Switch to Buildah for container builds (#51)
All checks were successful
Test CI / test (push) Successful in 4s
All checks were successful
Test CI / test (push) Successful in 4s
## Summary - Replace Docker with Buildah for container image builds - No Docker socket required - buildah is daemonless - Cleaner security model (no privileged containers or socket mounting) - Remove Docker-related security context from deployment ## Changes - Update Dockerfile to install buildah/podman instead of docker-cli - Configure buildah storage with overlay driver and fuse-overlayfs - Update composite action to use `buildah bud` and `buildah push` - Add `imagePullPolicy: Always` to ensure fresh image pulls - Update test workflow to verify buildah/podman ## Testing - [ ] Runner pod starts successfully - [ ] Buildah is available in runner - [ ] Test workflow verifies buildah/podman versions - [ ] Container build workflow builds and pushes to zot 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/51
This commit is contained in:
parent
5fcd122494
commit
8ca8798121
23 changed files with 366 additions and 163 deletions
|
|
@ -1,23 +0,0 @@
|
|||
# Forgejo Actions Runner
|
||||
# Runs in k8s, polls Forgejo for workflow jobs
|
||||
#
|
||||
# Before syncing, create the runner token secret:
|
||||
# kubectl create namespace forgejo-runner
|
||||
# op inject -i argocd/manifests/forgejo-runner/secret-token.yaml.tpl | kubectl apply -f -
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: forgejo-runner
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git
|
||||
targetRevision: main
|
||||
path: argocd/manifests/forgejo-runner
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: forgejo-runner
|
||||
syncPolicy:
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
FROM code.forgejo.org/forgejo/runner:3.5.1
|
||||
|
||||
# Switch to root to install packages
|
||||
USER root
|
||||
|
||||
# The base image is Alpine Linux
|
||||
# Install tools needed for GitHub Actions and builds
|
||||
RUN apk add --no-cache \
|
||||
# Required for actions/checkout and other Node-based actions
|
||||
nodejs \
|
||||
npm \
|
||||
# Build essentials
|
||||
git \
|
||||
curl \
|
||||
wget \
|
||||
jq \
|
||||
make \
|
||||
gcc \
|
||||
g++ \
|
||||
musl-dev \
|
||||
# For container builds
|
||||
ca-certificates \
|
||||
docker-cli
|
||||
|
||||
# Verify tools are available
|
||||
RUN node --version && npm --version && docker --version
|
||||
|
||||
# Switch back to non-root user
|
||||
USER 1000
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: forgejo-runner-config
|
||||
namespace: forgejo-runner
|
||||
data:
|
||||
config.yaml: |
|
||||
log:
|
||||
level: info
|
||||
runner:
|
||||
file: /data/.runner
|
||||
capacity: 1
|
||||
timeout: 3h
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: forgejo-runner
|
||||
namespace: forgejo-runner
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: forgejo-runner
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: forgejo-runner
|
||||
spec:
|
||||
serviceAccountName: forgejo-runner
|
||||
containers:
|
||||
- name: runner
|
||||
image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:latest
|
||||
env:
|
||||
# Use internal k8s service via Tailscale operator egress
|
||||
- name: FORGEJO_INSTANCE_URL
|
||||
value: "http://forge.tailscale.svc.cluster.local:3001"
|
||||
- name: RUNNER_NAME
|
||||
value: "k8s-runner-1"
|
||||
- name: RUNNER_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: forgejo-runner-token
|
||||
key: token
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
# Register runner if not already registered
|
||||
if [ ! -f /data/.runner ]; then
|
||||
forgejo-runner register \
|
||||
--instance "$FORGEJO_INSTANCE_URL" \
|
||||
--token "$RUNNER_TOKEN" \
|
||||
--name "$RUNNER_NAME" \
|
||||
--labels "ubuntu-latest:host,ubuntu-22.04:host" \
|
||||
--no-interactive
|
||||
fi
|
||||
# Start the runner daemon with config
|
||||
forgejo-runner daemon --config /config/config.yaml
|
||||
volumeMounts:
|
||||
- name: runner-data
|
||||
mountPath: /data
|
||||
- name: runner-config
|
||||
mountPath: /config
|
||||
resources:
|
||||
requests:
|
||||
memory: "256Mi"
|
||||
cpu: "100m"
|
||||
limits:
|
||||
memory: "1Gi"
|
||||
cpu: "1000m"
|
||||
volumes:
|
||||
- name: runner-data
|
||||
emptyDir: {}
|
||||
- name: runner-config
|
||||
configMap:
|
||||
name: forgejo-runner-config
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: forgejo-runner
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- serviceaccount.yaml
|
||||
- configmap.yaml
|
||||
- deployment.yaml
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: forgejo-runner
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
# Template for op inject
|
||||
# Usage: op inject -i secret-token.yaml.tpl | kubectl apply -f -
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: forgejo-runner-token
|
||||
namespace: forgejo-runner
|
||||
type: Opaque
|
||||
stringData:
|
||||
token: "op://blumeops/w3663ffnvkewbftncqxtcpeavy/runner_reg"
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: forgejo-runner
|
||||
namespace: forgejo-runner
|
||||
Loading…
Add table
Add a link
Reference in a new issue