gitea revert to dind runner

2024-05-25 10:45:27 +02:00 · 2024-05-25 10:45:27 +02:00 · 9f8ae4b0fa
commit 9f8ae4b0fa
parent d53ee0079e
6 changed files with 42 additions and 124 deletions
--- a/infrastructure/external/kustomization.yaml
+++ b/infrastructure/external/kustomization.yaml
@ -9,4 +9,3 @@ resources:
  - omv-s3.ingress.yaml
  - openmediavault.ingress.yaml
  - proxmox.ingress.yaml
-  - wireguard.ingress.yaml
--- a/infrastructure/external/wireguard.ingress.yaml
+++ b/infrastructure/external/wireguard.ingress.yaml
@ -1,38 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: wireguard-ingressroute
-  namespace: external
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`wireguard.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: wireguard
-      port: 443
-      scheme: https
-  tls:
-    certResolver: default-tls
---
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: wireguard
-  namespace: external
-subsets:
-  - addresses:
-      - ip: 192.168.2.1
-    ports:
-      - port: 443
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: wireguard
-  namespace: external
-spec:
-  ports:
-    - port: 443
-      targetPort: 443
--- a/infrastructure/gitea/actions.deployment.yaml
+++ b/infrastructure/gitea/actions.deployment.yaml
@ -1,28 +1,24 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: actions-runner
+  labels:
+    app: act-runner
+  name: act-runner
 spec:
+  replicas: 1
  selector:
    matchLabels:
-      app: actions-runner
+      app: act-runner
  template:
    metadata:
      labels:
-        app: actions-runner
+        app: act-runner
    spec:
-      hostname: kube-runner
-      serviceAccountName: actions-runner
+      restartPolicy: Always
      containers:
-      - name: actions-runner
-        image: actions-runner
-        resources:
-          requests:
-            memory: "128Mi"
-            cpu: "500m"
-          limits:
-            memory: "2Gi"
-            cpu: "2"
+      - name: runner
+        image: runner
+        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
        env:
        - name: DOCKER_HOST
          value: tcp://localhost:2376
@ -37,30 +33,40 @@ spec:
            secretKeyRef:
              name: actions-runner-secret
              key: runner-token
-        # - name: GITEA_RUNNER_LABELS
-        #   value: ubuntu-latest:docker://node:16-bullseye,ubuntu-22.04:docker://node:16-bullseye
        - name: ACTIONS_RUNNER_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
-        - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
-          value: "true"
-        - name: ACTIONS_RUNNER_CONTAINER_HOOKS
-          value: /home/runner/k8s/index.js
-        - name: ACTIONS_RUNNER_CLAIM_NAME
-          value: runner-workdir
-        - name: GITEA_RUNNER_LABELS
-          value: k8s
        volumeMounts:
-        - name: runner-workdir
-          mountPath: /home/runner/_work
+        - name: docker-certs
+          mountPath: /certs
        - name: runner-data
          mountPath: /data
-    
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1"
+
+      - name: daemon
+        image: daemon
+        env:
+        - name: DOCKER_TLS_CERTDIR
+          value: /certs
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "500m"
+          limits:
+            memory: "4Gi"
+            cpu: "4"    
      volumes:
-      - name: runner-workdir
-        persistentVolumeClaim:
-          claimName: runner-workdir
