ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
7dd61e433f6f1f322b1f3359448bc1fbc0a04682
dezky/infrastructure/production/fleet/ci/gitea-runner.yaml
T
Ronni Baslund 323c46fba1
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 42s
Details
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 45s
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 21s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 26s
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 20s
Details
ci / test (push) Successful in 32s
Details
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 34s
Details
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 46s
Details
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 35s
Details
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 49s
Details
ci / deploy (push) Successful in 45s
Details
fix(ci): share dind's unix socket with the runner (jobs need a mountable docker host) 
gitea/runner can only bind-mount a UNIX-socket docker host into job
containers — the old tcp://localhost:2376 + TLS daemon address cannot be
mounted, so build jobs still had no docker API. Share dind's
/var/run/docker.sock with the runner via a /var/run emptyDir and drop the
DOCKER_HOST/TLS env; the runner auto-finds the socket and the bind path
resolves inside dind where the socket lives.
2026-06-10 08:51:44 +02:00

147 lines
5.1 KiB
YAML
Raw Blame History

# Gitea Actions runner for the dezky monorepo, in-cluster on node1.
#
# Builds + pushes app images (platform-api / portal / booking) to the Gitea
# container registry on push. A privileged docker:dind sidecar provides the
# Docker daemon the runner's jobs use for `docker build`/`buildx` — k3s itself
# only has containerd, no Docker daemon.
#
# The registration token is NOT in git — create the 'gitea-runner-token' Secret
# out-of-band:
# kubectl -n gitea-runner create secret generic gitea-runner-token \
# --from-literal=token=<gitea registration token>
# act_runner auto-registers on first start (persisted on the runner-data PVC).
apiVersion: v1
kind: Namespace
metadata:
name: gitea-runner
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: runner-data
namespace: gitea-runner
spec:
accessModes: [ReadWriteOnce]
storageClassName: longhorn
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: act-runner-config
namespace: gitea-runner
data:
config.yaml: |
log:
level: info
runner:
# Some parallelism without overloading the single shared dind daemon
# (concurrent container teardowns trigger moby's cgroup-v2 removal
# deadlock). 2 is a safe balance on this node.
capacity: 2
timeout: 3h
labels:
- "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04"
- "docker:docker://docker:27-cli"
cache:
# We don't use the Actions cache (setup-node cache was removed); disabling
# avoids the cache server the DinD job containers can't reach anyway.
enabled: false
container:
# "" = find an available docker host automatically AND expose it to job
# containers (the dind daemon's socket gets bind-mounted into jobs, which
# is what `docker build` in the build jobs needs). gitea/runner 1.x no
# longer does this by default — act_runner 0.2.x did.
docker_host: ""
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: act-runner
namespace: gitea-runner
labels:
app: act-runner
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: act-runner
template:
metadata:
labels:
app: act-runner
spec:
containers:
- name: runner
# gitea/runner is the successor of the deprecated gitea/act_runner.
# act_runner 0.2.11 + Gitea 1.26 left finished jobs stuck "Running" —
# the runner completed and freed slots, but Gitea never registered the
# completion, so dependent jobs (build → deploy) were never dispatched.
# Same config format / env vars / .runner registration file.
image: gitea/runner:1.0.8
env:
- name: GITEA_INSTANCE_URL
value: https://git.lastcloud.io
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: gitea-runner-token
key: token
- name: GITEA_RUNNER_NAME
value: dezky-k3s
# Map ubuntu-latest (used by .gitea/workflows/ci.yml) to a Docker
# image with the usual build tooling; jobs run via the dind sidecar.
- name: GITEA_RUNNER_LABELS
value: "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04,docker:docker://docker:27-cli"
# No DOCKER_HOST: the runner auto-finds the dind daemon's unix
# socket on the shared /var/run volume. A unix socket (unlike the
# old tcp://localhost:2376) is the only kind of docker host the
# runner can bind-mount into job containers — and the bind is
# resolved by dockerd inside dind, where the path exists too — so
# `docker build` works inside the build jobs.
- name: CONFIG_FILE
value: /config/config.yaml
volumeMounts:
- name: runner-data
mountPath: /data
- name: docker-run
mountPath: /var/run
- name: runner-config
mountPath: /config
- name: dind
# docker:24-dind — moby 24 avoids the cgroup-v2 container-removal
# deadlock seen on 27 ("removal of container … is already in
# progress" looping → "Complete job" hangs).
image: docker:24-dind
securityContext:
privileged: true
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
volumeMounts:
- name: docker-certs
mountPath: /certs
# dockerd serves /var/run/docker.sock here; sharing the volume
# hands that socket to the runner container above.
- name: docker-run
mountPath: /var/run
- name: dind-storage
mountPath: /var/lib/docker
volumes:
- name: runner-data
persistentVolumeClaim:
claimName: runner-data
- name: docker-certs
emptyDir: {}
- name: docker-run
emptyDir: {}
- name: dind-storage
emptyDir: {}
- name: runner-config
configMap:
name: act-runner-config
Reference in New Issue View Git Blame Copy Permalink