Switch Forgejo runner to host mode

- Use host labels (ubuntu-latest:host) instead of docker:// - Remove RBAC (not needed for host mode) - Simplify configmap (no container backend config needed) Host mode runs jobs directly in the runner container, which is acceptable since we control all workflows and the pod provides isolation from indri. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-23 16:40:37 -08:00 · 2026-01-23 16:40:37 -08:00 · 338456b820
commit 338456b820
parent 460449326e
5 changed files with 6 additions and 42 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -102,6 +102,11 @@ kubectl --context=minikube-indri logs -n <namespace> <pod>  # View logs

 Note: The user has fish abbreviations `ki` for `kubectl --context=minikube-indri` and `k9i` for `k9s --context=minikube-indri`, but these only work in interactive shells.

+**ArgoCD login (when token expires):**
+```fish
+argocd login argocd.tail8d86e.ts.net --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)"
+```
+
 ### Indri Services (via Ansible)

 Some services remain on indri outside of Kubernetes:
--- a/argocd/manifests/forgejo-runner/configmap.yaml
+++ b/argocd/manifests/forgejo-runner/configmap.yaml
@ -11,16 +11,3 @@ data:
      file: /data/.runner
      capacity: 1
      timeout: 3h
-    container:
-      # Use Kubernetes to run job pods
-      backend: kubernetes
-      kubernetes:
-        namespace: forgejo-runner
-        # Job pods use these resource limits
-        resources:
-          requests:
-            cpu: "100m"
-            memory: "256Mi"
-          limits:
-            cpu: "1000m"
-            memory: "1Gi"
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@ -38,7 +38,7 @@ spec:
                  --instance "$FORGEJO_INSTANCE_URL" \
                  --token "$RUNNER_TOKEN" \
                  --name "$RUNNER_NAME" \
-                  --labels "ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://ubuntu:22.04" \
+                  --labels "ubuntu-latest:host,ubuntu-22.04:host" \
                  --no-interactive
              fi
              # Start the runner daemon with config
--- a/argocd/manifests/forgejo-runner/kustomization.yaml
+++ b/argocd/manifests/forgejo-runner/kustomization.yaml
@ -4,6 +4,5 @@ namespace: forgejo-runner
 resources:
  - namespace.yaml
  - serviceaccount.yaml
-  - rbac.yaml
  - configmap.yaml
  - deployment.yaml
--- a/argocd/manifests/forgejo-runner/rbac.yaml
+++ b/argocd/manifests/forgejo-runner/rbac.yaml
@ -1,27 +0,0 @@
-# RBAC for Forgejo runner to create job pods
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: forgejo-runner
-  namespace: forgejo-runner
-rules:
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list", "create", "delete", "watch"]
-  - apiGroups: [""]
-    resources: ["pods/log"]
-    verbs: ["get", "list", "watch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: forgejo-runner
-  namespace: forgejo-runner
-subjects:
-  - kind: ServiceAccount
-    name: forgejo-runner
-    namespace: forgejo-runner
-roleRef:
-  kind: Role
-  name: forgejo-runner
-  apiGroup: rbac.authorization.k8s.io