From f331e3c1e6493fd732811c8d9d53efa19345d716 Mon Sep 17 00:00:00 2001
From: Ronni Baslund
Date: Mon, 8 Jun 2026 22:13:38 +0200
Subject: [PATCH] feat(infra): in-cluster Gitea Actions runner (act_runner + dind)
Self-registering act_runner on node1 with a privileged docker:dind sidecar so workflow jobs can build + push app images (k3s has containerd only, no Docker daemon). Labels ubuntu-latest + docker; state persisted on a Longhorn PVC. The registration token is applied out-of-band as the gitea-runner-token Secret (not in git). Verified: runner declared successfully, dind API up.
---
.../production/fleet/ci/gitea-runner.yaml | 96 +++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100644 infrastructure/production/fleet/ci/gitea-runner.yaml
diff --git a/infrastructure/production/fleet/ci/gitea-runner.yaml b/infrastructure/production/fleet/ci/gitea-runner.yaml
new file mode 100644
index 0000000..e2ce879
--- /dev/null
+++ b/infrastructure/production/fleet/ci/gitea-runner.yaml
@@ -0,0 +1,96 @@
+# Gitea Actions runner for the dezky monorepo, in-cluster on node1.
+#
+# Builds + pushes app images (platform-api / portal / booking) to the Gitea
+container registry on push. A privileged docker:dind sidecar provides the
+Docker daemon the runner's jobs use for `docker build`/`buildx` — k3s itself
+only has containerd, no Docker daemon.
+#
+# The registration token is NOT in git — create the 'gitea-runner-token' Secret
+# out-of-band:
+# kubectl -n gitea-runner create secret generic gitea-runner-token \
+# --from-literal=token=
+# act_runner auto-registers on first start (persisted on the runner-data PVC).
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gitea-runner
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: runner-data
+ namespace: gitea-runner
+spec:
+ accessModes: [ReadWriteOnce]
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: act-runner
+ namespace: gitea-runner
+ labels:
+ app: act-runner
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: act-runner
+ template:
+ metadata:
+ labels:
+ app: act-runner
+ spec:
+ containers:
+ - name: runner
+ image: gitea/act_runner:0.2.11
+ env:
+ - name: GITEA_INSTANCE_URL
+ value: https://git.lastcloud.io
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: gitea-runner-token
+ key: token
+ - name: GITEA_RUNNER_NAME
+ value: dezky-k3s
+ # Map ubuntu-latest (used by .gitea/workflows/ci.yml) to a Docker
+ # image with the usual build tooling; jobs run via the dind sidecar.
+ - name: GITEA_RUNNER_LABELS
+ value: "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04,docker:docker://docker:27-cli"
+ - name: DOCKER_HOST
+ value: tcp://localhost:2376
+ - name: DOCKER_CERT_PATH
+ value: /certs/client
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ volumeMounts:
+ - name: runner-data
+ mountPath: /data
+ - name: docker-certs
+ mountPath: /certs
+ - name: dind
+ image: docker:27-dind
+ securityContext:
+ privileged: true
+ env:
+ - name: DOCKER_TLS_CERTDIR
+ value: /certs
+ volumeMounts:
+ - name: docker-certs
+ mountPath: /certs
+ - name: dind-storage
+ mountPath: /var/lib/docker
+ volumes:
+ - name: runner-data
+ persistentVolumeClaim:
+ claimName: runner-data
+ - name: docker-certs
+ emptyDir: {}
+ - name: dind-storage
+ emptyDir: {}
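Review bot: The `privileged: true` dind sidecar makes any workflow job dispatched to this runner effectively root on the node (a job that reaches the daemon at `tcp://localhost:2376` — presumably what the `docker` label is for — can start containers that mount the host filesystem), yet the pod spec adds no containment around it: the default service-account token is still auto-mounted into both containers, nothing pins the pod to node1 as the commit message intends, and the `dind-storage` emptyDir behind `/var/lib/docker` has no `sizeLimit`, so pulled layers and build cache grow until the node disk is full. Add `automountServiceAccountToken: false` and a `nodeSelector` at pod level and bound the emptyDir as below; I have assumed the node's hostname label is `node1` per the commit message, so confirm that. Because the registration token decides who can put jobs on this machine, the header comment next to the `kubectl create secret` line should also say whether the token is repo- or instance-scoped and whether workflows from forked pull requests may run here, e.g. `# Scope: repo-level token for dezky only; fork PRs are not run on this runner.` — both answers are security decisions the manifest currently leaves implicit. Resource requests/limits on both containers are missing too, which matters for a build workload sharing a node with other tenants.
```yaml
    spec:
      automountServiceAccountToken: false   # jobs must never see a cluster credential
      nodeSelector:
        kubernetes.io/hostname: node1       # keep the privileged pod on the intended node
      containers:
      # … unchanged: runner + dind containers …
      volumes:
      # … unchanged: runner-data, docker-certs …
      - name: dind-storage
        emptyDir:
          sizeLimit: 20Gi                   # otherwise image layers fill the node disk
```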