From 294912488ccbee7d86c1e22c2628931f118307c3 Mon Sep 17 00:00:00 2001
From: Earl Warren <contact@earl-warren.org>
Date: Sat, 26 Aug 2023 12:19:06 +0200
Subject: [PATCH] update kubernetes examples to match version 3.0.0 images

Starting with Forgejo runner 3.0.0, the images differ in two ways
that matter to k8s, because they:

* are all rootless
* do not rely on tini
---
 examples/kubernetes/README.md            | 10 +---
 examples/kubernetes/dind-docker.yaml     | 20 ++++---
 examples/kubernetes/rootless-docker.yaml | 69 ------------------------
 3 files changed, 11 insertions(+), 88 deletions(-)
 delete mode 100644 examples/kubernetes/rootless-docker.yaml

diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index a8784b4..d00cf1a 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -1,13 +1,7 @@
-## Kubernetes Docker in Docker Deployment with `act_runner`
+## Kubernetes Docker in Docker Deployment
 
 Registers Kubernetes pod runners using [offline registration](https://forgejo.org/docs/v1.21/admin/actions/#offline-registration), allowing the scaling of runners as needed.
 
 NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context.
 
-Files in this directory:
-
-- [`dind-docker.yaml`](dind-docker.yaml)
-  How to create a Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
-
-- [`rootless-docker.yaml`](rootless-docker.yaml)
-  How to create a rootless Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
+[`dind-docker.yaml`](dind-docker.yaml) creates a deployment and secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
diff --git a/examples/kubernetes/dind-docker.yaml b/examples/kubernetes/dind-docker.yaml
index 92e46e9..7abf9e0 100644
--- a/examples/kubernetes/dind-docker.yaml
+++ b/examples/kubernetes/dind-docker.yaml
@@ -12,20 +12,20 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: act-runner
-  name: act-runner
+    app: forgejo-runner
+  name: forgejo-runner
 spec:
   # Two replicas means that if one is busy, the other can pick up jobs.
   replicas: 2
   selector:
     matchLabels:
-      app: act-runner
+      app: forgejo-runner
   strategy: {}
   template:
     metadata:
       creationTimestamp: null
       labels:
-        app: act-runner
+        app: forgejo-runner
     spec:
       restartPolicy: Always
       volumes:
@@ -37,23 +37,23 @@ spec:
       # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
       initContainers:
       - name: runner-config-generation
-        image: code.forgejo.org/forgejo/runner:2.4.0
-        command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
+        image: code.forgejo.org/forgejo/runner:3.0.0
+        command: [ "forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
         env:
         - name: RUNNER_SECRET
           valueFrom:
             secretKeyRef:
               name: runner-secret
               key: token
-        - name: GITEA_INSTANCE_URL
+        - name: FORGEJO_INSTANCE_URL
           value: http://gitea-http.gitea.svc.cluster.local:3000
         volumeMounts:
         - name: runner-data
           mountPath: /data
       containers:
       - name: runner
-        image: gitea/act_runner:nightly
-        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
+        image: code.forgejo.org/forgejo/runner:3.0.0
+        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon"]
         env:
         - name: DOCKER_HOST
           value: tcp://localhost:2376
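Review bot: The new init-container `command` on the `runner-config-generation` line is a single-element array, so Kubernetes will try to exec a program literally named "forgejo-runner create-runner-file --instance ..." and the init container will fail; nothing splits that string on spaces, and `$RUNNER_SECRET` / `$FORGEJO_INSTANCE_URL` are only expanded by a shell (Kubernetes itself expands `$(VAR)`, not `$VAR`). The previous form also did `cd /data` so the generated runner file landed on the `runner-data` volume; unless the 3.0.0 image's working directory is already `/data`, the main container's `forgejo-runner daemon` would not find it either. Keep the shell wrapper and the working directory, e.g. `command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]`, or use the argv form `command: ["forgejo-runner", "create-runner-file", "--instance", "$(FORGEJO_INSTANCE_URL)", "--secret", "$(RUNNER_SECRET)", "--connect"]` together with `workingDir: /data`. The `runner` container spec continues into the next hunk, so the main container's `volumeMounts` for `/data` cannot be checked here.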
@@ -61,8 +61,6 @@ spec:
           value: /certs/client
         - name: DOCKER_TLS_VERIFY
           value: "1"
-        - name: GITEA_INSTANCE_URL
-          value: http://gitea-http.gitea.svc.cluster.local:3000
         volumeMounts:
         - name: docker-certs
           mountPath: /certs
diff --git a/examples/kubernetes/rootless-docker.yaml b/examples/kubernetes/rootless-docker.yaml
deleted file mode 100644
index cd003a8..0000000
--- a/examples/kubernetes/rootless-docker.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-# Secret data.
-# Alternatively, create this with
-# kubectl create secret generic runner-secret --from-literal=token=your_offline_token_here
-apiVersion: v1
-stringData:
-  token: your_offline_secret_here
-kind: Secret
-metadata:
-  name: runner-secret
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: act-runner
-  name: act-runner
-spec:
-  # Two replicas means that if one is busy, the other can pick up jobs.
-  replicas: 2
-  selector:
-    matchLabels:
-      app: act-runner
-  strategy: {}
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: act-runner
-    spec:
-      restartPolicy: Always
-      volumes:
-      - name: runner-data
-        emptyDir: {}
-      # Initialise our configuration file using offline registration
-      # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
-      initContainers:
-      - name: runner-config-generation
-        image: code.forgejo.org/forgejo/runner:2.4.0
-        command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
-        env:
-        - name: RUNNER_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: runner-secret
-              key: token
-        - name: GITEA_INSTANCE_URL
-          value: http://gitea-http.gitea.svc.cluster.local:3000
-        volumeMounts:
-        - name: runner-data
-          mountPath: /data
-      containers:
-      - name: runner
-        image: gitea/act_runner:nightly-dind-rootless
-        imagePullPolicy: Always
-        env:
-        - name: DOCKER_HOST
-          value: tcp://localhost:2376
-        - name: DOCKER_CERT_PATH
-          value: /certs/client
-        - name: DOCKER_TLS_VERIFY
-          value: "1"
-        - name: GITEA_INSTANCE_URL
-          value: http://gitea-http.gitea.svc.cluster.local:3000
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - name: runner-data
-          mountPath: /data
-