add gitea to kustomize
also fix gitea runners and add automated docker login to runners
This commit is contained in:
parent
93970c7ad8
commit
1724f21938
14
gitea/kustomization.yaml
Normal file
14
gitea/kustomization.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- cm.yaml
|
||||
- email-secret.yaml
|
||||
- gitea-secrets.yaml
|
||||
- ingress.yaml
|
||||
- ns.yaml
|
||||
- package-registry-secret.yaml
|
||||
- runner.yaml
|
||||
- runner-config.yaml
|
||||
- sts.yaml
|
||||
- svc-http.yaml
|
||||
- svc-ssh.yaml
|
39
gitea/package-registry-secret.yaml
Normal file
39
gitea/package-registry-secret.yaml
Normal file
|
@ -0,0 +1,39 @@
|
|||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: "gitea-package-registry-secret"
|
||||
labels:
|
||||
app: "gitea"
|
||||
spec:
|
||||
secretStoreRef:
|
||||
name: bitwarden
|
||||
kind: ClusterSecretStore
|
||||
refreshInterval: "5m"
|
||||
target:
|
||||
template:
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
engineVersion: v2
|
||||
data:
|
||||
.dockerconfigjson: |
|
||||
{
|
||||
"auths": {
|
||||
{{ .host | toJson }}: {
|
||||
"username": {{ .username | toJson }},
|
||||
"password": {{ .password | toJson }},
|
||||
"auth": {{ printf "%v:%v" .username .password | b64enc | toJson }}
|
||||
}
|
||||
}
|
||||
}
|
||||
data:
|
||||
- secretKey: username
|
||||
remoteRef:
|
||||
key: "gitea package registry token"
|
||||
property: username
|
||||
- secretKey: password
|
||||
remoteRef:
|
||||
key: "gitea package registry token"
|
||||
property: password
|
||||
- secretKey: host
|
||||
remoteRef:
|
||||
key: "gitea package registry token"
|
||||
property: host
|
79
gitea/runner-config.yaml
Normal file
79
gitea/runner-config.yaml
Normal file
|
@ -0,0 +1,79 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: gitea-runner-config
|
||||
namespace: gitea
|
||||
data:
|
||||
config.yaml: |
|
||||
log:
|
||||
level: info # trace debug info warn error fatal
|
||||
|
||||
runner:
|
||||
capacity: 1
|
||||
envs:
|
||||
DOCKER_REGISTRY: "git.strudelline.net"
|
||||
env_file: .env
|
||||
fetch_timeout: 5s
|
||||
fetch_interval: 2s
|
||||
labels:
|
||||
- "metal:host"
|
||||
- "host:host"
|
||||
- "metal-linux:host"
|
||||
- "metal-docker:host"
|
||||
- "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:js-latest"
|
||||
- "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:js-22.04"
|
||||
- "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:js-20.04"
|
||||
cache:
|
||||
# Enable cache server to use actions/cache.
|
||||
enabled: true
|
||||
# The directory to store the cache data.
|
||||
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
|
||||
dir: ""
|
||||
# The host of the cache server.
|
||||
# It's not for the address to listen, but the address to connect from job containers.
|
||||
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
|
||||
host: ""
|
||||
# The port of the cache server.
|
||||
# 0 means to use a random available port.
|
||||
port: 0
|
||||
# The external cache server URL. Valid only when enable is true.
|
||||
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
|
||||
# The URL should generally end with "/".
|
||||
external_server: ""
|
||||
|
||||
container:
|
||||
# Specifies the network to which the container will connect.
|
||||
# Could be host, bridge or the name of a custom network.
|
||||
# If it's empty, act_runner will create a network automatically.
|
||||
network: ""
|
||||
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
|
||||
privileged: false
|
||||
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
|
||||
options:
|
||||
# The parent directory of a job's working directory.
|
||||
# If it's empty, /workspace will be used.
|
||||
workdir_parent:
|
||||
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
|
||||
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
|
||||
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
|
||||
# valid_volumes:
|
||||
# - data
|
||||
# - /src/*.json
|
||||
# If you want to allow any volume, please use the following configuration:
|
||||
# valid_volumes:
|
||||
# - '**'
|
||||
valid_volumes: []
|
||||
# overrides the docker client host with the specified one.
|
||||
# If it's empty, act_runner will find an available docker host automatically.
|
||||
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
|
||||
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
|
||||
docker_host: ""
|
||||
# Pull docker image(s) even if already present
|
||||
force_pull: false
|
||||
# Rebuild docker image(s) even if already present
|
||||
force_rebuild: false
|
||||
|
||||
host:
|
||||
# The parent directory of a job's working directory.
|
||||
# If it's empty, $HOME/.cache/act/ will be used.
|
||||
workdir_parent:
|
|
@ -6,9 +6,11 @@ metadata:
|
|||
gitea: runner
|
||||
name: runner
|
||||
namespace: gitea
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
podManagementPolicy: OrderedReady
|
||||
replicas: 0
|
||||
replicas: 4
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea
|
||||
|
@ -22,17 +24,49 @@ spec:
|
|||
app: gitea
|
||||
gitea: runner
|
||||
spec:
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
volumes:
|
||||
- name: gitea-package-registry-secret
|
||||
secret:
|
||||
secretName: gitea-package-registry-secret
|
||||
- name: gitea-runner-config
|
||||
configMap:
|
||||
name: gitea-runner-config
|
||||
containers:
|
||||
- image: gitea/act_runner
|
||||
- image: jamesandariese/act_runner_node:latest
|
||||
imagePullPolicy: Always
|
||||
name: runner
|
||||
env:
|
||||
- name: DOCKER_HOST
|
||||
value: tcp://localhost:2376
|
||||
- name: DOCKER_CERT_PATH
|
||||
value: /certs/client
|
||||
- name: DOCKER_TLS_VERIFY
|
||||
value: "1"
|
||||
- name: DOCKER_REGISTRY
|
||||
value: git.strudelline.net
|
||||
- name: CONFIG_FILE
|
||||
value: /config/config.yaml
|
||||
- name: GITEA_INSTANCE_URL
|
||||
value: http://gitea.gitea.svc.cluster.local:3000
|
||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||
value: zCG0cIW5Ut2C4HP4hYwE8niOW98pClqJN3o7ifbI
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-runner-token
|
||||
key: token
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: gitea-runner-data
|
||||
- mountPath: /config
|
||||
name: gitea-runner-config
|
||||
readOnly: true
|
||||
- mountPath: /home/rootless/.docker/config.json
|
||||
subPath: .dockerconfigjson
|
||||
name: gitea-package-registry-secret
|
||||
readOnly: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
restartPolicy: Always
|
||||
dnsPolicy: ClusterFirst
|
||||
volumeClaimTemplates:
|
||||
|
|
12
gitea/update-runner-token.sh
Normal file
12
gitea/update-runner-token.sh
Normal file
|
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
|
||||
TOKEN="$(kubectl exec -ti gitea-0 -- su git -c 'gitea actions generate-runner-token 2> /dev/null | grep -E "^[a-zA-Z0-9_-]*$" | grep . | tail -1' | tr -dc a-zA-Z0-9_-)"
|
||||
|
||||
if [ x"$TOKEN" = x ];then
|
||||
1>&2 echo "Token could not be extracted."
|
||||
# if this happens, the CLI has probably changed. you'll need to run gitea actions generate-runner-token
|
||||
# and see what's different or what's broken. recommended to do that in the gitea sts pod.
|
||||
exit 1
|
||||
fi
|
||||
|
||||
kubectl create secret generic -n gitea gitea-runner-token --from-literal=token="$TOKEN" --dry-run=client -o yaml | kubectl apply -f -
|
Loading…
Reference in New Issue
Block a user