nixmind

Reputation: 2266

Unable to get gitlab runners registration token from database

I'm trying to completely deploy my gitlab cicd stack with ansible and automatically register runners.

I use the task below in my playbook to get the registration token and store it in facts for my runners' later registration, as I saw in several tutorials that we can get the registration token from the gitlab database.

The ansible playbook task :

- name: Extract Runner Registration Token directly from Gitlab DB
  become: true
  become_user: gitlab-psql
  vars:
    ansible_ssh_pipelining: true
    query: "SELECT runners_registration_token FROM application_settings ORDER BY id DESC LIMIT 1"
    psql_exec: "/opt/gitlab/embedded/bin/psql"
    gitlab_db_name: "gitlabhq_production"
  shell: '{{ psql_exec }} -h /var/opt/gitlab/postgresql/ -d {{ gitlab_db_name }} -t -A -c "{{ query }}"'
  register: gitlab_runner_registration_token_result

But this task doesn't get back any registration token (I get an empty string) because the runners_registration_token column does not exist in the application_settings table. However, the runners_registration_token_encrypted column exists, but the runners_registration_token_encrypted string returned is rejected by the runner-register api.

Thus I have to copy the runners registration token from the gitlab gui (in admin/runners), hardcode it in the playbook and run the playbook again for the stack registration to succeed.

Can someone explain where gitlab stores its runners registration token displayed in the GUI (I noticed it's same after rebooting the gitlab server, it doesn't change)? Is it definitively impossible to automate gitlab runners registration token retrieval for automatic runners non-interactive registration? Do you guys have any idea about the right way to achieve this please?

Upvotes: 3

Views: 3043

Answers (3)

bbaassssiiee

Reputation: 6802

This way using Ansible, I can obtain the Gitlab runner registration token from my private Gitlab server and use it on the runner host to register a docker runner automatically:

- name: obtain registration token
  when: gitlab_host is defined
  delegate_to: "{{ gitlab_host }}"
  command: 'gitlab-rails runner -e production "puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token"'
  register: runners_registration_token
  changed_when: false

- name: set gitlab_runner_token
  when: gitlab_host is defined and runners_registration_token.rc == 0
  set_fact:
    gitlab_runner_token: "{{ runners_registration_token.stdout }}"

- name: register docker runner
  when: docker_runner|bool
  command: |
    gitlab-ci-multi-runner register \
    --non-interactive \
    --url "{{ gitlab_external_url }}" \
    --registration-token "{{ gitlab_runner_token|quote }}" \
    --description "docker-runner" \
    --executor "docker" \
    --docker-network-mode="host" \
    --docker-tlsverify=false \
    --docker-privileged \
    --tag-list '{{ gitlab_runner_tags | join(",") }}' \
    --docker-image='{{ gitlab_runner_image |default('alpine') }}'

The role is available as dockpack.gitlab_runner.

Upvotes: 2

Joost Evertse

Reputation: 1075

Maybe use the rails console on the application server? Put the following in a shell or command, run it on the gitlab application server and catch the output:

gitlab-rails runner -e production "puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token"

So with Ansible something like this:

- name: Extract Runner Registration Token directly from Gitlab Rails console
  become: true
  shell: 'gitlab-rails runner -e production "puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token"'
  register: gitlab_runner_registration_token_result

Upvotes: 6
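The gitlab-rails retrieval from the answers above, written so the token stays out of Ansible output and the empty-string case from the question fails early. This is an added example, not code from any of the posters; it assumes the inventory variables gitlab_host and gitlab_external_url from the first answer are defined, and the no_log, argv and assert parts are additions.

```yaml
# Added example. gitlab_host and gitlab_external_url are assumed to be
# defined in the inventory, as in the first answer on this page.
- name: Read the runner registration token on the GitLab host
  delegate_to: "{{ gitlab_host }}"
  become: true
  ansible.builtin.command:
    # argv passes each argument as-is: no shell, so no quoting problems
    argv:
      - gitlab-rails
      - runner
      - "-e"
      - production
      - 'puts Gitlab::CurrentSettings.current_application_settings.runners_registration_token'
  register: token_result
  changed_when: false   # read-only query, never reports a change
  no_log: true          # keep the token out of console output and logs

- name: Fail early if no token came back
  ansible.builtin.assert:
    that:
      - token_result.stdout | trim | length > 0
    fail_msg: "gitlab-rails returned an empty registration token"
    quiet: true         # only the expression is reported, not the token

- name: Register the docker runner
  become: true
  ansible.builtin.command:
    argv:
      - gitlab-ci-multi-runner
      - register
      - "--non-interactive"
      - "--url"
      - "{{ gitlab_external_url }}"
      - "--registration-token"
      - "{{ token_result.stdout | trim }}"
      - "--description"
      - docker-runner
      - "--executor"
      - docker
      - "--docker-image"
      - alpine
  no_log: true          # the token is part of the command line
```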

mdaniel

Reputation: 33223

> Do you guys have any idea about the right way to achieve this please?

The correct way is via their API. It is very, very, very unwise to allow anyone -- ansible playbooks included -- to have access to the gitlab database.

Separately, while not especially relevant to your specific query, it is a very good habit to get into using quote when feeding jinja variables into a shell string.

Upvotes: 0
