From 294912488ccbee7d86c1e22c2628931f118307c3 Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Sat, 26 Aug 2023 12:19:06 +0200
Subject: [PATCH] update kubernetes examples to match version 3.0.0 images

Starting with Forgejo runner 3.0.0 images are different in two ways that matter to k8s because they:
* are all rootless
* do not rely on tini
---
 examples/kubernetes/README.md | 10 +---
 examples/kubernetes/dind-docker.yaml | 20 ++++---
 examples/kubernetes/rootless-docker.yaml | 69 ------------------------
 3 files changed, 11 insertions(+), 88 deletions(-)
 delete mode 100644 examples/kubernetes/rootless-docker.yaml
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index a8784b4..d00cf1a 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -1,13 +1,7 @@
-## Kubernetes Docker in Docker Deployment with `act_runner`
+## Kubernetes Docker in Docker Deployment
 Registers Kubernetes pod runners using [offline registration](https://forgejo.org/docs/v1.21/admin/actions/#offline-registration), allowing the scaling of runners as needed.
 NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context.
-Files in this directory:
-
-- [`dind-docker.yaml`](dind-docker.yaml) - How to create a Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
-
-- [`rootless-docker.yaml`](rootless-docker.yaml) - How to create a rootless Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
+[`dind-docker.yaml`](dind-docker.yaml) creates a deployment and secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.
diff --git a/examples/kubernetes/dind-docker.yaml b/examples/kubernetes/dind-docker.yaml
index 92e46e9..7abf9e0 100644
--- a/examples/kubernetes/dind-docker.yaml
+++ b/examples/kubernetes/dind-docker.yaml
@@ -12,20 +12,20 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 labels:
- app: act-runner
- name: act-runner
+ app: forgejo-runner
+ name: forgejo-runner
 spec:
 # Two replicas means that if one is busy, the other can pick up jobs.
 replicas: 2
 selector:
 matchLabels:
- app: act-runner
+ app: forgejo-runner
 strategy: {}
 template:
 metadata:
 creationTimestamp: null
 labels:
- app: act-runner
+ app: forgejo-runner
 spec:
 restartPolicy: Always
 volumes:
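Review bot: Changing `metadata.name` from `act-runner` to `forgejo-runner` (second hunk on this line, `@@ -12,20 +12,20 @@`) creates a new Deployment rather than updating the existing one, so `kubectl apply` of the new example on a cluster already running the old manifest leaves the `act-runner` Deployment and its `gitea/act_runner:nightly` pods registered alongside the new ones. Because `spec.selector.matchLabels` is immutable on apps/v1 Deployments the rename is the only way to switch the labels, but nothing in the hunk or the README says so; a comment above `name: forgejo-runner` such as `# Renamed from act-runner: the selector cannot change in place, delete the old Deployment before applying this one.` would do. Separately, the init container's new `command` in the following hunk is a single array element without `sh -c`; since `command` replaces the image entrypoint the kubelet execs that whole string as argv[0], and neither `$FORGEJO_INSTANCE_URL`/`$RUNNER_SECRET` nor the dropped `cd /data` is handled by a shell (the kubelet only expands `$(VAR)` references). Unless the 3.0.0 image already sets its working directory to `/data`, restoring the shell form, `command: ["sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect"]`, looks safer; that hunk runs past the end of this excerpt.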
@@ -37,23 +37,23 @@ spec:
 # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
 initContainers:
 - name: runner-config-generation
- image: code.forgejo.org/forgejo/runner:2.4.0
- command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
+ image: code.forgejo.org/forgejo/runner:3.0.0
+ command: [ "forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
 env:
 - name: RUNNER_SECRET
 valueFrom:
 secretKeyRef:
 name: runner-secret
 key: token
- - name: GITEA_INSTANCE_URL
+ - name: FORGEJO_INSTANCE_URL
 value: http://gitea-http.gitea.svc.cluster.local:3000
 volumeMounts:
 - name: runner-data
 mountPath: /data
 containers:
 - name: runner
- image: gitea/act_runner:nightly
- command: ["sh", "-c", "while ! nc -z localhost 2376