
Add ipv6 support

Open thomas-alkaige opened this issue 1 year ago • 8 comments

Describe the solution you'd like

I would like to be able to use this module without using ipv4, since AWS will update their pricing soon: https://aws.amazon.com/fr/blogs/aws/new-aws-public-ipv4-address-charge-public-ip-insights/

Describe alternatives you've considered

I've been trying to adjust the configuration of the module; it works properly during provisioning, but it doesn't after deploying.

The main issue is the use of aws ssm in the init script: aws ssm does not support ipv6, see: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html

Suggest a solution

Add options so we don't need to use any aws ssm command. It's only in gitlab-runner.tftpl.

thomas-alkaige avatar Jan 26 '24 18:01 thomas-alkaige

Since I really need it, I will try to fix it and then propose a change. I'm thinking of adding Terraform configuration so I don't need to use the aws ssm command, but maybe someone else has a better idea.

thomas-alkaige avatar Jan 26 '24 18:01 thomas-alkaige

I did something but I faced an unexpected issue: I can't find a way to configure the URL used by the runner-manager to spawn runner instances. The gitlab runner is using the ipv4 endpoint ... Any ideas?

thomas-alkaige avatar Feb 07 '24 12:02 thomas-alkaige

I have seen the pricing change as well, but I didn't know that SSM does not support IPv6 at all. Nice hint.

I just checked my configuration, but I didn't find any public IPv4 address in my configuration. Especially the Agent which connects to my GitLab instance is hidden in a private subnet and uses NAT to access GitLab. Thus I do not have any public IPv4 address.

What is the reason to assign a public IPv4 address in your scenario? No NAT at all? Could you share some insights please?

kayman-mk avatar Feb 08 '24 10:02 kayman-mk

@kayman-mk

We do not use NAT gateways in order to avoid IP based rate limiting.

We basically want all our workers to have an exclusive IP so things like pulling dependencies, containers or cache does not get rate limited by the hosting services.

We use hundreds of workers on a daily basis, so making them all use the same IP address would most likely cause this.

It would be awesome to have an example showing how to configure the module to only use IPv6 workers.

dsalaza4 avatar Feb 08 '24 15:02 dsalaza4

Understood, yes. We have a proxy in place for Docker, Maven, NPM and all the other stuff, so I haven't seen this problem so far.

As SSM is not ready for IPv6 we have to switch to the SecretsManager for the tokens, which adds some additional costs ($0.40/secret + costs per 10,000 reads).

kayman-mk avatar Feb 15 '24 11:02 kayman-mk

Just found https://repost.aws/questions/QU4lcOfpvgQXS9SrXfHUErHg/is-there-a-plan-for-ssm-public-endpoints-to-support-ipv6

Is this helpful for your setup?

kayman-mk avatar Feb 15 '24 11:02 kayman-mk

I couldn't figure it out even with this for ssm; I've seen this, yes. But my main issue was in the code of gitlab-runner docker+machine itself when spawning new instances when a job is detected (that was working in ipv6 only).

The URL is hard coded in ipv4 inside the gitlab-runner (or I didn't find the way to change it in conf) when asking EC2 to spawn minions, so it seems that it is not possible to do it currently :(

I just accepted the fact that I have to pay a little bit more for now.

I didn't take the time (and don't have much) to check if I can do a PR on the gitlab-runner side to add this configuration.

thomas-alkaige avatar Feb 26 '24 11:02 thomas-alkaige

Just added #1095. Could this solve your problem?

kayman-mk avatar Feb 29 '24 10:02 kayman-mk

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar Apr 30 '24 02:04 github-actions[bot]

This issue was closed because it has been stalled for 15 days with no activity.

github-actions[bot] avatar May 15 '24 02:05 github-actions[bot]