From 338456b8204c52eef8a14890ab05008e35947cce Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 16:40:37 -0800 Subject: [PATCH] Switch Forgejo runner to host mode - Use host labels (ubuntu-latest:host) instead of docker:// - Remove RBAC (not needed for host mode) - Simplify configmap (no container backend config needed) Host mode runs jobs directly in the runner container, which is acceptable since we control all workflows and the pod provides isolation from indri. Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 5 ++++ .../manifests/forgejo-runner/configmap.yaml | 13 --------- .../manifests/forgejo-runner/deployment.yaml | 2 +- .../forgejo-runner/kustomization.yaml | 1 - argocd/manifests/forgejo-runner/rbac.yaml | 27 ------------------- 5 files changed, 6 insertions(+), 42 deletions(-) delete mode 100644 argocd/manifests/forgejo-runner/rbac.yaml diff --git a/CLAUDE.md b/CLAUDE.md index 67687db..82ed044 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -102,6 +102,11 @@ kubectl --context=minikube-indri logs -n # View logs Note: The user has fish abbreviations `ki` for `kubectl --context=minikube-indri` and `k9i` for `k9s --context=minikube-indri`, but these only work in interactive shells. +**ArgoCD login (when token expires):** +```fish +argocd login argocd.tail8d86e.ts.net --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)" +``` + ### Indri Services (via Ansible) Some services remain on indri outside of Kubernetes: diff --git a/argocd/manifests/forgejo-runner/configmap.yaml b/argocd/manifests/forgejo-runner/configmap.yaml index 1728edb..584efe0 100644 --- a/argocd/manifests/forgejo-runner/configmap.yaml +++ b/argocd/manifests/forgejo-runner/configmap.yaml 
@@ -11,16 +11,3 @@ data: file: /data/.runner capacity: 1 timeout: 3h - container: - # Use Kubernetes to run job pods - backend: kubernetes - kubernetes: - namespace: forgejo-runner - # Job pods use these resource limits - resources: - requests: - cpu: "100m" - memory: "256Mi" - limits: - cpu: "1000m" - memory: "1Gi" diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index 4c02da8..d0939de 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -38,7 +38,7 @@ spec: --instance "$FORGEJO_INSTANCE_URL" \ --token "$RUNNER_TOKEN" \ --name "$RUNNER_NAME" \ - --labels "ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://ubuntu:22.04" \ + --labels "ubuntu-latest:host,ubuntu-22.04:host" \ --no-interactive fi # Start the runner daemon with config diff --git a/argocd/manifests/forgejo-runner/kustomization.yaml b/argocd/manifests/forgejo-runner/kustomization.yaml index eb3839e..332c49c 100644 --- a/argocd/manifests/forgejo-runner/kustomization.yaml +++ b/argocd/manifests/forgejo-runner/kustomization.yaml @@ -4,6 +4,5 @@ namespace: forgejo-runner resources: - namespace.yaml - serviceaccount.yaml - - rbac.yaml - configmap.yaml - deployment.yaml diff --git a/argocd/manifests/forgejo-runner/rbac.yaml b/argocd/manifests/forgejo-runner/rbac.yaml deleted file mode 100644 index 9f25bca..0000000 --- a/argocd/manifests/forgejo-runner/rbac.yaml +++ /dev/null 
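Review bot: With `--labels "ubuntu-latest:host,ubuntu-22.04:host"` every job step runs as a process inside the runner container, so workflow code can read what this script uses for registration: `$RUNNER_TOKEN` (passed to `--token` in the context lines above) and the registration file at `/data/.runner` named in configmap.yaml. The commit message accepts this because all workflows are controlled, but that assumption is now the only boundary, so I would drop the token from the environment once registration is done, e.g. `unset RUNNER_TOKEN` after the `fi` and before the daemon starts, so jobs do not inherit it. kustomization.yaml still lists serviceaccount.yaml, so the pod presumably still has a ServiceAccount token mounted; with the Role removed it has little use, and `automountServiceAccountToken: false` on the pod spec would keep it away from jobs. The startup script and the pod spec both begin and end outside this hunk, so the exact placement of these lines needs checking against the full file.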
@@ -1,27 +0,0 @@
-# RBAC for Forgejo runner to create job pods
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: forgejo-runner
- namespace: forgejo-runner
-rules:
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "create", "delete", "watch"]
- - apiGroups: [""]
- resources: ["pods/log"]
- verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: forgejo-runner
- namespace: forgejo-runner
-subjects:
- - kind: ServiceAccount
- name: forgejo-runner
- namespace: forgejo-runner
-roleRef:
- kind: Role
- name: forgejo-runner
- apiGroup: rbac.authorization.k8s.io