+      - name: docker-certs
+        emptyDir: {}
      - name: runner-data
        persistentVolumeClaim:
          claimName: runner-data
@ -77,16 +83,3 @@ spec:
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: runner-workdir
-spec:
-  resources:
-    requests:
-      storage: 5Gi
-  storageClassName: "nfs-client"
-  volumeMode: Filesystem
-  accessModes:
-    - ReadWriteMany
--- a/infrastructure/gitea/actions.rbac.yaml
+++ b/infrastructure/gitea/actions.rbac.yaml
@ -1,38 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: actions-runner
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: actions-role
-rules:
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: [""]
-  resources: ["pods/exec"]
-  verbs: ["get", "create"]
- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get", "list", "watch",]
- apiGroups: ["batch"]
-  resources: ["jobs"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "list", "create", "delete"]
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: actions-role-binding
-subjects:
- kind: ServiceAccount
-  name: actions-runner
-  apiGroup: ""
-roleRef:
-  kind: Role
-  name: actions-role
-  apiGroup: rbac.authorization.k8s.io
--- a/infrastructure/gitea/actions.sealedsecret.yaml
+++ b/infrastructure/gitea/actions.sealedsecret.yaml
@ -7,7 +7,7 @@ metadata:
  namespace: gitea
 spec:
  encryptedData:
-    runner-token: AgBHwek/Aj/0oOnI/bnZ4FgtRoeJw4tIKvcDzBhaPdQ7bMVHyHUKYUNP7lkPgZrIN+7rhMY7C/j13iGWx4iTdhTgipLiJvyZ70pXKLSix4IpcypJTElggWkW0JW79x1HyJfBtn9iJiHnEZXPi7sEnyKhA0asAOR0ae8NS6mxxei0TIImaPaC2RHL6MOi40xsXpHz2ZaVhDQaTSRWjv0U6+WkCGcueqM2HLYfF1gqqkzGCjjhdOTK1CKvIvApZ5n8x6x94IiywCXJraDCwLz+acF2c2vA/Jb/3p7TwyyRZ5uIF5LZufhTJ6+5sFJSReHYxO4CpPA8KvM880vtiEjN7LxVo/Jruj2459OvjviKZS03ZwLHHrjanom1+HA9Sx2ffRLiR5ayGkfj/6kvpIRt5x1F7BbPp+a0LXuxJX+1nGDyEa1D1WzVKvZASav6/v7cXcom/nKGO91Zb8qHlOv7ZTs5guGQ9G9VCOHOG8szwpW3ZmQwWfFoWsShzqbDqszBYOGeIjIiDllLzTZ8A9dv9J2ELngZ1IPGIkfpQNEW8hsbNXTYhdVIrkh7BIFkRWfYDNWxqZd4iE6XllQcT1rqndusgiNEJX2r+P4nT8dPewATXQ79wzvZU3kB+VHzM8cLymlVGADi7v/qTY9RcrhuE0oMLzHRShr6JU05VfLGbMsttrYKmW7smvBp3lRJitO5A8+r8cRniS1+Xr8mIx87vCvnoWSH6BKkl9pCdDeCGylAWfkJN9UpkaKg
+    runner-token: AgCexZDTtbYOdG3XgvmOh9CwxzTT+dhPVCPYv/arp8cM9R45PFIfwDvFCThnTHQYZJIYpsaUvoxdXSYYdhLyBVhmuAdD0NeH47q7qRh4U6WYUF6RMqUV3Dpri00nrROx2MN8Q+uGN+wq2xloSbkDzLiS+0sD8m+ItIKhEjIMcn9PyA2OheUmbCVfyOVzCEEaOt98nweTlOXgQLJBLPhxUJFCMePfGHudAlu2lZO3dH+T8G9cC86akZnAODuI69iScuIVOtGJvj1EhPNg9d7QjmjWZOKlk0ryPdwEoR/+kD069Jp4STX7IsVqKxZcvnY8yUICbmvj2TzJWzUDMit3leBopO+8+ECSng4uANGwp3QyankmyWD8SXN3fTuASoeoWa5mYN/qCih9m5ih7FxsDNqAFumUzX1QtAN3LDmzgcomdC7D6FHc1PIaOjoEF96TaDgBc8ODMRBWDtjCzD5sTLQ3zGLRieFsOxkdb0d9E+E4pestmnbdtwNTpfgtyT0pr2847FyAmS0DhA6bb4i+JohNswo+83koJQWf1UNyKhQ14kPhPiBRp1cnYieswFjSuvBbWAjB+SYrFIns97qJon2UjwcnlJ6/KewKj5KTOWnTel1Sgxgn4y7qXFnLvReIEKc6SCz+aFFEa4qAqJVmS1STMEwcqkiM7gA+he/8mdEB0BmfwdnGK0pA1I+RD4hOhDqIQlGyTtWGQINqFulbNUS2PcLmf5nX/ERRRPLlwmZNwR27pP3iQg29
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/gitea/kustomization.yaml
+++ b/infrastructure/gitea/kustomization.yaml
@ -10,15 +10,17 @@ resources:
  - drone-server.sealedsecret.yaml
  - actions.deployment.yaml
  - actions.sealedsecret.yaml
-  - actions.rbac.yaml


 namespace: gitea

 images:
-  - name: actions-runner
-    newName: ghcr.io/christopherhx/gitea-actions-runner
+  - name: runner
+    newName: gitea/act_runner
    newTag: nightly
+  - name: daemon
+    newName: docker
+    newTag: 23.0.6-dind


 helmCharts: