Run the runner behind a firewall, and only when needed?

@gitlab, @hchouraria, @olearycrew,

Hi, hope I could get some help, please.

  1. How do I run the runner behind a firewall? Let's say I have a GitLab CI server (CE version) running on AWS. If I want to run the runner on GCP, Digital Ocean, any other cloud, or on-premise, and configure the runner so that it only has an outbound internet connection to the GitLab server on a certain port or URL, is this setup possible, and how (please provide some examples to achieve this behind-firewall setup)?

  2. As a dev shop, we run many runners. Some of our developers have dedicated runners for each project, and these runners are running on k8s.

When there is a need to run a pipeline job, the runner executes that pipeline job. But when there is nothing to do, the runner that got deployed in k8s is still running as a pod, which consumes some resources. So when we have many, many runners like that, it's a lot of compute resource consumption.

So my question is: is there a way to provision a runner dynamically, only when it is needed to run a pipeline job? Maybe by using a different executor? And how? Or maybe by writing our own executor, and how (please provide some examples of how to develop our own executor, if this is the best solution for #2 above)?
Please suggest.

=================================================
For the above point #2, we were thinking it would be nice to have something like this:

You only register one runner for all your projects and then write a first step in the CI yml file for each project to provision another runner to actually run the pipeline job for the project.

OR

Prepare a container image of the runner with all the necessary configuration it needs to connect to my GitLab server, add that to the CI yml file to tell it which image to use, and then trigger the pipeline using the Trigger Pipeline API. So the runner image gets deployed into k8s and then runs the project's pipeline. In this case, do we still need another runner continuously running in k8s as a pod listening for the project, or is that not required because we are using the Trigger API?

If there is already some guidance on how to use runners dynamically instead of running them continuously, please share the info.

@hchouraria, could you please respond to this?
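As an added worked example for both questions in the post above (this is not code from the original post, nor from GitLab itself): GitLab Runner only ever makes outbound HTTPS requests to the GitLab instance to poll for jobs, so question #1 reduces to a default-drop egress policy on the runner host that allows only DNS and TCP/443 to GitLab. For question #2, a single runner registration using the `kubernetes` executor keeps one small manager pod polling GitLab and starts a fresh job pod per CI job, deleting it when the job ends, so there is no need for an idle runner pod per project. The script below generates an nftables ruleset for the first case and a `config.toml` for the second. The IP addresses (203.0.113.x, a documentation range), hostname `gitlab.example.com`, token placeholder and resource sizes are assumptions, not values from the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from GitLab. Hostnames, IPs,
# tokens and resource sizes are placeholders (assumptions).
set -euo pipefail

# --- Question 1: outbound-only egress policy for a runner host -------------
# The runner polls GitLab over HTTPS; GitLab never connects inbound. So the
# host needs egress to the GitLab address on 443 plus DNS, and nothing else.
# A docker/kubernetes executor additionally needs to reach the registry that
# serves the job images (add more "ip daddr ... accept" lines for that).
egress_ruleset() {
  local gitlab_ip="$1" gitlab_port="${2:-443}" dns_ip="${3:-}"
  cat <<EOF
table inet runner_egress {
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    ct state established,related accept
EOF
  # DNS is only needed if the runner is registered by hostname.
  if [ -n "$dns_ip" ]; then
    echo "    ip daddr $dns_ip udp dport 53 accept"
  fi
  cat <<EOF
    ip daddr $gitlab_ip tcp dport $gitlab_port ct state new accept
    log prefix "runner-egress-drop " drop
  }
}
EOF
}

# Quick check from the runner host: GitLab must answer, anything else must
# time out. Exit status only; nothing is parsed.
check_egress() {
  local gitlab_host="$1" other_host="${2:-example.org}"
  curl -sS --max-time 5 -o /dev/null "https://$gitlab_host/users/sign_in" \
    || { echo "GitLab not reachable, runner cannot poll for jobs" >&2; return 1; }
  if curl -sS --max-time 5 -o /dev/null "https://$other_host/"; then
    echo "egress to $other_host still allowed, policy not in effect" >&2
    return 1
  fi
  echo "egress restricted to $gitlab_host only"
}

# --- Question 2: one registration, one job pod per job --------------------
# With executor = "kubernetes" the runner process itself is the only thing
# that idles; each CI job gets its own pod, created on demand and removed
# afterwards, and "concurrent" caps how many job pods exist at once.
k8s_runner_config() {
  local gitlab_url="$1" token="$2" namespace="${3:-gitlab-runner}" concurrent="${4:-10}"
  cat <<EOF
concurrent = $concurrent
check_interval = 3

[[runners]]
  name = "shared-k8s-runner"
  url = "$gitlab_url"
  token = "$token"
  executor = "kubernetes"
  [runners.kubernetes]
    namespace = "$namespace"
    image = "alpine:3.20"
    cpu_request = "250m"
    memory_request = "256Mi"
    cpu_limit = "1"
    memory_limit = "1Gi"
EOF
}

# Usage (assumed values):
#   ./runner-setup.sh print 203.0.113.10 443 203.0.113.53
#   ./runner-setup.sh apply 203.0.113.10 443 203.0.113.53   # needs root + nft
#   ./runner-setup.sh k8s-config https://gitlab.example.com glrt-REPLACE-ME
case "${1:-}" in
  print)      egress_ruleset "${2:?gitlab ip}" "${3:-443}" "${4:-}" ;;
  apply)      egress_ruleset "${2:?gitlab ip}" "${3:-443}" "${4:-}" | nft -f - ;;
  check)      check_egress "${2:?gitlab host}" ;;
  k8s-config) k8s_runner_config "${2:?gitlab url}" "${3:?runner token}" ;;
  *) ;;
esac
```

The `apply` path loads the ruleset with `nft -f -`, so it must run as root on the runner host before the runner is started; `print` lets you review it first, and `check` confirms that GitLab is still reachable while an unrelated host is not. For the Kubernetes case the generated file is mounted as the runner manager's `config.toml`; the manager pod is the only pod that stays up, and whether one registration serves many projects is then a matter of registering it as a shared or group runner rather than per project.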