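---
# GitLab Runner (Kubernetes executor) for the `gitlab` namespace.
# Documents: ServiceAccount, Role, RoleBinding, Secret, ConfigMap, Deployment.

# ─── ServiceAccount ───────────────────────────────────────────────
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-runner
  namespace: gitlab
---
# ─── Role ─────────────────────────────────────────────────────────
# NOTE(review): this Role grants every listed verb on every listed resource,
# including read/write on all Secrets in the namespace (which includes
# gitlab-runner-secret). Because the register step below passes
# `--kubernetes-service-account gitlab-runner`, CI job pods run under this
# same ServiceAccount and inherit these permissions. Consider a separate,
# permission-less ServiceAccount for job pods and trimming the verbs per
# resource to what the executor actually needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab
rules:
  - apiGroups: [""]
    resources:
      - pods
      - pods/exec
      - pods/attach
      - pods/log
      - secrets
      - configmaps
      - services
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - update
      - patch
---
# ─── RoleBinding ──────────────────────────────────────────────────
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner
  namespace: gitlab
subjects:
  - kind: ServiceAccount
    name: gitlab-runner
    namespace: gitlab
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: gitlab-runner
---
# ─── Secret (Runner Authentication Token, GitLab 16+) ────────────
# The runner authentication token must not live in a manifest that is
# committed or published. The value below is a placeholder: create the
# Secret out of band (kubectl, a sealed/external secret controller, or a
# secret manager) and keep only the reference in version control.
# Any token that was previously stored in this file should be treated as
# exposed and rotated in GitLab.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-runner-secret
  namespace: gitlab
type: Opaque
stringData:
  runner-token: "REPLACE_WITH_RUNNER_AUTHENTICATION_TOKEN"
---
# ─── ConfigMap (config.toml) ──────────────────────────────────────
# Global runner settings. The init container copies this file into the
# shared config volume before registering, so the [[runners]] entry written
# by `gitlab-runner register` is added to these settings.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitlab-runner-config
  namespace: gitlab
data:
  config.toml: |
    concurrent = 4
    check_interval = 10
    log_level = "info"

    [session_server]
      session_timeout = 1800
---
# ─── Deployment ───────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-runner
  namespace: gitlab
  labels:
    app: gitlab-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitlab-runner
  template:
    metadata:
      labels:
        app: gitlab-runner
    spec:
      serviceAccountName: gitlab-runner
      initContainers:
        - name: register-runner
          # NOTE(review): `latest` combined with IfNotPresent means the
          # version that actually runs depends on what each node has cached.
          # Pin a release tag or an image digest.
          image: gitlab/gitlab-runner:latest
          imagePullPolicy: IfNotPresent
          # NOTE(review): `--kubernetes-privileged true` makes every CI job
          # container privileged, which removes the isolation between job
          # code and the node. Keep it only if jobs truly need it (e.g.
          # Docker-in-Docker), and then confine the runner to dedicated
          # nodes and protected/trusted projects; otherwise set it to false.
          command:
            - sh
            - -c
            - |
              set -e
              # Seed the config volume with the global settings from the
              # ConfigMap; register then adds the runner entry to that file.
              cp /configmaps/config.toml /etc/gitlab-runner/config.toml
              gitlab-runner register \
                --non-interactive \
                --url "$CI_SERVER_URL" \
                --token "$RUNNER_TOKEN" \
                --executor kubernetes \
                --kubernetes-namespace gitlab \
                --kubernetes-service-account gitlab-runner \
                --kubernetes-pull-policy if-not-present \
                --kubernetes-privileged true \
                --output-limit 4096 \
                --kubernetes-cpu-request "100m" \
                --kubernetes-cpu-limit "500m" \
                --kubernetes-memory-request "256Mi" \
                --kubernetes-memory-limit "4Gi"
          env:
            - name: CI_SERVER_URL
              value: "https://gitlab.henryathome.home64.de"
            - name: RUNNER_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitlab-runner-secret
                  key: runner-token
          volumeMounts:
            - name: runner-config
              mountPath: /etc/gitlab-runner
            # Read-only source for the global config.toml settings.
            - name: runner-config-template
              mountPath: /configmaps
              readOnly: true
      containers:
        - name: gitlab-runner
          # NOTE(review): same unpinned image as the init container; pin both
          # to the same tag or digest.
          image: gitlab/gitlab-runner:latest
          imagePullPolicy: IfNotPresent
          command:
            - gitlab-runner
            - run
            - --user=gitlab-runner
            - --working-directory=/home/gitlab-runner
          env:
            - name: CI_SERVER_URL
              value: "https://gitlab.henryathome.home64.de"
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "1000m"
          volumeMounts:
            # Holds the config.toml produced by the init container; it
            # contains the runner token, so it stays in a pod-local emptyDir.
            - name: runner-config
              mountPath: /etc/gitlab-runner
      volumes:
        - name: runner-config
          emptyDir: {}
        - name: runner-config-template
          configMap:
            name: gitlab-runner-config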