gitea runners

2026-04-08 12:40:13 +02:00
parent 5e205944c6
commit b3d4a26a07
4 changed files with 135 additions and 4 deletions
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -87,6 +87,7 @@ sturdy-adventure/
 │   ├── fluent-bit.yaml
 │   ├── trivy.yaml
 │   ├── gitea.yaml
+│   ├── gitea-actions.yaml
 │   ├── sealedsecrets.yaml
 │   ├── secrets.yaml
 │   └── values/
@@ -96,6 +97,7 @@ sturdy-adventure/
 │       ├── loki-values.yaml
 │       ├── tempo-values.yaml
 │       ├── gitea-values.yaml
+│       ├── gitea-actions-values.yaml
 │       └── fluent-bit-values.yaml
 │
 ├── apps/                          # Business applications
@@ -125,6 +127,7 @@ sturdy-adventure/
 │   ├── argocd-mcp-credentials.yaml
 │   ├── dot-ai-secrets.yaml
 │   ├── gitea-credentials-sealed.yaml
+│   ├── gitea-runner-token-sealed.yaml
 │   ├── mcp10x-credentials-sealed.yaml
 │   └── musicman-credentials.yaml
 │
@@ -817,6 +820,53 @@ postgresql:

 **Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret)

+### Gitea Actions Runners
+
+**Chart**: `actions` (from `https://dl.gitea.com/charts`)
+**Namespace**: `gitea`
+**Sync Wave**: 2 (deploys after Gitea)
+
+**Purpose**: Act runners execute Gitea Actions CI/CD workflows. Deployed as a StatefulSet with a Docker-in-Docker sidecar for container-based job execution.
+
+**Configuration**:
+```yaml
+# infra/gitea-actions.yaml + infra/values/gitea-actions-values.yaml
+replicaCount: 3
+
+runner:
+  labels:
+    - "ubuntu-latest:docker://node:20-bookworm"
+    - "ubuntu-22.04:docker://node:20-bookworm"
+  existingSecret: gitea-runner-token
+
+gitea:
+  instance:
+    url: http://gitea-http.gitea.svc.cluster.local:3000
+
+dind:
+  enabled: true  # Docker-in-Docker sidecar (privileged)
+```
+
+**Resources**:
+
+| Container | CPU Request | Memory Request | CPU Limit | Memory Limit |
+|-----------|-------------|----------------|-----------|--------------|
+| Runner | 250m | 256Mi | 1 | 1Gi |
+| DinD sidecar | 250m | 256Mi | 1 | 1Gi |
+
+**Secrets**: `gitea-runner-token` (SealedSecret) containing `token` (instance-level runner registration token from `/admin/runners`)
+
+**Setup Steps**:
+1. Get runner registration token from Gitea admin panel (`/admin/runners`)
+2. Fill in `private/gitea-runner-token.yaml` with the token
+3. Seal: `kubeseal --format yaml < private/gitea-runner-token.yaml > secrets/gitea-runner-token-sealed.yaml`
+4. Commit and push — ArgoCD deploys runners automatically
+
+**Verification**:
+- `kubectl get statefulset -n gitea` — 3/3 runners ready
+- Gitea admin panel (`/admin/runners`) — runners show as Online
+- Create test workflow in `.gitea/workflows/test.yml` — job executes
+
 ---

 ## Kyverno Policies
@@ -1421,6 +1471,7 @@ team: platform
 | **Tempo** | 2.6.0+ | 1.24.4 |
 | **Fluent-Bit** | 2.1.0+ | Latest |
 | **Gitea** | 1.25.4 | 12.5.0 |
+| **Gitea Act Runner** | Latest | Latest |
 | **PostgreSQL** | 16-alpine | N/A |
 | **Trivy** | Latest | Latest |

--- a/infra/gitea-actions.yaml
+++ b/infra/gitea-actions.yaml
@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea-actions
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+  labels:
+    app.kubernetes.io/name: gitea-actions
+    app.kubernetes.io/part-of: platform
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+  - repoURL: https://dl.gitea.com/charts
+    chart: actions
+    targetRevision: "*"
+    helm:
+      releaseName: gitea-actions
+      valueFiles:
+      - $values/infra/values/gitea-actions-values.yaml
+
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: gitea
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
--- a/infra/values/gitea-actions-values.yaml
+++ b/infra/values/gitea-actions-values.yaml
@@ -0,0 +1,37 @@
+## Gitea Act Runner - Helm values
+## Chart: actions (https://dl.gitea.com/charts)
+
+replicaCount: 3
+
+runner:
+  config: |
+    log:
+      level: info
+    runner:
+      labels:
+        - "ubuntu-latest:docker://node:20-bookworm"
+        - "ubuntu-22.04:docker://node:20-bookworm"
+
+  existingSecret: gitea-runner-token
+
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: "1"
+      memory: 1Gi
+
+gitea:
+  instance:
+    url: http://gitea-http.gitea.svc.cluster.local:3000
+
+dind:
+  enabled: true
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: "1"
+      memory: 1Gi
--- a/infra/values/gitea-values.yaml
+++ b/infra/values/gitea-values.yaml
@@ -21,16 +21,18 @@ gitea:
      LFS_START_SERVER: true

    service:
-      DISABLE_REGISTRATION: true
+      DISABLE_REGISTRATION: false
      REQUIRE_SIGNIN_VIEW: false
      ALLOW_ONLY_EXTERNAL_REGISTRATION: true

    openid:
-      ENABLE_OPENID_SIGNIN: true
-      ENABLE_OPENID_SIGNUP: true
+      ENABLE_OPENID_SIGNIN: false
+      ENABLE_OPENID_SIGNUP: false

    oauth2:
      ENABLED: true
+      ENABLE_AUTO_REGISTRATION: true
+      USERNAME: email

    session:
      PROVIDER: db
@@ -69,7 +71,6 @@ gitea:
    groupClaimName: ""
    adminGroup: ""
    restrictedGroup: ""
-
  # -- Prometheus metrics (scraped via annotations, no ServiceMonitor CRD needed)
  metrics:
    enabled: true