Deploy GitLab Runner in OCI Container Engine for efficient cluster management

Mondo Technology Updated on 2024-02-01

Deploy GitLab Runner with autoscaling on an Oracle Container Engine for Kubernetes cluster so that worker nodes scale automatically with the load of your CI/CD pipeline and jobs keep running smoothly. This architecture shows GitLab Runner deployed on a Kubernetes cluster managed by Oracle Container Engine on Oracle Cloud Infrastructure. The following diagram illustrates this reference architecture.

The architecture consists of the following components:

Region

An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

Availability domains

An availability domain is an independent, autonomous data center within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains do not share infrastructure such as power or cooling, or the internal availability domain network. As a result, a failure in one availability domain is unlikely to affect the other availability domains in the region.

Fault domains

A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failures, system maintenance, and power failures inside a fault domain.

Virtual cloud network (VCN) and subnets

A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks, which you can change after you create the VCN. You can divide a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that do not overlap with the other subnets in the VCN. You can change the size of a subnet after it is created. Subnets can be public or private.

Service gateway

The service gateway provides access from the VCN to other services, such as Oracle Cloud Infrastructure Object Storage. Traffic from the VCN to Oracle services travels over the Oracle network fabric and does not traverse the internet.

Container Engine for Kubernetes

Oracle Cloud Infrastructure Container Engine for Kubernetes is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your application requires, and Container Engine for Kubernetes provisions them on Oracle Cloud Infrastructure in an existing tenancy. Container Engine for Kubernetes uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.

Cloud Guard

You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

Security zone

Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks. A security zone is associated with a compartment of the same name and includes a security zone policy, or "recipe", that applies to that compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

Kubernetes cluster autoscaler

The Kubernetes cluster autoscaler automatically increases or decreases the size of a node pool based on the resource requests of pods, rather than on the resource utilization of the nodes in the node pool.

OKE services

A Kubernetes (OKE) service is an abstraction that defines a logical set of pods and a policy by which to access them. The set of pods that a service targets is usually determined by a selector. In this architecture, Kubernetes services are managed together with autoscaling.

OKE worker node pool

A Kubernetes (OKE) node pool is a subset of worker nodes with the same configuration within a cluster. Node pools let you create pools of machines with different configurations within a cluster. For example, you might create one node pool of virtual machines and another node pool of bare metal instances in the same cluster. A cluster must have at least one node pool, but a node pool does not have to contain any worker nodes.

The worker nodes in the node pool are connected to the worker subnet in the VCN.

Internet gateway

An internet gateway allows traffic between a public subnet in a VCN and the public internet.

Network Address Translation (NAT) gateway

A NAT gateway enables private resources in the VCN to access hosts on the internet without exposing those resources to incoming internet connections.

Use the following recommendations as a starting point. Your requirements might differ from the architecture described here.

Virtual cloud network (VCN)

When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

Select a CIDR block that doesn't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) with which you intend to set up a private connection.

After you create a VCN, you can change, add, and remove its CIDR blocks.

When you design the subnets, consider where your traffic flows and your security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

Use regional subnets.

Security

Proactively use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

For resources that require the highest level of security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, resources in a security zone must not be accessible from the public internet and must be encrypted using customer-managed keys. When you create or update resources in a security zone, Oracle Cloud Infrastructure validates the operation against the policies in the security zone recipe and denies any operation that violates a policy.

Cloud Guard

Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes let you specify which types of security violations generate a warning and which actions are allowed to be taken on them. For example, you might want to detect an Object Storage bucket whose visibility is set to public.

Apply Cloud Guard at the tenancy level to provide the broadest coverage and to reduce the administrative burden of maintaining multiple configurations.

You can also use the Managed List feature to apply specific configurations to detectors.

Network security groups (NSGs)

You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs let you separate the VCN's subnet architecture from the security requirements of your application.

Container Engine for Kubernetes

While the runner supports any general-purpose Kubernetes cluster, this architecture uses an Oracle Container Engine for Kubernetes cluster. The cluster has three worker nodes placed in different availability domains and fault domains, so the worker nodes shown run on different physical hosts. You can create up to 1000 nodes in a cluster.

Security zones

For resources that require the highest level of security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, resources in a security zone must not be accessible from the public internet and must be encrypted using customer-managed keys. When you create or update resources in a security zone, Oracle Cloud Infrastructure validates the operation against the policies in the security zone recipe and denies any operation that violates a policy.

Compute

Choose a shape with the appropriate combination of OCPUs and memory for the needs of the Kubernetes cluster nodes, and configure local NVMe and/or block storage for the nodes as needed.

When deploying this reference architecture, consider the following:

Performance

Cluster autoscaling is driven by the resource requests of the deployment's pods; edit the .gitlab-ci.yml file to control the resources reserved for jobs.
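To make the performance note and the cluster autoscaler description above concrete, here is an added example (not code from the page or from Oracle's reference architecture): a .gitlab-ci.yml with one job that declares no resource requests and one that does, using the GitLab Runner Kubernetes executor's overwrite variables. The runner tag, image and request sizes are assumptions.

```yaml
# Added example, not from the page: .gitlab-ci.yml for a GitLab Runner that
# uses the Kubernetes executor on OKE. The cluster autoscaler only adds a node
# when a pending pod's *requests* cannot be satisfied, so a job that requests
# nothing never triggers a scale-up and competes with whatever else lands on
# the same worker node.
stages: [build, test]

default:
  tags: [oke-autoscaled]              # assumed tag of the runner deployed on OKE
  image: maven:3-eclipse-temurin-17   # assumed build image

# Weak: no requests declared. The pod only gets the defaults from the runner's
# config.toml, so the scheduler cannot reserve capacity for the build.
build:
  stage: build
  script:
    - mvn -B -DskipTests package

# Corrected: declare the job's footprint. Requests are what the scheduler and
# the cluster autoscaler act on; limits stop a runaway test from starving
# neighbouring pods on the same node. The variable names are the GitLab Runner
# Kubernetes executor's container-resource overwrite variables.
test:
  stage: test
  variables:
    KUBERNETES_CPU_REQUEST: "2"
    KUBERNETES_CPU_LIMIT: "2"
    KUBERNETES_MEMORY_REQUEST: "4Gi"
    KUBERNETES_MEMORY_LIMIT: "4Gi"
    # The helper container (git clone, artifact upload) runs in the same pod,
    # so size it as well.
    KUBERNETES_HELPER_CPU_REQUEST: "250m"
    KUBERNETES_HELPER_MEMORY_REQUEST: "256Mi"
  script:
    - mvn -B verify
```

These overwrites take effect only if the runner's config.toml sets the matching cpu_request_overwrite_max_allowed and memory_request_overwrite_max_allowed caps (and the corresponding limit caps); that cap is also what stops a single job from reserving an entire node pool.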

Security

Use policies to restrict who in your company can access which Oracle Cloud Infrastructure (OCI) resources, and how.

Oracle Cloud Infrastructure Container Engine for Kubernetes integrates with Oracle Cloud Infrastructure Identity and Access Management. Oracle Cloud Infrastructure Identity and Access Management provides easy-to-use authentication with native OCI identity capabilities.

Use the following variables to control the resources reserved for jobs:

Scalability

Depending on the load, you can scale your application by updating the number of worker nodes in your Kubernetes cluster. Similarly, you can scale down by reducing the number of worker nodes in the cluster. When you create a service on a Kubernetes cluster, you can create a load balancer to distribute the service's traffic to the nodes assigned to that service. Cluster autoscaling is based on the resource requests of the deployment, which you can control by editing the .gitlab-ci.yml file.

Cost

Container Engine for Kubernetes is free, as is Oracle Container Registry. Nodes in a Kubernetes cluster are billed at the same rate as other compute instances of the same shape.

Terraform code for creating an Oracle Container Engine for Kubernetes (OKE) cluster with all dependent resources (network, node pools), deploying the cluster autoscaler, and deploying GitLab Runner is available on GitHub. Deploy using Oracle Cloud Infrastructure Resource Manager:

1. Click to open the login screen and, if you are not already logged in, enter your tenancy and user credentials.

2. Review and accept the terms and conditions.

3. Select the region where you want to deploy the stack.

4. Follow the on-screen prompts and instructions to create the stack.

5. After the stack is created, click Terraform Actions and select Plan.

6. Wait for the job to complete, and review the plan.

7. If you need to make any changes, return to the Stack Details page, click Edit Stack, and make the required changes. Then run the Plan action again.

8. If no further changes are necessary, return to the Stack Details page, click Terraform Actions, and select Apply.

Deploy using Terraform from GitHub: go to GitHub, clone or download the repository to your local computer, and follow the instructions in the README documentation.

As an Oracle Premier Partner, Agilewing is redefining the way enterprises experience Oracle Cloud services. With its streamlined account-opening process and best-in-class technical support, Agilewing turns the complex process of opening and operating an account into an easy, intuitive experience. With its one-stop shop, you can quickly get up and running with the full range of Oracle Cloud services and integrate seamlessly into the cloud. Agilewing's AgileCDN service, combined with OCI's cloud services, provides a best-in-class global content acceleration solution. A strong network of more than 2,800 global POP nodes and 7,000 direct connection points ensures efficient and stable operation wherever in the world your business expands. Leveraging the advanced technology of Oracle Cloud, Agilewing is committed to simplifying cloud service building, cloud migration, and taking a business global. "Our partnership model provides customers with cost-effective solutions that allow them to focus more on their core business while enjoying the high performance and security of Oracle Cloud." Oracle Cloud services, as a promising field, open the door to new opportunities for enterprises with their high performance, security, and globally consistent service standards. Through Agilewing's professional services, both individual users and enterprises can easily enter this new era of technological innovation and high performance. Let Agilewing help you start exploring Oracle Cloud services and open the door to a whole new world today.
