
GitLab Runner operator 1.25 will not deploy the runner on a different namespace

Summary

In the OpenShift Operator catalog, we are forced to install the operator so that it can create runner resources in any namespace.

However, in GitLab Runner Operator 1.25, the manager will only deploy the runner correctly on the namespace the operator is installed to.

Looking at the logs of the manager, it appears that it's only watching a single namespace:

Watching namespace      {"watchNamespace": "openshift-operators"}

Looking at the code, watchNamespace is dependent on both the KUBERNETES_NAMESPACE and WATCH_NAMESPACES environment variables: https://gitlab.com/gitlab-org/gl-openshift/gitlab-runner-operator/-/blob/master/main.go?ref_type=heads#L128

func getWatchedNamespace() string {
	ns, _ := os.LookupEnv("WATCH_NAMESPACES")
	if ns != "" {
		return ns
	}

	return os.Getenv("KUBERNETES_NAMESPACE")
}

Looking at the manager, it appears that WATCH_NAMESPACES and KUBERNETES_NAMESPACE are both set to the namespace where we installed the operator.

Issue

While you can still create a Runner resource in any namespace, the runner deployment will not get created as the manager will not attempt to create it.

Solution

Since we are forced to install the GitLab Runner operator to support all namespaces, WATCH_NAMESPACES and KUBERNETES_NAMESPACE should be an empty string.

It's also ideal that we only deploy the operator once and then we can create the runner in any namespace.

Workaround

EDIT: The workaround needs more testing as it appears that the operator is not creating the Role and RoleBinding correctly.

## edit how the manager is deployed
oc -n openshift-operators edit csv gitlab-runner-operator.v1.25.0

This should open your text editor. Locate KUBERNETES_NAMESPACE and WATCH_NAMESPACES and edit them to:

                      - name: KUBERNETES_NAMESPACE
                        value: ""
                      - name: WATCH_NAMESPACES
                        value: ""

After this change, the manager should be forced to watch all namespaces:

2024-06-11T01:39:32.661Z        INFO    Watching namespace      {"watchNamespace": ""}

EDIT: The workaround might not have been enough. It was able to reconcile the deployment but not the role needed for the service account.

In the logs, it tried to reconcile the role in the default namespace:

2024-06-11T10:59:25.578Z        INFO    controllers.Runner      Reconciling role        {"roleKey": "default/gitlab-runner-app-role", "operatorKey": "openshift-operators/gitlab-runner-app-role"}

But the role is still missing:

oc get role
No resources found in default namespace.

It also didn't attempt to reconcile the needed RoleBinding.

Aside from the workaround listed above, the user might have to manually create the Role and RoleBinding for the ServiceAccount if they want to deploy the runner on a different namespace.

oc -n openshift-operators get role gitlab-runner-app-role  -o yaml  | sed '/openshift-operators/d' | oc -n <GITLAB_RUNNER_NAMESPACE> apply -f -
oc -n openshift-operators get rolebinding gitlab-runner-app-rolebinding  -o yaml  | sed '/openshift-operators/d' | oc -n <GITLAB_RUNNER_NAMESPACE> apply -f -
Edited by Julian Paul Dasmarinas
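
A dry run of the `sed '/openshift-operators/d'` filter from the commands above, as an added example that is not part of the original issue or the operator's code. The RoleBinding manifest is constructed, and its field layout and the subject name `example-sa` are assumptions; the check shows that the filter deletes every line naming the operator namespace, including a subject's `namespace` field, so the output is worth reviewing before it reaches `oc apply`.

```shell
#!/bin/sh
# Constructed sample: a RoleBinding as `oc get rolebinding ... -o yaml` might
# return it. The subject name "example-sa" and the layout are assumptions.
sample_rolebinding() {
cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner-app-rolebinding
  namespace: openshift-operators
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitlab-runner-app-role
subjects:
- kind: ServiceAccount
  name: example-sa
  namespace: openshift-operators
EOF
}

# The filter used in the issue: delete every line naming the operator namespace.
strip_operator_ns() {
  sed '/openshift-operators/d'
}

# Print, with line numbers, the lines the filter would delete.
dropped_lines() {
  grep -n 'openshift-operators'
}

# Count subjects that have no namespace field in the manifest on stdin.
# A subject starts at "- "; it is complete once "  namespace:" follows it.
subjects_missing_ns() {
  awk '
    /^subjects:/ { in_subj = 1; next }
    in_subj && /^[^ -]/ { in_subj = 0 }
    in_subj && /^- / { if (pending) missing++; pending = 1; next }
    in_subj && /^  namespace:/ { pending = 0 }
    END { if (pending) missing++; print missing + 0 }
  '
}

echo "lines the filter deletes:"
sample_rolebinding | dropped_lines
echo "subjects without a namespace after filtering: $(sample_rolebinding | strip_operator_ns | subjects_missing_ns)"
```

To check a real object, pipe the `oc get ... -o yaml` output into `dropped_lines` and `strip_operator_ns | subjects_missing_ns` instead of the constructed sample.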