From bf16b8a3f8c6b448de0fb78973bc4228efee0548 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 20 Apr 2026 08:44:27 -0700 Subject: [PATCH] feat: adopt declarative forgejo-runner config --- argocd/manifests/forgejo-runner/config.yaml | 13 ++++++++--- .../manifests/forgejo-runner/deployment.yaml | 22 +++---------------- .../forgejo-runner/external-secret.yaml | 16 +++++++------- containers/forgejo-runner/container.py | 4 ++-- ...o-runner-v12-8-server-connections.infra.md | 2 +- docs/reference/services/forgejo-runner.md | 15 +++++++------ docs/reference/services/forgejo.md | 1 + service-versions.yaml | 2 +- 8 files changed, 34 insertions(+), 41 deletions(-) diff --git a/argocd/manifests/forgejo-runner/config.yaml b/argocd/manifests/forgejo-runner/config.yaml index 4894825..121d327 100644 --- a/argocd/manifests/forgejo-runner/config.yaml +++ b/argocd/manifests/forgejo-runner/config.yaml @@ -1,9 +1,8 @@ -# Reviewed against v12.7.3 defaults (2026-03-30) +# Reviewed against v12.8.2 defaults (2026-04-20) log: level: info runner: - file: /data/.runner capacity: 2 timeout: 3h shutdown_timeout: 3h @@ -13,7 +12,15 @@ runner: TZ: America/Los_Angeles container: - # Job execution image is set via RUNNER_LABELS in deployment.yaml network: "host" # Connect to DinD sidecar via TCP (not socket) docker_host: tcp://127.0.0.1:2375 + +server: + connections: + forgejo: + url: https://forge.ops.eblu.me/ + uuid: ${FORGEJO_RUNNER_UUID} + token: ${FORGEJO_RUNNER_TOKEN} + labels: + - k8s:docker://registry.ops.eblu.me/blumeops/runner-job-image:v0.20.1-24f7512 diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index c793895..7db7798 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -25,14 +25,6 @@ spec: env: - name: TZ value: America/Los_Angeles - - name: DOCKER_HOST - value: tcp://localhost:2375 - - name: FORGEJO_URL - value: "https://forge.ops.eblu.me" - - name: RUNNER_NAME - value: "k8s-runner" - - name: RUNNER_LABELS - value: "k8s:docker://registry.ops.eblu.me/blumeops/runner-job-image:v0.20.1-24f7512" command: - /bin/sh - -c @@ -44,19 +36,11 @@ spec: done echo "Docker daemon ready" - # Register if not already registered - if [ ! -f /data/.runner ]; then - echo "Registering runner..." - forgejo-runner register \ - --instance "$FORGEJO_URL" \ - --token "$RUNNER_TOKEN" \ - --name "$RUNNER_NAME" \ - --labels "$RUNNER_LABELS" \ - --no-interactive - fi + # Render config with credentials from ExternalSecret. + envsubst < /config/config.yaml > /tmp/config.yaml # Start daemon - exec forgejo-runner daemon --config /config/config.yaml + exec forgejo-runner daemon --config /tmp/config.yaml envFrom: - secretRef: name: forgejo-runner-env diff --git a/argocd/manifests/forgejo-runner/external-secret.yaml b/argocd/manifests/forgejo-runner/external-secret.yaml index fce28bb..ab7a691 100644 --- a/argocd/manifests/forgejo-runner/external-secret.yaml +++ b/argocd/manifests/forgejo-runner/external-secret.yaml @@ -1,11 +1,7 @@ -# ExternalSecret for Forgejo Runner token +# ExternalSecret for Forgejo Runner credentials # # 1Password item: "Forgejo Secrets" in blumeops vault -# Field: runner_reg (runner registration token) -# -# Non-secret env vars (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) live in the -# deployment spec so that changes (e.g. image version bumps) trigger a rollout -# automatically. +# Fields: runner_k8s_uuid, runner_k8s_token # apiVersion: external-secrets.io/v1 kind: ExternalSecret @@ -21,7 +17,11 @@ spec: name: forgejo-runner-env creationPolicy: Owner data: - - secretKey: RUNNER_TOKEN + - secretKey: FORGEJO_RUNNER_UUID remoteRef: key: Forgejo Secrets - property: runner_reg + property: runner_k8s_uuid + - secretKey: FORGEJO_RUNNER_TOKEN + remoteRef: + key: Forgejo Secrets + property: runner_k8s_token diff --git a/containers/forgejo-runner/container.py b/containers/forgejo-runner/container.py index ffaca88..dfb2edf 100644 --- a/containers/forgejo-runner/container.py +++ b/containers/forgejo-runner/container.py @@ -13,7 +13,7 @@ from blumeops.containers import ( oci_labels, ) -VERSION = "12.7.3" +VERSION = "12.8.2" async def build(src: dagger.Directory) -> dagger.Container: @@ -34,7 +34,7 @@ async def build(src: dagger.Directory) -> dagger.Container: # Stage 2: Runtime runtime = alpine_runtime( - extra_apk=["git", "bash", "ca-certificates"], + extra_apk=["git", "bash", "ca-certificates", "gettext-envsubst"], uid=1000, gid=1000, username="runner", diff --git a/docs/changelog.d/forgejo-runner-v12-8-server-connections.infra.md b/docs/changelog.d/forgejo-runner-v12-8-server-connections.infra.md index aa64b6c..cc35684 100644 --- a/docs/changelog.d/forgejo-runner-v12-8-server-connections.infra.md +++ b/docs/changelog.d/forgejo-runner-v12-8-server-connections.infra.md @@ -1 +1 @@ -Consolidated Forgejo runner how-to documentation into two cards covering declarative `server.connections` configuration and workflow validation, removing stale one-off upgrade notes. +Upgraded the k8s Forgejo runner to the v12.8 line, switched it from first-boot registration to declarative `server.connections` credentials from 1Password, and consolidated the supporting runner how-to documentation. diff --git a/docs/reference/services/forgejo-runner.md b/docs/reference/services/forgejo-runner.md index d61f378..612f20f 100644 --- a/docs/reference/services/forgejo-runner.md +++ b/docs/reference/services/forgejo-runner.md @@ -1,7 +1,7 @@ --- title: Forgejo Runner -modified: 2026-03-30 -last-reviewed: 2026-03-30 +modified: 2026-04-20 +last-reviewed: 2026-04-20 tags: - service - ci-cd @@ -22,21 +22,21 @@ Forgejo Actions runner daemon for CI/CD job execution. Runs as a Kubernetes pod | **Capacity** | 2 concurrent jobs | | **Timeout** | 3h | | **Forgejo Instance** | https://forge.ops.eblu.me | -| **Image** | `code.forgejo.org/forgejo/runner` (see `argocd/manifests/forgejo-runner/kustomization.yaml` for current tag) | +| **Image** | `registry.ops.eblu.me/blumeops/forgejo-runner` (see `argocd/manifests/forgejo-runner/kustomization.yaml` for current tag) | | **DinD Sidecar** | `docker:27-dind` | ## Architecture The pod runs two containers: -1. **runner** - The Forgejo runner daemon. Registers with the forge on first start, then polls for jobs. Talks to DinD via `tcp://localhost:2375`. +1. **runner** - The Forgejo runner daemon. Loads a rendered `server.connections` config at startup, then polls for jobs. Talks to DinD via `tcp://localhost:2375`. 2. **dind** - Docker-in-Docker sidecar (privileged). Provides the Docker daemon for job container execution. Uses a registry mirror at `host.minikube.internal:5050` ([[zot]]). -Runner state (`/data/.runner`) is stored in an `emptyDir` volume, so re-registration happens on pod restart. The registration token comes from 1Password via [[external-secrets]]. +The runner daemon image is built from `containers/forgejo-runner/container.py`, not pulled directly from upstream. Credentials come from 1Password via [[external-secrets]], and the startup script renders the final config before launching the daemon. The `/data` volume remains for the runner home directory and job scratch space, not for `.runner` registration state. ## Job Execution Image -The actual container image used to run workflow steps is set via `RUNNER_LABELS` in the deployment, not in the runner config. This image is tracked separately as `runner-job-image` in `service-versions.yaml`. See [[build-container-image]] for how it's built. +The actual container image used to run workflow steps is declared in `server.connections.labels` in the runner config. This image is tracked separately as `runner-job-image` in `service-versions.yaml`. See [[build-container-image]] for how it's built. ## Network @@ -46,7 +46,8 @@ Jobs run with `network: "host"` to share the DinD network namespace. This gives | Secret | Source | Purpose | |--------|--------|---------| -| `RUNNER_TOKEN` | 1Password ("Forgejo Secrets" → `runner_reg`) | Runner registration with forge | +| `FORGEJO_RUNNER_UUID` | 1Password ("Forgejo Secrets" → `runner_k8s_uuid`) | Static runner identity for `server.connections` | +| `FORGEJO_RUNNER_TOKEN` | 1Password ("Forgejo Secrets" → `runner_k8s_token`) | Static runner credential for `server.connections` | ## Related diff --git a/docs/reference/services/forgejo.md b/docs/reference/services/forgejo.md index 11bb9a5..5b16b0e 100644 --- a/docs/reference/services/forgejo.md +++ b/docs/reference/services/forgejo.md @@ -85,6 +85,7 @@ Both container workflows trigger on the same tag pattern (`*-v[0-9]*`). Each che Server configuration secrets managed via 1Password → Ansible: - `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens - `runner_reg` - Runner registration token (also in k8s via [[external-secrets]]) +- `runner_k8s_uuid`, `runner_k8s_token` - Static credentials for the k8s runner `server.connections` flow ## Forgejo Actions Secrets diff --git a/service-versions.yaml b/service-versions.yaml index 761aa8d..8584322 100644 --- a/service-versions.yaml +++ b/service-versions.yaml @@ -236,7 +236,7 @@ services: - name: forgejo-runner type: argocd last-reviewed: 2026-03-30 - current-version: "12.7.3" + current-version: "12.8.2" upstream-source: https://code.forgejo.org/forgejo/runner/releases notes: >- Runner daemon version (code.forgejo.org/forgejo/runner). Job execution