
Configuration

Targets that don't have an internet-accessible endpoint need additional setup. We need a way to access the private network resources. Runops supports two models: self-hosted agents and Bastion hosts. This guide explains how to set up each one of them.

Self-hosted agents

When Targets don't have public endpoints, one option is to set up self-hosted agents in your network, somewhere the target is accessible. Runops uses these agents to run tasks on private targets.

To use a self-hosted runner, you need to create the Target with the runner flag set to self-hosted. You will get the RUNNER_URL & RUNNER_TOKEN in the response.

runops targets create \
--id my-private-db \
--message "My first private RunOps Target" \
--runner self-hosted \
--secrets \
PG_HOST="my.db.com:5432", \
PG_USER="abc", \
PG_PASS="123"

Kubernetes

Pasting the snippets below into a terminal creates the Kubernetes resources. Make sure you update the variables and set the namespace of your choice before running them.

Create a Kubernetes Secret with the token and url of the Target:

export RUNNER_URL=**AVAILABLE IN THE RESPONSE FROM TARGETS CREATE COMMAND**
export RUNNER_TOKEN=**AVAILABLE IN THE RESPONSE FROM TARGETS CREATE COMMAND**
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: runops-postgres-runner
type: Opaque
data:
  # Values under "data" must be base64 encoded on a single line
  RUNNER_URL: $(printf '%s' "${RUNNER_URL}" | base64 -w 0)
  RUNNER_TOKEN: $(printf '%s' "${RUNNER_TOKEN}" | base64 -w 0)
EOF

Create a Kubernetes Deployment with the Runner image required for your Target. In this example we are using the Postgres runner image:

cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: runops-runner
  labels:
    app: runops-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: runops-runner
  template:
    metadata:
      labels:
        app: runops-runner
    spec:
      containers:
      - name: runops-runner
        image: runops/postgres-runner:latest
        imagePullPolicy: Always
        envFrom:
        - secretRef:
            name: runops-postgres-runner
EOF

Standalone server

# Export the target secret token and url
export TARGET_NAME=NAME_OF_THE_TARGET
export RUNNER_URL=URL_RETURNED_WHEN_CREATING_THE_TARGET
export RUNNER_TOKEN=TOKEN_RETURNED_WHEN_CREATING_THE_TARGET
# Create a folder
mkdir "$TARGET_NAME" && cd "$TARGET_NAME"
# Download the latest runner package
curl -O -L https://github.com/actions/runner/releases/download/v2.276.1/actions-runner-linux-x64-2.276.1.tar.gz
# Extract the installer
tar xzf ./actions-runner-linux-x64-2.276.1.tar.gz
# Create the runner and start the configuration experience
./config.sh --url "$RUNNER_URL" --token "$RUNNER_TOKEN"
# Last step, run it!
nohup ./run.sh &

Bastion hosts

You can reach Targets in private networks using a Bastion host as the proxy for RunOps. To set up a Bastion proxy you need to do two things: create additional secrets in the Target, and suffix the type of the Target with -proxy.

Additional secrets

Add these secrets to the Target with the proxy configurations:

PROXY_KEY - A base64 encoded SSH key for the Bastion host user. You can encode the key using: cat ~/.ssh/my-bastion-key | base64

PROXY_USER - The SSH username configured in the Bastion host.

PROXY_HOST - The publicly accessible hostname of the Bastion host proxy.

This is how you would add these to your Target:

runops targets update \
--id db-prod-a \
--secrets \
PROXY_HOST='my-bastion-host.company.com',\
PROXY_USER='ec2-user',\
PROXY_KEY="$(cat ~/.ssh/my-bastion-key.pem | base64 | tr -d '\n')"
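
An added example (not part of the Runops documentation or CLI): a shell helper that produces a single-line base64 value for PROXY_KEY and checks that it decodes back to the original key file. The function name encode_proxy_key is hypothetical; the key path and Target ID in the usage comment are the ones used on this page.

```bash
#!/usr/bin/env bash
# Added example: encode a Bastion SSH private key for the PROXY_KEY secret.
# encode_proxy_key is a hypothetical helper name, not a runops command.

encode_proxy_key() {
  key_file=$1

  # The key must exist and be a regular, readable file.
  if [ ! -f "$key_file" ] || [ ! -r "$key_file" ]; then
    echo "error: cannot read key file: $key_file" >&2
    return 1
  fi

  # Refuse keys that group or others can access (ssh rejects these too).
  # The `ls -l` mode string is: file type, then rwx for user/group/other.
  case "$(ls -ldL "$key_file")" in
    ????------*) ;;
    *) echo "error: $key_file is accessible by group/other; chmod 600 it" >&2
       return 1 ;;
  esac

  # The file should be a PEM/OpenSSH private key, not the .pub file.
  if ! head -n 1 "$key_file" | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
    echo "error: $key_file does not look like a private key" >&2
    return 1
  fi

  # GNU base64 wraps at 76 columns; strip newlines so the value stays one word.
  encoded=$(base64 < "$key_file" | tr -d '\n')

  # Round-trip check: the decoded value must be byte-identical to the file.
  if ! printf '%s' "$encoded" | base64 -d | cmp -s - "$key_file"; then
    echo "error: base64 round-trip mismatch for $key_file" >&2
    return 1
  fi

  printf '%s' "$encoded"
}

# Usage with the command from this page:
#   runops targets update --id db-prod-a --secrets \
#     PROXY_KEY="$(encode_proxy_key ~/.ssh/my-bastion-key.pem)"
```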

Type Suffix

Suffix the type (-t) flag with -proxy when creating Targets.

Say you have a MySQL instance Target set up with the proxy Secrets and want to run a SQL query through the proxy. Here is how you can do it:

runops targets update \
--id db-prod-a \
--type mysql-proxy