From 1724f21938cff2a4fc8554ed32ea013fbc3e5c07 Mon Sep 17 00:00:00 2001
From: James Andariese
Date: Sun, 25 Feb 2024 19:53:34 -0600
Subject: [PATCH] add gitea to kustomize also fix gitea runners and add automated docker login to runners
---
 gitea/kustomization.yaml | 14 ++++++
 gitea/package-registry-secret.yaml | 39 +++++++++++++++
 gitea/runner-config.yaml | 79 ++++++++++++++++++++++++++++++
 gitea/runner.yaml | 40 +++++++++++++-
 gitea/update-runner-token.sh | 12 +++++
 5 files changed, 181 insertions(+), 3 deletions(-)
 create mode 100644 gitea/kustomization.yaml
 create mode 100644 gitea/package-registry-secret.yaml
 create mode 100644 gitea/runner-config.yaml
 create mode 100644 gitea/update-runner-token.sh
diff --git a/gitea/kustomization.yaml b/gitea/kustomization.yaml
new file mode 100644
index 0000000..9c900a6
--- /dev/null
+++ b/gitea/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cm.yaml
+ - email-secret.yaml
+ - gitea-secrets.yaml
+ - ingress.yaml
+ - ns.yaml
+ - package-registry-secret.yaml
+ - runner.yaml
+ - runner-config.yaml
+ - sts.yaml
+ - svc-http.yaml
+ - svc-ssh.yaml
diff --git a/gitea/package-registry-secret.yaml b/gitea/package-registry-secret.yaml
new file mode 100644
index 0000000..33531e2
--- /dev/null
+++ b/gitea/package-registry-secret.yaml
@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "gitea-package-registry-secret"
+ labels:
+ app: "gitea"
+spec:
+ secretStoreRef:
+ name: bitwarden
+ kind: ClusterSecretStore
+ refreshInterval: "5m"
+ target:
+ template:
+ type: kubernetes.io/dockerconfigjson
+ engineVersion: v2
+ data:
+ .dockerconfigjson: |
+ {
+ "auths": {
+ {{ .host | toJson }}: {
+ "username": {{ .username | toJson }},
+ "password": {{ .password | toJson }},
+ "auth": {{ printf "%v:%v" .username .password | b64enc | toJson }}
+ }
+ }
+ }
+ data:
+ - secretKey: username
+ remoteRef:
+ key: "gitea package registry token"
+ property: username
+ - secretKey: password
+ remoteRef:
+ key: "gitea package registry token"
+ property: password
+ - secretKey: host
+ remoteRef:
+ key: "gitea package registry token"
+ property: host
diff --git a/gitea/runner-config.yaml b/gitea/runner-config.yaml
new file mode 100644
index 0000000..5581a57
--- /dev/null
+++ b/gitea/runner-config.yaml
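Review bot: The ExternalSecret has no `metadata.namespace`, while runner.yaml and runner-config.yaml pin `namespace: gitea` and the new kustomization.yaml sets no file-wide `namespace:` either, so `kubectl apply -k` drops this object into whatever namespace the current context selects; the runner pod in `gitea` mounts `secretName: gitea-package-registry-secret` and will not start until the generated Secret lands in that same namespace. Add `namespace: gitea` under `metadata:` here (or `namespace: gitea` at the top level of kustomization.yaml so every listed resource inherits it). The rendered `.dockerconfigjson` necessarily carries the registry password in clear (`password`) and base64 (`auth`), and it is mounted into a container that also runs host-mode jobs per runner-config.yaml, so it is worth confirming that the Bitwarden item holds a package-registry-scoped token rather than an account password; a one-line comment above `data:` recording that scope would help the next reader.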
@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitea-runner-config
+ namespace: gitea
+data:
+ config.yaml: |
+ log:
+ level: info # trace debug info warn error fatal
+
+ runner:
+ capacity: 1
+ envs:
+ DOCKER_REGISTRY: "git.strudelline.net"
+ env_file: .env
+ fetch_timeout: 5s
+ fetch_interval: 2s
+ labels:
+ - "metal:host"
+ - "host:host"
+ - "metal-linux:host"
+ - "metal-docker:host"
+ - "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:js-latest"
+ - "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:js-22.04"
+ - "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:js-20.04"
+ cache:
+ # Enable cache server to use actions/cache.
+ enabled: true
+ # The directory to store the cache data.
+ # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+ dir: ""
+ # The host of the cache server.
+ # It's not for the address to listen, but the address to connect from job containers.
+ # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+ host: ""
+ # The port of the cache server.
+ # 0 means to use a random available port.
+ port: 0
+ # The external cache server URL. Valid only when enable is true.
+ # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+ # The URL should generally end with "/".
+ external_server: ""
+
+ container:
+ # Specifies the network to which the container will connect.
+ # Could be host, bridge or the name of a custom network.
+ # If it's empty, act_runner will create a network automatically.
+ network: ""
+ # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+ privileged: false
+ # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+ options:
+ # The parent directory of a job's working directory.
+ # If it's empty, /workspace will be used.
+ workdir_parent:
+ # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+ # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+ # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+ # valid_volumes:
+ # - data
+ # - /src/*.json
+ # If you want to allow any volume, please use the following configuration:
+ # valid_volumes:
+ # - '**'
+ valid_volumes: []
+ # overrides the docker client host with the specified one.
+ # If it's empty, act_runner will find an available docker host automatically.
+ # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+ # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+ docker_host: ""
+ # Pull docker image(s) even if already present
+ force_pull: false
+ # Rebuild docker image(s) even if already present
+ force_rebuild: false
+
+ host:
+ # The parent directory of a job's working directory.
+ # If it's empty, $HOME/.cache/act/ will be used.
+ workdir_parent:
diff --git a/gitea/runner.yaml b/gitea/runner.yaml
index afa088c..1ba4734 100644
--- a/gitea/runner.yaml
+++ b/gitea/runner.yaml
@@ -6,9 +6,11 @@ metadata:
 gitea: runner
 name: runner
 namespace: gitea
+ annotations:
+ reloader.stakater.com/auto: "true"
 spec:
 podManagementPolicy: OrderedReady
- replicas: 0
+ replicas: 4
 selector:
 matchLabels:
 app: gitea
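Review bot: The `labels` list advertises `metal:host`, `host:host`, `metal-linux:host` and `metal-docker:host`, and under act_runner's label scheme a `:host` label runs the job in the runner process itself rather than in a job container — here that process is the container runner.yaml now runs with `privileged: true` and with the registry `config.json` mounted, so any repository allowed to target those labels executes with that container's privileges and credentials (label semantics taken from act_runner's documented convention; confirm against the version baked into the image). If host-mode jobs are intended, say so where the trust boundary is: `# :host labels run jobs inside this privileged runner container — only for trusted repos` above `labels:`. Minor style: `options:` and both `workdir_parent:` keys are bare, which YAML reads as null, whereas the neighbouring "empty" settings (`dir`, `host`, `network`, `docker_host`) spell `""`; if act_runner accepts the empty string there as well, `options: ""` / `workdir_parent: ""` keeps the file consistent.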
@@ -22,17 +24,49 @@ spec:
 app: gitea
 gitea: runner
 spec:
+ securityContext:
+ fsGroup: 1000
+ volumes:
+ - name: gitea-package-registry-secret
+ secret:
+ secretName: gitea-package-registry-secret
+ - name: gitea-runner-config
+ configMap:
+ name: gitea-runner-config
 containers:
- - image: gitea/act_runner
+ - image: jamesandariese/act_runner_node:latest
+ imagePullPolicy: Always
 name: runner
 env:
+ - name: DOCKER_HOST
+ value: tcp://localhost:2376
+ - name: DOCKER_CERT_PATH
+ value: /certs/client
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ - name: DOCKER_REGISTRY
+ value: git.strudelline.net
+ - name: CONFIG_FILE
+ value: /config/config.yaml
 - name: GITEA_INSTANCE_URL
 value: http://gitea.gitea.svc.cluster.local:3000
 - name: GITEA_RUNNER_REGISTRATION_TOKEN
- value: zCG0cIW5Ut2C4HP4hYwE8niOW98pClqJN3o7ifbI
+ valueFrom:
+ secretKeyRef:
+ name: gitea-runner-token
+ key: token
 volumeMounts:
 - mountPath: /data
 name: gitea-runner-data
+ - mountPath: /config
+ name: gitea-runner-config
+ readOnly: true
+ - mountPath: /home/rootless/.docker/config.json
+ subPath: .dockerconfigjson
+ name: gitea-package-registry-secret
+ readOnly: true
+ securityContext:
+ privileged: true
 restartPolicy: Always
 dnsPolicy: ClusterFirst
 volumeClaimTemplates:
diff --git a/gitea/update-runner-token.sh b/gitea/update-runner-token.sh
new file mode 100644
index 0000000..8316ed9
--- /dev/null
+++ b/gitea/update-runner-token.sh
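Review bot: The container now runs `privileged: true` from `jamesandariese/act_runner_node:latest` with `imagePullPolicy: Always`, so every pod restart pulls whatever that mutable tag points at that day straight into a privileged container holding the registry credential; pin the image by digest (`image: jamesandariese/act_runner_node@sha256:<DIGEST>`, placeholder) or at least an immutable version tag and bump it deliberately. `DOCKER_HOST: tcp://localhost:2376` together with `DOCKER_TLS_VERIFY: "1"` and `DOCKER_CERT_PATH: /certs/client` presumes a daemon and client certs inside the pod, but nothing in this hunk provides `/certs` (the added `volumes:` are only the secret and the ConfigMap); if the daemon and its certs are supplied by the image itself, a comment beside `DOCKER_HOST` saying so would save the next reader the hunt. The registration token literal removed here stays in git history, so it should be treated as exposed and a fresh one issued via the new update-runner-token.sh rather than relying on its removal. The enclosing StatefulSet spec starts and ends outside the hunk.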
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+TOKEN="$(kubectl exec -ti gitea-0 -- su git -c 'gitea actions generate-runner-token 2> /dev/null | grep -E "^[a-zA-Z0-9_-]*$" | grep . | tail -1' | tr -dc a-zA-Z0-9_-)"
+
+if [ x"$TOKEN" = x ];then
+ 1>&2 echo "Token could not be extracted."
+ # if this happens, the CLI has probably changed. you'll need to run gitea actions generate-runner-token
+ # and see what's different or what's broken. recommended to do that in the gitea sts pod.
+ exit 1
+fi
+
+kubectl create secret generic -n gitea gitea-runner-token --from-literal=token="$TOKEN" --dry-run=client -o yaml | kubectl apply -f -
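Review bot: `kubectl exec -ti gitea-0` names no namespace while the `kubectl create secret ... -n gitea` at the bottom does, so unless the current context already defaults to `gitea` the exec addresses a `gitea-0` in the wrong namespace or fails outright; make it `kubectl exec -n gitea -i gitea-0 -- …`, dropping `-t` as well, since a TTY merges the container's stderr into the captured stdout and adds carriage returns — which is presumably why the `tr -dc` scrub was needed. Without `-t`, the inner `2> /dev/null` could also go, so that the CLI error the comment tells the operator to look for reaches the terminal instead of being discarded. Minor style: `if [ x"$TOKEN" = x ];then` reads more plainly as `if [ -z "$TOKEN" ]; then`.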