Orchestrating GitLab CI/CD Pipelines via the GitLab Runner Operator on Red Hat OpenShift

The integration of Continuous Integration and Continuous Deployment (CI/CD) pipelines into the modern software development lifecycle represents a fundamental shift in how engineering teams deliver value. By automating the build, test, and deployment phases, organizations can achieve significantly higher code quality, minimize human-induced errors, and accelerate the time-to-market for critical features. At the heart of this automation engine is the GitLab Runner, the specialized application responsible for executing the jobs defined within GitLab CI/CD pipelines. While GitLab.com provides shared hosted runners for general use, enterprise-grade workflows and highly regulated industries often necessitate the deployment of dedicated, private runners to maintain control over security, resource allocation, and environment consistency.

For organizations utilizing Red Hat OpenShift, the GitLab Runner Operator offers a sophisticated, cloud-native mechanism to deploy these runners. This operator-based approach abstracts the complexity of managing individual runner instances by leveraging the Kubernetes-native patterns inherent to the OpenShift Container Platform. By deploying runners as an operator, administrators can treat the runner infrastructure as code, ensuring that every job runs in its own isolated pod, thereby providing the granular resource control and security isolation required in multi-tenant or highly secure cluster environments. This deep exploration examines the architectural nuances, installation methodologies, and configuration complexities of deploying GitLab Runners on OpenShift, particularly addressing the evolving compatibility landscape of the OpenShift ecosystem.

Architectural Foundations of GitLab Runner on OpenShift

The deployment of GitLab Runners within an OpenShift environment is designed to align with the principles of container orchestration. Unlike traditional virtual machine-based runners, the OpenShift-native approach utilizes the Kubernetes pod abstraction to execute CI/CD tasks.

When a job is triggered in GitLab, the Runner instance communicates with the GitLab server to pull the job definition. The Runner then instructs the OpenShift cluster to spin up a new pod specifically for that job. This per-job pod lifecycle ensures that each execution environment is pristine, preventing "configuration drift" where leftovers from a previous job interfere with the current one.

The availability and tiering of the GitLab Runner Operator are structured to accommodate various organizational scales:

Feature/Tier GitLab.com GitLab Self-Managed GitLab Dedicated
GitLab Runner Operator Supported Supported Supported
Deployment Type Shared or Private Private/Dedicated Dedicated
Tier Access Free, Premium, Ultimate Free, Premium, Ultimate Enterprise-grade

This flexibility allows a company to use the same operator-driven workflow whether they are running a small-scale Free instance or a massive, highly regulated Ultimate deployment on GitLab Dedicated.

Navigating the OpenShift 4.17 Compatibility Shift

A critical development in the lifecycle of this deployment is the recent change in availability regarding the Red Hat OperatorHub. For users operating on older versions of the platform, the deployment process follows a standardized path via the web console. However, a significant architectural shift has occurred with the introduction of OpenShift 4.17.

In OpenShift 4.17, the GitLab Runner Operator was removed from the Red Hat OperatorHub. This removal was not a reflection of a failure in the software itself, but rather a strategic decision necessitated by the need to align the operator with the latest OpenShift standards to ensure long-term stability and performance. The removal addresses compatibility issues that arise as the underlying OpenShift Container Platform evolves its API and security constraints.

As of the current operational context, GitLab is actively working to address these compatibility requirements with the intent to reintroduce the operator once it meets the rigorous new standards of the OpenShift 4.17 environment. This creates a divergence in deployment strategies depending on the cluster version currently in use by the administrator.

Standard Installation via OpenShift OperatorHub

For administrators running OpenShift 4.x (prior to 4.17) or those utilizing compatible versions, the installation process is streamlined through the OpenShift web console. This method leverages the native OperatorHub to manage the lifecycle of the GitLab Runner Operator.

The prerequisite requirements for a successful installation include:

  • An OpenShift 4.x cluster where the user possesses administrator privileges.
  • A valid GitLab Runner registration token, which is essential for linking the runner to the GitLab instance.

The procedural steps for installation via the UI are as follows:

  1. Access the OpenShift Web Console and authenticate with an account holding administrator privileges.
  2. Navigate to the left-hand navigation pane and select the Operators section.
  3. Within the Operators menu, select OperatorHub.
  4. Use the search functionality in the main pane, under the All Items section, to search for the keyword "GitLab Runner".
  5. Select the GitLab Runner Operator from the search results.
  6. On the Operator summary page, click the Install button.
  7. Configure the installation parameters:
    • Set the Update Channel to "stable".
    • Designate the desired Installed Namespace.
  8. Execute the installation by clicking Install.
  9. Monitor the status on the Installed Operators page; the process is complete when the status transitions to "Succeeded".

Advanced Deployment via CatalogSource for Custom or Offline Environments

In environments where the standard OperatorHub does not provide the necessary operator, or in specialized configurations such as offline/air-gapped clusters, administrators can manually deploy a CatalogSource. This method is highly effective for pointing the OpenShift cluster to a specific registry containing the operator's metadata and images.

To implement a custom CatalogSource, a manifest must be created. For example, a manifest targeting a specific version of the catalog source might look like the following:

yaml apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: gitlab-runner-catalog namespace: openshift-marketplace spec: sourceType: grpc image: registry.gitlab.com/gitlab-org/gl-openshift/gitlab-runner-operator/gitlab-runner-operator-catalog-source:v0.0.1-f5a798af displayName: GitLab Runner Operators publisher: GitLab Community

Once the manifest is prepared, it is applied to the cluster using the OpenShift CLI (oc):

bash oc apply -f catalogsource.yaml

Upon application, the cluster will integrate the new catalog within approximately one minute, at which point the GitLab Runner Operator will become visible within the OpenShift OperatorHub section, allowing for standard installation procedures to proceed.

For offline environments, a critical prerequisite is ensuring that all container images required by the installation process are accessible within the local or private registry, as the operator requires a connection to the public internet to pull images unless these local mirrors are correctly configured.

Managing Operator Lifecycles and Troubleshooting

In advanced DevOps workflows, manual cleanup or version management of the Cluster Service Version (CSV) may be required. If an installation needs to be purged or reset, the administrator must interact with the kubectl or oc CLI to delete the specific CSV associated with the operator.

For instance, to remove a specific version of the GitLab Runner Operator, the following command is utilized:

bash kubectl delete clusterserviceversion gitlab-runner-operator.v1.7.0 -n operators

This command removes the operator's orchestration logic from the cluster, allowing for a clean state before a re-installation or an upgrade to a newer version.

Secure Configuration and Secret Management

Security is a paramount concern when deploying runners in a multi-tenant OpenShift environment. The connection between the GitLab server and the Runner is established using a registration token. In a Kubernetes/OpenShift context, this sensitive information must not be stored in plain text within the Runner specification. Instead, it must be encapsulated within a Kubernetes Secret.

The creation of a Secret involves defining the token within an Opaque type object. A common configuration for a secret used to facilitate runner registration is as follows:

yaml apiVersion: v1 kind: Secret metadata: name: gitlab-runner-secret namespace: gitlab-testing type: Opaque stringData: runner-registration-token: "YOUR_TOKEN_HERE"

To deploy this secret to the cluster, the following command is executed:

bash oc apply -f gitlab-runner-secret.yml

By using stringData instead of data, administrators can provide the token in plain text during the creation process, which Kubernetes then automatically encodes into base64 for storage.

The Runner Custom Resource

Once the secret is established, the actual GitLab Runner instance is instantiated using a custom resource (CR) of the type Runner. This resource defines how the runner interacts with the GitLab instance and how it is tagged for specific CI/CD jobs.

