curl -o actions.tar.gz --location "https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz" && \ tar -zxf actions.tar.gz && \ rm -f actions.tar.gz From 08788960d32e78fb69ff760466799f6ae53a5f52 Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Wed, 13 May 2020 12:45:43 -0400 Subject: [PATCH 20/34] fix: runsvc is in bin/ --- startup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/startup.sh b/startup.sh index a13d068..ce59f7f 100755 --- a/startup.sh +++ b/startup.sh @@ -18,4 +18,4 @@ CONFIG_TOKEN=$(curl --data "" --header "Authorization: Bearer $TOKEN" https://ap ./config.sh --url https://github.com/$GITHUB_REPO --token $CONFIG_TOKEN --unattended --replace # Run it -./runsvc.sh +./bin/runsvc.sh From 01ec84fe5e15567db2ecab2639422fa4bc72a2cf Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Fri, 12 Jun 2020 10:48:08 -0400 Subject: [PATCH 21/34] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 74a7035..3303ee5 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # GitHub Actions Self Hosted Runners on Anthos -> An _example configuration and usage_ of GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on [Anthos GKE](https://cloud.google.com/anthos/gke). Under active development 🧪. +> An example configuration and usage of GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on [Anthos GKE](https://cloud.google.com/anthos/gke). A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below. From 8651087c331345be4a3295348a8ce1adab31929d Mon Sep 17 00:00:00 2001 From: John Bohannon Date: Thu, 9 Jul 2020 10:59:29 -0400 Subject: [PATCH 22/34] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 3303ee5..f2d9e0b 100644 --- a/README.md +++ b/README.md 
@@ -4,6 +4,8 @@ A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.
+⚠️ Note that this emerging pattern is considered experimental and _not officially supported by GitHub at this time_. Additionally [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons.
+
 ## Setup
 * Create a new Google Cloud Platform project ([docs](https://cloud.google.com/sdk/gcloud/reference/projects/create))
From 6b55321f8a69115bdb26ef1bc382fa40fbb15ae7 Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Mon, 3 Aug 2020 09:56:54 -0400
Subject: [PATCH 23/34] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f2d9e0b..ebda645 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.
-⚠️ Note that this emerging pattern is considered experimental and _not officially supported by GitHub at this time_. Additionally [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons.
+⚠️ Note that this use case is considered experimental and _not officially supported by GitHub at this time_. Additionally [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons.
 ## Setup
From 22499d44606e522109ad161469c4b0441597783f Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Mon, 3 Aug 2020 09:58:30 -0400
Subject: [PATCH 24/34] Update Dockerfile
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 904f401..e29fb45 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,7 @@ WORKDIR /home/actions-runner
 # Download Actions runner
 # https://github.com/terraform-google-modules/terraform-google-github-actions-runners/blob/598a38a72b7bbaf56be431c07de04752c521fd60/examples/gh-runner-gke-dind/Dockerfile#L28-L31
-ARG GH_RUNNER_VERSION="2.262.1"
+ARG GH_RUNNER_VERSION="2.267.1"
 RUN curl -o actions.tar.gz --location "https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-x64-${GH_RUNNER_VERSION}.tar.gz" && \
 tar -zxf actions.tar.gz && \
 rm -f actions.tar.gz
From 53c4ad77b4c6052d17bc3fed23ff198a93f30bd3 Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Mon, 3 Aug 2020 10:00:42 -0400
Subject: [PATCH 25/34] Update cicd.yml
---
 .github/workflows/cicd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 00296b5..5c2b90e 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -1,7 +1,7 @@
 # This workflow builds and deploys a GitHub Actions self hosted runner to Anthos GKE.
 #
 # REQUIREMENTS:
-# - "Google Kubernetes Engine" setup steps in README, including adding appropriate secrets to repository
+# - Setup steps in README, including adding appropriate secrets to repository
 name: Self Hosted Runner CI/CD
 on:
From d25ac6357bf865e87365770a7adee15856d297ac Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Mon, 3 Aug 2020 10:51:38 -0400
Subject: [PATCH 26/34] docs: clean up chore: remove startup.sh
---
 .github/workflows/cicd.yml | 14 +++++++-------
 README.md | 13 +++++++------
 script/setup.sh | 1 -
 startup.sh | 11 -----------
 4 files changed, 14 insertions(+), 25 deletions(-)
 delete mode 100644 script/setup.sh
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 5c2b90e..a6f52d0 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -12,11 +12,11 @@ on:
 env:
 GITHUB_REPO: ${{ secrets.REPO }} # Should be a private repository, see https://help.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners
- TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners. GITHUB_TOKEN isn't good for most use cases because it is only valid for one hour.
+ TOKEN: ${{ secrets.TOKEN }} # Personal Access Token used to register and deregister runners since GITHUB_TOKEN is only valid for one hour.
 GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
 GKE_CLUSTER: self-hosted-runner-test-cluster
 GKE_SECRETS: self-hosted-runner-creds
- GCP_REGION: us-west1
+ GCP_ZONE: us-west1-a
 IMAGE: self-hosted-runner
 jobs:
@@ -30,10 +30,10 @@ jobs:
 # Configure Google Cloud credentials
 - name: Configure Google Cloud credentials
- uses: GoogleCloudPlatform/github-actions/setup-gcloud@master # until 0.2.0 release is available
+ uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3
 with:
- service_account_email: ${{ secrets.GCP_EMAIL }}
 service_account_key: ${{ secrets.GCP_KEY }}
+ project_id: ${{ secrets.GCP_PROJECT }}
 # Insert other testing and linting steps here, eg. container analysis (https://cloud.google.com/container-registry/docs/container-analysis)
@@ -55,10 +55,10 @@ jobs:
 # Configure Google Cloud credentials
 - name: Configure Google Cloud credentials
- uses: GoogleCloudPlatform/github-actions/setup-gcloud@master # until 0.2.0 release is available
+ uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3
 with:
- service_account_email: ${{ secrets.GCP_EMAIL }}
 service_account_key: ${{ secrets.GCP_KEY }}
+ project_id: ${{ secrets.GCP_PROJECT }}
 # Use gcloud CLI to configure docker authentication for subsequent push
 - run: |
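Review bot: The reworded comment on `TOKEN` gives a rationale that does not hold up: the one-hour lifetime of `GITHUB_TOKEN` is not the reason a PAT is needed, because the registration token is minted by the runner pod itself at start-up (startup.sh, seen in other hunks of this series), which runs outside any workflow, and a workflow's `GITHUB_TOKEN` does not, as far as I know, carry the repository-administration permission those endpoints require. The comment should instead say what the credential is and how sensitive it is — a long-lived token with `repo` scope (per the README in this same patch) that ends up in the cluster next to a privileged container — e.g. `# Personal Access Token (repo scope) consumed by the runner pod to mint registration/removal tokens; GITHUB_TOKEN cannot be used because the pod runs outside a workflow. Long-lived admin credential: use a dedicated machine user and rotate it.` Whether the workflow itself uses `TOKEN` for anything beyond passing it along is not visible here.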
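Review bot: `uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3` (and the identical line in the deploy-job hunk that follows on this line) pins to a mutable tag, and this is the step that receives the `GCP_KEY` service-account key, so a moved or re-cut tag would hand that key to whatever code the tag then points at. Pin to the release commit's full SHA and keep the tag as a comment, e.g. `uses: GoogleCloudPlatform/github-actions/setup-gcloud@<full-40-char-sha> # 0.1.3`; moving off `@master` is the right direction and the SHA pin closes the remaining gap. The later patches in this series that bump the action (32, 33) keep the tag form, so the same applies there. Longer term, a short-lived credential (workload identity federation, where available) would remove the need to keep a base64-encoded JSON key in a repository secret at all.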
@@ -71,7 +71,7 @@ jobs:
 # Configure Kubernetes
 - name: Configure Kubernetes
 run: |
- gcloud container clusters get-credentials $GKE_CLUSTER --region $GCP_REGION --project $GCP_PROJECT
+ gcloud container clusters get-credentials $GKE_CLUSTER --zone $GCP_ZONE
 # Push the Docker image to Google Container Registry
 - name: Publish
diff --git a/README.md b/README.md
index ebda645..dfafb8a 100644
--- a/README.md
+++ b/README.md
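Review bot: The new `get-credentials` line hard-codes the cluster location through `GCP_ZONE: us-west1-a` (env hunk earlier in this patch), while the README changed in the same patch creates the cluster with `gcloud container clusters create self-hosted-runner-test-cluster` and no `--zone`/`--region`, so the cluster lands in whatever default compute zone the operator has configured and this step fails unless that default happens to be `us-west1-a`. Either add `--zone us-west1-a` to the README command or source the zone from a secret/variable the way `GCP_PROJECT` is. Dropping `--project $GCP_PROJECT` works only because the `project_id` input to setup-gcloud in the step above sets it; a one-line comment would save the next reader a look, e.g. `# project comes from setup-gcloud's project_id input above`. The surrounding job definition starts before this hunk.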
@@ -4,7 +4,9 @@ A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.
-⚠️ Note that this use case is considered experimental and _not officially supported by GitHub at this time_. Additionally [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons.
+Because a Docker-in-Docker sidecar pod has been used in this project, these self-hosted runners can also run container builds. Though this approach offers build flexibility, it requires a [`privileged` security context](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L55) and therefore extends the trust boundary to the whole cluster. Extra caution is recommended with this approach or [removing the sidecar](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L45) if your application doesn’t require container builds.
+
+⚠️ Note that this use case is considered experimental and _not officially supported by GitHub at this time_. Additionally [it’s recommended](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) not to use self-hosted runners on public repositories for a number of security reasons.
 ## Setup
@@ -42,15 +44,15 @@ gcloud services enable \
 * Create GKE cluster ([docs](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster))
 ```
-gcloud container clusters create self-hosted-runner-test-cluster --region us-west1
+gcloud container clusters create self-hosted-runner-test-cluster
 ```
 * Register cluster to the environ [docs](https://cloud.google.com/anthos/docs/setup/cloud#gcloud)
 ```
 gcloud container hub memberships register self-hosted-anthos-membership \
- --project=self-hosted-runner-test-897234 \
-◀ --gke-uri=https://container.googleapis.com/v1/projects/self-hosted-runner-test-897234/locations/us-west1/clusters/self-hosted-runner-test-cluster \ #
-◀ --service-account-key-file=/path-to/service-account-key.json
+ --project=self-hosted-runner-test-myid \
+ --gke-uri=https://container.googleapis.com/v1/projects/self-hosted-runner-test-myid/locations/us-west1/clusters/self-hosted-runner-test-cluster \
+ --service-account-key-file=/path-to/service-account-key.json
 ```
 * Get the credentails for this cluster
@@ -68,7 +70,6 @@ kubectl create secret generic self-hosted-runner-creds \
 * Set these as secrets in your GitHub repository:
 * `GCP_PROJECT`: ID of your Google Cloud Platform project, eg. `self-hosted-runner-test-897234`
- * `GCP_EMAIL`: Service Account email, eg. `runner-admin@self-hosted-runner-test.iam.gserviceaccount.com`
 * `GCP_KEY`: Download your [Service Account JSON credentials](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and Base64 encode them, eg. output of `cat ~/path/to/my/credentials.json | base64`
 * `TOKEN`: Personal Access Token. From the [documentation](https://developer.github.com/v3/actions/self_hosted_runners/), "Access tokens require `repo scope` for private repos and `public_repo scope` for public repos".
diff --git a/script/setup.sh b/script/setup.sh
deleted file mode 100644
index 59ae13c..0000000
--- a/script/setup.sh
+++ /dev/null
@@ -1 +0,0 @@
-# Setup scripts go here
\ No newline at end of file
diff --git a/startup.sh b/startup.sh
index ce59f7f..575c496 100755
--- a/startup.sh
+++ b/startup.sh
@@ -1,16 +1,5 @@
 #!/bin/bash
-# Remove runner upon receiving an EXIT signal
-function remove_runner {
- echo "\nCaught EXIT signal. Removing runner and exiting.\n"
- REMOVE_TOKEN=$(curl --data "" -H "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/remove-token | jq -r '.token')
- ./config.sh remove --token $REMOVE_TOKEN
- exit $?
-}
- # Watch for EXIT signal to be able to shut down gracefully
-trap remove_runner EXIT
-
 # Generate
 CONFIG_TOKEN=$(curl --data "" --header "Authorization: Bearer $TOKEN" https://api.github.com/repos/$GITHUB_REPO/actions/runners/registration-token | jq -r '.token')
From 6e01330f459dd2b45b6f474a295d81b4a8c6d65f Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Mon, 3 Aug 2020 10:57:02 -0400
Subject: [PATCH 27/34] docs: add build badge to README
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index dfafb8a..b478d72 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@
 > An example configuration and usage of GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on [Anthos GKE](https://cloud.google.com/anthos/gke).
+![Self Hosted Runner CI/CD ](https://github.com/github-developer/self-hosted-runners-anthos/workflows/.github/workflows/cicd.yml/badge.svg)
+
 A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.
 Because a Docker-in-Docker sidecar pod has been used in this project, these self-hosted runners can also run container builds. Though this approach offers build flexibility, it requires a [`privileged` security context](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L55) and therefore extends the trust boundary to the whole cluster. Extra caution is recommended with this approach or [removing the sidecar](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L45) if your application doesn’t require container builds.
From 748064b190f8d389f028492a58b1b8234828e72e Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Mon, 3 Aug 2020 11:06:33 -0400
Subject: [PATCH 28/34] docs: fix GITHUB_REPO example
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b478d72..ead9291 100644
--- a/README.md
+++ b/README.md
@@ -66,7 +66,7 @@ gcloud container clusters get-credentials self-hosted-runner-test-cluster --regi
 ```
 kubectl create secret generic self-hosted-runner-creds \
- --from-literal=GITHUB_REPO='https://github.com//' \
+ --from-literal=GITHUB_REPO='/' \
 --from-literal=TOKEN='token'
 ```
From 4550dac00be08941f182b1c4d5b7ccdfcd96fec3 Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Mon, 3 Aug 2020 11:20:41 -0400
Subject: [PATCH 29/34] docs: fix build badge chore: reduce resource limits in deployment.yml
---
 README.md | 2 +-
 deployment.yml | 11 ++++------
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index ead9291..5cd702b 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 > An example configuration and usage of GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on [Anthos GKE](https://cloud.google.com/anthos/gke).
-![Self Hosted Runner CI/CD ](https://github.com/github-developer/self-hosted-runners-anthos/workflows/.github/workflows/cicd.yml/badge.svg)
+![Build status](https://github.com/github-developer/self-hosted-runners-anthos/workflows/Self%20Hosted%20Runner%20CI/CD/badge.svg)
 A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.
diff --git a/deployment.yml b/deployment.yml
index d64d7e6..49312a0 100644
--- a/deployment.yml
+++ b/deployment.yml
@@ -39,18 +39,15 @@ spec:
 ]
 resources:
 limits:
- memory: "512Mi"
- cpu: "250m"
+ memory: "256Mi"
+ cpu: "100m"
 # Docker-in-Docker not recommended for production
 - name: dind
 image: docker:18.09-dind
 resources:
- requests:
- memory: "256Mi"
- cpu: "250m"
 limits:
- memory: "512Mi"
- cpu: "250m"
+ memory: "256Mi"
+ cpu: "100m"
 securityContext:
 privileged: true
 volumeMounts:
From e8f3a1c59c7cc76e4beb5bb594df9ac6e3393d4b Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Sat, 8 Aug 2020 18:57:17 -0400
Subject: [PATCH 30/34] Update README.md
---
 README.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5cd702b..6d69820 100644
--- a/README.md
+++ b/README.md
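Review bot: With `requests` removed from the `dind` container and only `limits` left, Kubernetes sets the requests equal to the limits, so the daemon now runs hard-capped at 256Mi / 100m with no burst headroom. This is the `privileged: true` Docker daemon that the README in this series describes as what runs container builds, and an image build needing more than 256Mi will get the daemon OOM-killed mid-build (sidecar restart, job failure) instead of failing cleanly, while a 100m CPU cap will likely make builds crawl. Keep explicit `requests` below the limits and size the limits for the builds you expect, or at least record the intended workload next to the existing `# Docker-in-Docker not recommended for production` comment. The `docker:18.09-dind` tag on the context line is mutable and old; a digest pin would make the privileged sidecar's contents reproducible. The container list starts before this hunk.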
@@ -1,9 +1,15 @@
 # GitHub Actions Self Hosted Runners on Anthos
-> An example configuration and usage of GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on [Anthos GKE](https://cloud.google.com/anthos/gke).
+> Build and deploy GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) to Google Cloud [Anthos GKE](https://cloud.google.com/anthos/gke), making them available to a given GitHub repository.
 ![Build status](https://github.com/github-developer/self-hosted-runners-anthos/workflows/Self%20Hosted%20Runner%20CI/CD/badge.svg)
+## About
+
+This project accompanies the "GitHub Actions self-hosted runners on Google Cloud" [blog post](https://github.blog/2020-08-04-github-actions-self-hosted-runners-on-google-cloud/).
+
+![image](https://github.blog/wp-content/uploads/2020/08/hybrid-runners-with-anthos.png?resize=1024%2C654?w=1384)
+
 A Continuous Integration [job](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs) builds the image and publishes it to Google Container Registry, and a Continuous Deployment job deploys it to Google Kubernetes Engine (GKE). The self hosted runners in this cluster are made available to the GitHub repository configured via the `GITHUB_REPO` environment variable below.
 Because a Docker-in-Docker sidecar pod has been used in this project, these self-hosted runners can also run container builds. Though this approach offers build flexibility, it requires a [`privileged` security context](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L55) and therefore extends the trust boundary to the whole cluster.
Extra caution is recommended with this approach or [removing the sidecar](https://github.com/github-developer/self-hosted-runners-anthos/blob/cb2ee160def13ec3fff256ea43804cafe9fb7e20/deployment.yml#L45) if your application doesn’t require container builds.
From 99abab1304483cd2b1adb2c83b89368dcbe4f102 Mon Sep 17 00:00:00 2001
From: Johannes Nicolai
Date: Fri, 12 Mar 2021 17:50:59 +0100
Subject: [PATCH 31/34] Add project to awesome-runners list
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6d69820..826ef91 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 > Build and deploy GitHub Actions [self hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) to Google Cloud [Anthos GKE](https://cloud.google.com/anthos/gke), making them available to a given GitHub repository.
-![Build status](https://github.com/github-developer/self-hosted-runners-anthos/workflows/Self%20Hosted%20Runner%20CI/CD/badge.svg)
+[![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)![Build status](https://github.com/github-developer/self-hosted-runners-anthos/workflows/Self%20Hosted%20Runner%20CI/CD/badge.svg)
 ## About
From 95452b314fe760dd44ba7547d48ad0a4291a8854 Mon Sep 17 00:00:00 2001
From: Johannes Nicolai
Date: Fri, 12 Mar 2021 17:56:28 +0100
Subject: [PATCH 32/34] Fixing CI/CD workflow * use newer gcp setup action that uses new way of setting env variables
---
 .github/workflows/cicd.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index a6f52d0..1d314c4 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -30,7 +30,7 @@ jobs:
 # Configure Google Cloud credentials
 - name: Configure Google Cloud credentials
- uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3
+ uses: GoogleCloudPlatform/github-actions/setup-gcloud@v0.2.1
 with:
 service_account_key: ${{ secrets.GCP_KEY }}
 project_id: ${{ secrets.GCP_PROJECT }}
@@ -55,7 +55,7 @@ jobs:
 # Configure Google Cloud credentials
 - name: Configure Google Cloud credentials
- uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3
+ uses: GoogleCloudPlatform/github-actions/setup-gcloud@v0.2.1
 with:
 service_account_key: ${{ secrets.GCP_KEY }}
 project_id: ${{ secrets.GCP_PROJECT }}
From 39e6a81ba244ec23ea8e5f6377d35563fa8c2bc5 Mon Sep 17 00:00:00 2001
From: Johannes Nicolai
Date: Mon, 29 Mar 2021 18:58:45 +0200
Subject: [PATCH 33/34] Used new location of gcloud actions * use google-github-actions/setup-gcloud
---
 .github/workflows/cicd.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 1d314c4..50c35f3 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -30,7 +30,7 @@ jobs:
 # Configure Google Cloud credentials
 - name: Configure Google Cloud credentials
- uses: GoogleCloudPlatform/github-actions/setup-gcloud@v0.2.1
+ uses: google-github-actions/setup-gcloud@v0.2.1
 with:
 service_account_key: ${{ secrets.GCP_KEY }}
 project_id: ${{ secrets.GCP_PROJECT }}
@@ -55,7 +55,7 @@ jobs:
 # Configure Google Cloud credentials
 - name: Configure Google Cloud credentials
- uses: GoogleCloudPlatform/github-actions/setup-gcloud@v0.2.1
+ uses: google-github-actions/setup-gcloud@v0.2.1
 with:
 service_account_key: ${{ secrets.GCP_KEY }}
 project_id: ${{ secrets.GCP_PROJECT }}
From 052a2d0ded9f9534360ccda05298cab1e50d438c Mon Sep 17 00:00:00 2001
From: John Bohannon
Date: Thu, 8 Apr 2021 09:39:15 -0400
Subject: [PATCH 34/34] Update cicd.yml
---
 .github/workflows/cicd.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index a6f52d0..15050ff 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -28,13 +28,6 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v2
- # Configure Google Cloud credentials
- - name: Configure Google Cloud credentials
- uses: GoogleCloudPlatform/github-actions/setup-gcloud@0.1.3
- with:
- service_account_key: ${{ secrets.GCP_KEY }}
- project_id: ${{ secrets.GCP_PROJECT }}
-
 # Insert other testing and linting steps here, eg. container analysis (https://cloud.google.com/container-registry/docs/container-analysis)
 # Ensure Docker image can be built