From feff296979aeaf4e474cf78290a51d000f4092b3 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 23 Jan 2026 16:09:27 -0800
Subject: [PATCH] Add Forgejo Actions runner k8s deployment

- ArgoCD Application for forgejo-runner
- Deployment with Docker socket access for running workflow containers
- Secret template for runner registration token (via op inject)

Co-Authored-By: Claude Opus 4.5
---
 argocd/apps/forgejo-runner.yaml | 23 +++++++
 .../manifests/forgejo-runner/deployment.yaml | 63 +++++++++++++++++++
 .../forgejo-runner/kustomization.yaml | 7 +++
 .../manifests/forgejo-runner/namespace.yaml | 4 ++
 .../forgejo-runner/secret-token.yaml.tpl | 10 +++
 .../forgejo-runner/serviceaccount.yaml | 5 ++
 6 files changed, 112 insertions(+)
 create mode 100644 argocd/apps/forgejo-runner.yaml
 create mode 100644 argocd/manifests/forgejo-runner/deployment.yaml
 create mode 100644 argocd/manifests/forgejo-runner/kustomization.yaml
 create mode 100644 argocd/manifests/forgejo-runner/namespace.yaml
 create mode 100644 argocd/manifests/forgejo-runner/secret-token.yaml.tpl
 create mode 100644 argocd/manifests/forgejo-runner/serviceaccount.yaml

diff --git a/argocd/apps/forgejo-runner.yaml b/argocd/apps/forgejo-runner.yaml
new file mode 100644
index 0000000..a584d33
--- /dev/null
+++ b/argocd/apps/forgejo-runner.yaml
@@ -0,0 +1,23 @@
+# Forgejo Actions Runner
+# Runs in k8s, polls Forgejo for workflow jobs
+#
+# Before syncing, create the runner token secret:
+# kubectl create namespace forgejo-runner
+# op inject -i argocd/manifests/forgejo-runner/secret-token.yaml.tpl | kubectl apply -f -
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: forgejo-runner
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git
+ targetRevision: main
+ path: argocd/manifests/forgejo-runner
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: forgejo-runner
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
new file mode 100644
index 0000000..90914e9
--- /dev/null
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
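Review bot: `project: default` places a workload that mounts the node's Docker socket under ArgoCD's built-in project, which, unless it has been restricted elsewhere in this repo, permits any source repository, any destination namespace and every cluster-scoped resource kind; a dedicated `AppProject` with `sourceRepos` limited to this one Forgejo URL, `destinations` limited to the `forgejo-runner` namespace and `clusterResourceWhitelist` limited to `Namespace` would bound what a bad push to `main` can make ArgoCD create. The header comment should also record that the Secret is deliberately outside kustomize's view, e.g. `# The token Secret is created out-of-band and is NOT listed in kustomization.yaml, so ArgoCD neither manages nor prunes it`, since the manual `kubectl create namespace` step next to `CreateNamespace=true` otherwise reads as if the whole setup were declarative. No `automated` sync is configured, which is sensible for a runner with host access, but saying so in the comment would stop a later `automated`/`prune` change from being made without reconsidering the out-of-band Secret.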
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: forgejo-runner
+ namespace: forgejo-runner
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: forgejo-runner
+ template:
+ metadata:
+ labels:
+ app: forgejo-runner
+ spec:
+ serviceAccountName: forgejo-runner
+ containers:
+ - name: runner
+ image: code.forgejo.org/forgejo/runner:3.5.1
+ env:
+ - name: FORGEJO_INSTANCE_URL
+ value: "https://forge.tail8d86e.ts.net"
+ - name: RUNNER_NAME
+ value: "k8s-runner-1"
+ - name: RUNNER_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-runner-token
+ key: token
+ command:
+ - /bin/sh
+ - -c
+ - |
+ # Register runner if not already registered
+ if [ ! -f /data/.runner ]; then
+ forgejo-runner register \
+ --instance "$FORGEJO_INSTANCE_URL" \
+ --token "$RUNNER_TOKEN" \
+ --name "$RUNNER_NAME" \
+ --labels "ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://ubuntu:22.04" \
+ --no-interactive
+ fi
+ # Start the runner daemon
+ forgejo-runner daemon
+ volumeMounts:
+ - name: runner-data
+ mountPath: /data
+ - name: docker-sock
+ mountPath: /var/run/docker.sock
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
+ volumes:
+ - name: runner-data
+ emptyDir: {}
+ - name: docker-sock
+ hostPath:
+ path: /var/run/docker.sock
+ type: Socket
diff --git a/argocd/manifests/forgejo-runner/kustomization.yaml b/argocd/manifests/forgejo-runner/kustomization.yaml
new file mode 100644
index 0000000..558b9ff
--- /dev/null
+++ b/argocd/manifests/forgejo-runner/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: forgejo-runner
+resources:
+ - namespace.yaml
+ - serviceaccount.yaml
+ - deployment.yaml
diff --git a/argocd/manifests/forgejo-runner/namespace.yaml b/argocd/manifests/forgejo-runner/namespace.yaml
new file mode 100644
index 0000000..19441b1
--- /dev/null
+++ b/argocd/manifests/forgejo-runner/namespace.yaml
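Review bot: The `docker-sock` hostPath volume hands the runner, and therefore every workflow job it executes, the node's Docker daemon, which is root-equivalent on that node, and nothing else in the Deployment bounds that: there is no `securityContext`, no `nodeSelector`/tolerations pinning the pod to a dedicated or disposable node, and no mounted runner config, so whether job containers also receive the socket is left to the image's defaults (worth confirming via the runner config's `container.docker_host`, since act_runner-derived runners pass the socket through to jobs unless told not to). At minimum the volume deserves a comment such as `# SECURITY: the host Docker socket is root on the node; register this runner only for trusted repos/orgs and keep it on an isolated node`, and ideally a dedicated-node `nodeSelector` plus a ConfigMap-mounted runner config that disables socket pass-through to jobs. Separately, the wrapper script keeps the registration token in the daemon's environment and runs the daemon as a child of `/bin/sh`, so a failed `register` still falls through to `daemon` and Kubernetes' SIGTERM stops the shell rather than the daemon; `set -eu` at the top, `unset RUNNER_TOKEN` after the `fi`, and `exec forgejo-runner daemon` address all three. Because `/data` is an `emptyDir`, every pod restart re-registers with the same token and name, so the registration token has to stay valid indefinitely and stale runner entries accumulate in Forgejo — a small PVC for `/data` would let the token be rotated after the first registration.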
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: forgejo-runner
diff --git a/argocd/manifests/forgejo-runner/secret-token.yaml.tpl b/argocd/manifests/forgejo-runner/secret-token.yaml.tpl
new file mode 100644
index 0000000..427d8df
--- /dev/null
+++ b/argocd/manifests/forgejo-runner/secret-token.yaml.tpl
@@ -0,0 +1,10 @@
+# Template for op inject
+# Usage: op inject -i secret-token.yaml.tpl | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+ name: forgejo-runner-token
+ namespace: forgejo-runner
+type: Opaque
+stringData:
+ token: "op://blumeops/w3663ffnvkewbftncqxtcpeavy/runner_reg"
diff --git a/argocd/manifests/forgejo-runner/serviceaccount.yaml b/argocd/manifests/forgejo-runner/serviceaccount.yaml
new file mode 100644
index 0000000..ef8cb25
--- /dev/null
+++ b/argocd/manifests/forgejo-runner/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: forgejo-runner
+ namespace: forgejo-runner
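Review bot: The template says nothing about the registration token's scope, and for a runner that holds the host Docker socket that scope is the actual access-control decision: Forgejo issues registration tokens at instance, organisation or repository level, and the runner will accept jobs from everything the token covers. A comment on `token:` such as `# Scope of this registration token decides which repos' workflows run on this socket-bearing runner; use the narrowest scope (org or repo) that works` would make that explicit, and naming the 1Password item by purpose rather than only by its id would help whoever rotates it. Note also that client-side `kubectl apply -f -` copies the rendered Secret, token included, into the `kubectl.kubernetes.io/last-applied-configuration` annotation on the object; `kubectl create -f -` or `kubectl apply --server-side -f -` avoids duplicating the value.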
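Review bot: The ServiceAccount leaves `automountServiceAccountToken` at its default of true, so the runner pod gets a Kubernetes API token it never uses — the runner only talks to Forgejo and the Docker daemon — and a job that escapes to the node through that socket can read the projected token from the kubelet's pod volume directory. Adding `automountServiceAccountToken: false` to this manifest (or to the pod spec in deployment.yaml) removes one credential from the blast radius at no cost. A one-line comment above it, `# No k8s API access needed; the runner only talks to Forgejo and the Docker socket`, would keep the next maintainer from re-enabling it.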