add docker builder using kubernetes natively

infrastructure/gitea/README.md

@@ -0,0 +1,31 @@
+# Using gitea actions
+The actions deployment allows to use gitea actions from repositories within this instance.
+
+### Building docker images
+Docker builds use the kubernetes runner to build the images. For this to work, the pipeline needs to be able to access the kube-api. A service-account is created for this purpose.
+
+To use the correct docker builder use the following action
+```yaml
+    ...
+
+    - name: Create Kubeconfig
+      run: |
+        mkdir $HOME/.kube
+        echo "${{ secrets.BUILDX_KUBECONFIG }}" > $HOME/.kube/config
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+      with:
+        driver: kubernetes
+        driver-opts: |
+          namespace=act-runner
+          qemu.install=true
+
+    ...
+
+    - name: Build and push
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        <other config>
+```

infrastructure/gitea/actions.rbac.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: builder-service-account
+  namespace: gitea
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: builder-rolebinding
+  namespace: target
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
+subjects:
+- namespace: gitea
+  kind: ServiceAccount
+  name: builder-service-account
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: builder-service-account-secret
+  annotations:
+    kubernetes.io/service-account.name: builder-service-account
+type: kubernetes.io/service-account-token

infrastructure/gitea/drone-kube-runner.deployment.yaml

@@ -1,84 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: drone-runner
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: drone-runner
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/log
-  verbs:
-  - get
-  - create
-  - delete
-  - list
-  - watch
-  - update
-
----
-
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: drone-runner
-subjects:
-- kind: ServiceAccount
-  name: drone-runner
-roleRef:
-  kind: Role
-  name: drone-runner
-  apiGroup: rbac.authorization.k8s.io
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: drone-runner
-  labels:
-    app.kubernetes.io/name: drone-runner
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: drone-runner
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: drone-runner
-    spec:
-      serviceAccountName: drone-runner
-      containers:
-      - name: runner
-        image: drone/drone-runner-kube:latest
-        ports:
-        - containerPort: 3000
-        env:
-        - name: DRONE_RPC_HOST
-          value: drone-server:80
-        - name: DRONE_RPC_PROTO
-          value: http
-        - name: DRONE_RPC_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: drone-server-secret
-              key: rpc_secret
-        - name: DRONE_NAMESPACE_DEFAULT
-          value: gitea
-        # - name: DRONE_NAMESPACE_RULES
-        #   value: "drone-runner:*"
-        - name: DRONE_SERVICE_ACCOUNT_DEFAULT
-          value: drone-runner

infrastructure/gitea/drone-server.deployment.yaml

@@ -1,117 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: drone-server
-  labels:
-    app: drone-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: drone-server
-  template:
-    metadata:
-      labels:
-        app: drone-server
-    spec:
-      containers:
-      - name: drone
-        image: drone/drone:latest
-        env:
-          - name: DRONE_SERVER_PORT # because the deployment is called drone-server, override this var again!
-            value: ":80"
-          - name: DRONE_GITEA_SERVER
-            value: https://git.kluster.moll.re
-          - name: DRONE_USER_CREATE
-            value: username:remoll,admin:true
-          - name: DRONE_GITEA_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: drone-server-secret
-                key: client_id
-          - name: DRONE_GITEA_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: drone-server-secret
-                key: client_secret
-          - name: DRONE_RPC_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: drone-server-secret
-                key: rpc_secret
-          - name: DRONE_SERVER_HOST
-            value: drone.kluster.moll.re
-          - name: DRONE_SERVER_PROTO
-            value: https
-        resources:
-          requests:
-            memory: "1Gi"
-            cpu: 1.5
-        volumeMounts:
-        - mountPath: /data
-          name: drone-data-nfs
-      volumes:
-      - name: drone-data-nfs
-        persistentVolumeClaim:
-          claimName: drone-data-nfs
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: drone-server
-  labels:
-    app: drone-server
-
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    name: http
-  selector:
-    app: drone-server
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: drone-server-ingress
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`drone.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: drone-server
-      port: 80
-  tls:
-    certResolver: default-tls
-
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: drone-data-nfs
-spec:
-  capacity:
-    storage: "1Gi"
-  accessModes:
-    - ReadWriteOnce
-  nfs:
-    path: /export/kluster/drone
-    server: 192.168.1.157
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: drone-data-nfs
-spec:
-  storageClassName: ""
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: "1Gi"
-  volumeName: drone-data-nfs