The following manifest demonstrates how to create a Runner named dev in the gitlab-testing namespace, referencing the previously created secret:

yaml apiVersion: apps.gitlab.com/v1beta2 kind: Runner metadata: name: dev namespace: gitlab-testing spec: gitlabUrl: https://gitlab.example.com token: gitlab-runner-secret tags: "Your,Tags,Here"

In this configuration, the token field does not contain the literal registration token, but rather the name of the Kubernetes Secret containing that token. This separation of concerns is vital for maintaining a secure and compliant CI/CD infrastructure.

Customizing Build Environments with ConfigMaps

While the Runner CR defines the high-level identity of the runner, the actual behavior of the runner's executor—such as how it handles environment variables, volume mounts, or specific security contexts—is often managed through a ConfigMap.

In a standard GitLab installation, these settings are held in a config.toml file. In the OpenShift/Kubernetes paradigm, this file is injected into the runner pods via a ConfigMap. This is particularly important for OpenShift users because of the platform's strict security posture. OpenShift environments typically enforce non-root execution and prevent the use of escalated privileges.

When designing the ConfigMap for a GitLab Runner, administrators must ensure that the build containers are configured to run as non-root users. While there are advanced methods to allow privileged builds, the standard best practice is to adhere to the non-root security model to maintain the integrity of the OpenShift cluster.

Monitoring and Observability

Deployment is only the first step in a mature DevOps lifecycle. For the GitLab Runner Operator to be effectively managed, administrators must implement monitoring to track the health and performance of the runner pods and the operator itself.

Monitoring capabilities can be enabled to collect metrics and telemetry data, providing visibility into:

  • Pod startup latency for CI/CD jobs.
  • Resource consumption (CPU/Memory) of the runner pods.
  • Success and failure rates of the runner executor.

Enabling these features ensures that the infrastructure can scale appropriately and that performance bottlenecks are identified before they impact the development velocity of the engineering teams.

Technical Summary of Deployment Components

The following table summarizes the key objects and their roles in a standard GitLab Runner deployment on OpenShift:

Object Type Name/Example Primary Function
Operator GitLab Runner Operator Manages the lifecycle and deployment of Runner instances.
CatalogSource gitlab-runner-catalog Provides the operator's metadata to the OpenShift OperatorHub.
Secret gitlab-runner-secret Stores the sensitive GitLab registration token securely.
Custom Resource Runner (kind: Runner) Defines the specific configuration and identity of the runner.
ConfigMap config.toml mapping Provides granular customization for the runner's executor.

Analytical Conclusion

The deployment of GitLab Runners on Red Hat OpenShift via the GitLab Runner Operator represents a sophisticated convergence of CI/CD automation and cloud-native orchestration. By utilizing the Operator pattern, organizations move away from manual, error-prone infrastructure management toward a model where the runner lifecycle is managed as a standard Kubernetes object. This approach provides the necessary isolation for CI/CD jobs through per-job pods, ensuring that the build environment remains consistent and secure.

However, the transition to OpenShift 4.17 introduces a new layer of complexity, as the removal of the operator from the standard Red Hat OperatorHub necessitates a deeper understanding of CatalogSource management and manual manifest application. This shift highlights the importance of being prepared for the evolving security and architectural standards of the OpenShift platform.

Successful implementation requires a multi-faceted approach: securing credentials through Kubernetes Secrets, managing runtime configurations via ConfigMaps to respect OpenShift's non-root security constraints, and maintaining observability through integrated monitoring. As the ecosystem moves toward more stringent security models, the ability to deploy runners that are both powerful enough to execute complex builds and compliant enough to run in a restricted, non-privileged environment will be the hallmark of an expert DevOps engineer.

Sources

  1. GitLab Runner Operator Installation Documentation
  2. GitLab Issue: GitLab Runner Operator availability in OpenShift 4.17
  3. Red Hat Blog: Guide to GitLab Runner Operator on OpenShift
  4. GitLab Forum: How to register OpenShift Runner

Related Posts