update kubernetes examples to match version 3.0.0 images

Starting with Forgejo runner 3.0.0, the images are different in two ways
that matter to k8s because they:

* are all rootless
* do not rely on tini
Earl Warren 2023-08-26 12:19:06 +02:00
parent 9d79a0b92d
commit 294912488c
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
3 changed files with 11 additions and 88 deletions


@ -1,13 +1,7 @@
## Kubernetes Docker in Docker Deployment with `act_runner` ## Kubernetes Docker in Docker Deployment
Registers Kubernetes pod runners using [offline registration](https://forgejo.org/docs/v1.21/admin/actions/#offline-registration), allowing the scaling of runners as needed. Registers Kubernetes pod runners using [offline registration](https://forgejo.org/docs/v1.21/admin/actions/#offline-registration), allowing the scaling of runners as needed.
NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context. NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context.
Files in this directory: [`dind-docker.yaml`](dind-docker.yaml) creates a deployment and secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
- [`dind-docker.yaml`](dind-docker.yaml)
How to create a Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
- [`rootless-docker.yaml`](rootless-docker.yaml)
How to create a rootless Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.


@ -12,20 +12,20 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
labels: labels:
app: act-runner app: forgejo-runner
name: act-runner name: forgejo-runner
spec: spec:
# Two replicas means that if one is busy, the other can pick up jobs. # Two replicas means that if one is busy, the other can pick up jobs.
replicas: 2 replicas: 2
selector: selector:
matchLabels: matchLabels:
app: act-runner app: forgejo-runner
strategy: {} strategy: {}
template: template:
metadata: metadata:
creationTimestamp: null creationTimestamp: null
labels: labels:
app: act-runner app: forgejo-runner
spec: spec:
restartPolicy: Always restartPolicy: Always
volumes: volumes:
@ -37,23 +37,23 @@ spec:
# https://forgejo.org/docs/v1.21/admin/actions/#offline-registration # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
initContainers: initContainers:
- name: runner-config-generation - name: runner-config-generation
image: code.forgejo.org/forgejo/runner:2.4.0 image: code.forgejo.org/forgejo/runner:3.0.0
command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ] command: [ "forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
env: env:
- name: RUNNER_SECRET - name: RUNNER_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: runner-secret name: runner-secret
key: token key: token
- name: GITEA_INSTANCE_URL - name: FORGEJO_INSTANCE_URL
value: http://gitea-http.gitea.svc.cluster.local:3000 value: http://gitea-http.gitea.svc.cluster.local:3000
volumeMounts: volumeMounts:
- name: runner-data - name: runner-data
mountPath: /data mountPath: /data
containers: containers:
- name: runner - name: runner
image: gitea/act_runner:nightly image: code.forgejo.org/forgejo/runner:3.0.0
command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"] command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon"]
env: env:
- name: DOCKER_HOST - name: DOCKER_HOST
value: tcp://localhost:2376 value: tcp://localhost:2376
@ -61,8 +61,6 @@ spec:
value: /certs/client value: /certs/client
- name: DOCKER_TLS_VERIFY - name: DOCKER_TLS_VERIFY
value: "1" value: "1"
- name: GITEA_INSTANCE_URL
value: http://gitea-http.gitea.svc.cluster.local:3000
volumeMounts: volumeMounts:
- name: docker-certs - name: docker-certs
mountPath: /certs mountPath: /certs
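Review bot: The init container's new `create-runner-file` command in the second hunk is a single array element, so the kubelet treats the whole string `forgejo-runner create-runner-file --instance ...` as the executable name and the init container cannot start; with no shell in front of it, `$FORGEJO_INSTANCE_URL` and `$RUNNER_SECRET` would also be passed verbatim, because Kubernetes expands only the `$(VAR)` form inside `command`/`args`. Either keep the shell wrapper the old line had, `command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]`, or split it into argv with Kubernetes expansion, `command: [ "forgejo-runner", "create-runner-file", "--instance", "$(FORGEJO_INSTANCE_URL)", "--secret", "$(RUNNER_SECRET)", "--connect" ]` plus `workingDir: /data`. Dropping `cd /data` also means the generated runner file lands in the image's working directory rather than on the shared `runner-data` volume unless the 3.0.0 image's WORKDIR is already /data, which the runner container's `forgejo-runner daemon` a few lines further down has to be able to find; the pod's volumes and the dind sidecar are outside this hunk, so that cannot be confirmed here. Separately, `--secret $RUNNER_SECRET` leaves the registration token readable in the init container's argv; that is pre-existing, but if the 3.0.0 CLI accepts the secret from the environment or a mounted file, this change is a good moment to switch.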


@ -1,69 +0,0 @@
# Secret data.
# Alternatively, create this with
# kubectl create secret generic runner-secret --from-literal=token=your_offline_token_here
apiVersion: v1
stringData:
token: your_offline_secret_here
kind: Secret
metadata:
name: runner-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: act-runner
name: act-runner
spec:
# Two replicas means that if one is busy, the other can pick up jobs.
replicas: 2
selector:
matchLabels:
app: act-runner
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: act-runner
spec:
restartPolicy: Always
volumes:
- name: runner-data
emptyDir: {}
# Initialise our configuration file using offline registration
# https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
initContainers:
- name: runner-config-generation
image: code.forgejo.org/forgejo/runner:2.4.0
command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
env:
- name: RUNNER_SECRET
valueFrom:
secretKeyRef:
name: runner-secret
key: token
- name: GITEA_INSTANCE_URL
value: http://gitea-http.gitea.svc.cluster.local:3000
volumeMounts:
- name: runner-data
mountPath: /data
containers:
- name: runner
image: gitea/act_runner:nightly-dind-rootless
imagePullPolicy: Always
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
- name: GITEA_INSTANCE_URL
value: http://gitea-http.gitea.svc.cluster.local:3000
securityContext:
privileged: true
volumeMounts:
- name: runner-data
mountPath: /data