infrastructure/gitea/drone-server.sealedsecret.yaml

@@ -1,23 +0,0 @@
-{
-  "kind": "SealedSecret",
-  "apiVersion": "bitnami.com/v1alpha1",
-  "metadata": {
-    "name": "drone-server-secret",
-    "namespace": "gitea",
-    "creationTimestamp": null
-  },
-  "spec": {
-    "template": {
-      "metadata": {
-        "name": "drone-server-secret",
-        "namespace": "gitea",
-        "creationTimestamp": null
-      }
-    },
-    "encryptedData": {
-      "client_id": "AgA53a7kGJ6zZcx2ooTvTNwxaW2FvfzHJnxg6co54+HXinTJKsc4+GJ1PtdIbsZ7Dgu/sLi/4X90fT+PT2sgEx9jIilmHPdJeRtwV1UID3Y46A7cJlfcAKwNOFzp2PWvBvizbNp7tbJwxeAYnVX8GfN6fi700QxBGqAI3u8qQvLpU6UGW2RM96gCXI7s1QhE1Le6TgoESy5HX95pB7csDRNSwVE02OWfDHKEjH8QD8UvBB9xct6uwDfu7KrsJiNJvWMP6arvpfhy/X+UtCTFmj5wmFYL7oc6vSiCkq+QyHgQTEHTmGpEjEGKcQxPQaus3KhbhcxQBYLMEMYRlLPH0AEAA4dzbSpoVXM3LuIe9FppgrTCknK1uRB8wyrHUeInWO8mG7UraV6m5PUS+UYODMvfjwY3PyiGhTSf6LgMlhMl8e+2rb+OsWphT8Pbeom33PucrYaRFr9RpQkJSwE6HU3JEh25YLfIJ7caqRND8C/p8kD679C8UMcNpBN8WS4Cswn5jzmwbeJNM5DGp9yQVZNx7Bv3dHzx9i3ShjJ6QQnR/zWJZ/dWLy6weGYmdZMMXRAO8CCdruvcX5YyeieXZfchSIlZ/GqqBHptdcLpwLiZsfmyTWeBvk5pMAsZaKJ1tfWpQ84s4epzMoieTfhTueGXmeRKX+DJBBcriU+5YoqNxpU1lPL+LoInorJSKN7c3ouFx78N3GDOCq7mlWI94lY0bIs5zhrfUN137ITCcED62AJ7vks=",
-      "client_secret": "AgDQXU7x6RLhE9Hc+goeR2+3rW316SLLLA8tfqx3tsykL+vxhRkY5UCEaak3Rgei0k14jB/Rmme+/O/D1/5tc/i885+sGn0yjU7Jo4L5nkIssUOHlmRSGkRJDb9ABPauFXAjap9KLix9bd8ewI7R0lS3tOK9ZhThYhcfDUqV9qkkbSHzwNptkH7gYWt9qzG/rqqqpFP+PCtjzKVve4LCBgaxetcnh1t+d5oh7VAFnSI9Bt1G/DRzi+K3YZ+YG5+XKevBp06GMiLUMiv/eUvmOfAB/KO79LnNVbOcRsAHfnqLbXgNjFzspr5xDiGMC/ma1245LavywqXDp0S9jjNEe48i51PPQMwHWV8XEovsM6LHcteluNogt+VkL4mOnmP+sba/V3NO51rt1WXl+ca+U4kBq4dLMsdpWUKemz9BlIRC4etEXjwKJ5DznT7u6GUTrXx2RCm1j0OYWM++P10SdyD6tGjKnZf88a33Wrwm8Y7c47JrPTlP4PqLq9gzvD310uVfs1vGYGULaToGy+D/th8qiWWlu7BIfwqlIj8lruVnOhQ4GeEZmUAsqYf8JfsBwuDc0Y+8qbwjFrr2z+5x+2XBL8KGZVopyme45SHijlBZs7YsJqTBsg5oW09grM8/oO731GtzSYmpat2VZlaILuTjALqo/cu//kxwmqh7UX+jnTJ/2N3bKKSAfHWbHDeHeS2XJ+eKaI4onNYW9J70EfAP3vOpU+zmQ8rOzJuJjRt0HarLwzc5CXb1Xhlgsaoj7zKXPQMnqIDngg==",
-      "rpc_secret": "AgAcJNCFtOhK28vnLredkTgsVpnMPwaXss5NT5ysc0IbVid2vWRk2CTjBZc5DzjxxLwI1Ok88MFXHP08ZGCYy4rIbwoi7Ei1OEevGWfaI4n5CvAxr4ZamQHSfIX9dVAm9BSSx2M/mDtCKqVEGJEzyHCedrxf6LXM/YTNgjD43BuCZZMu35mRsHItpYFZQSttlHiUvR8y2YKrhV2P7fiWRD3cCVao8ldzKfGuvRfal8ByGoxpsYLj2D9CdtPvRF/TQsWUJJWwzbI9DmbW1MMI4/b26Jfa5TBvHxS1MQxFJpSXuMIengO+b0bi7WaR36y/FrKSNxIrQDHI7XCb00yYaSfj3RkSBVoAD0a2p8vNupHCqsKBoaWd8tMv/wGP8wbBk4DgGeQiTIvfhbQZU/Q2/LVDDficjXVn3IuKP/cqgGVf6lUh5YsUSs8qwpMil7XySiHvaZn+iFAnsXoejd4S2e/pbRvyaxP1aa7TCxnINjpU7IrnUEUiI4glQmAte3MqZWLXcc0Uk3Qz9PP0cD+V8qCOryrPMP2kTAI8LT/K4DgcEMAEGes4Vx1l0oBMF0xJvhM2kZXcEcf0NzuQJvYTgZpQF5xp0TchezLshmEUSIkII9NvAvn+iEYJeHsJUDijjmBloSYe4+QTgdYh6FakVUwYI5U4ztDNrvgqhWjExfbn8HxaFzsNTsuzGoYs+jwXH8Wk2z1Q1oQjDdO5YTjmdqvkSTdin/5CiuCDHaQX6a4gNQ=="
-    }
-  }
-}

infrastructure/gitea/kustomization.yaml

@@ -5,11 +5,9 @@ resources:
   - gitea.pvc.yaml
   - gitea.ingress.yaml
   - gitea.servicemonitor.yaml
-  - drone-kube-runner.deployment.yaml
-  - drone-server.deployment.yaml
-  - drone-server.sealedsecret.yaml
   - actions.deployment.yaml
   - actions.sealedsecret.yaml
+  - actions.rbac.yaml
 
 
 namespace: gitea