eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Migrate Forgejo runner to Kubernetes with DinD #60

Merged
eblume merged 15 commits from feature/containerized-runner into main 2026-01-25 19:56:17 -08:00
Conversation 0 Commits 15 Files changed 14 +181 -156
eblume commented 2026-01-25 19:32:52 -08:00
Owner
Copy link

Summary

  • Deploy Forgejo runner to k8s with Docker-in-Docker sidecar
  • Add job execution image with Node.js and Docker CLI
  • Retire host-mode runner on indri
  • All CI jobs now run containerized in k8s

Components Added

  • containers/forgejo-runner/Dockerfile - Job execution image
  • argocd/apps/forgejo-runner.yaml - ArgoCD Application
  • argocd/manifests/forgejo-runner/ - Kubernetes manifests

Components Removed

  • ansible/roles/forgejo_runner/ - No longer needed

Changes to Existing Files

  • .forgejo/workflows/build-container.yaml - Use k8s runner with DOCKER_HOST env
  • .github/actionlint.yaml - Only k8s label now valid

Deployment

  1. Apply secret: op inject -i argocd/manifests/forgejo-runner/secret.yaml.tpl | kubectl --context=minikube-indri apply -f -
  2. Sync ArgoCD: argocd app sync forgejo-runner

🤖 Generated with Claude Code

## Summary - Deploy Forgejo runner to k8s with Docker-in-Docker sidecar - Add job execution image with Node.js and Docker CLI - Retire host-mode runner on indri - All CI jobs now run containerized in k8s ## Components Added - `containers/forgejo-runner/Dockerfile` - Job execution image - `argocd/apps/forgejo-runner.yaml` - ArgoCD Application - `argocd/manifests/forgejo-runner/` - Kubernetes manifests ## Components Removed - `ansible/roles/forgejo_runner/` - No longer needed ## Changes to Existing Files - `.forgejo/workflows/build-container.yaml` - Use `k8s` runner with `DOCKER_HOST` env - `.github/actionlint.yaml` - Only `k8s` label now valid ## Deployment 1. Apply secret: `op inject -i argocd/manifests/forgejo-runner/secret.yaml.tpl | kubectl --context=minikube-indri apply -f -` 2. Sync ArgoCD: `argocd app sync forgejo-runner` 🤖 Generated with [Claude Code](https://claude.com/claude-code)
Add containerized forgejo-runner for Phase 1 ratcheting
Some checks failed
Build Container / build (push) Failing after 41s
Details
008533491f 
Part of the runner ratcheting plan to migrate from host-mode to k8s runners.

- Debian-based image with forgejo-runner and Docker CLI
- Mounts Docker socket for container builds
- Auto-registers on first start
- Host networking for access to *.ops.eblu.me services

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix: add xz-utils for runner binary extraction
All checks were successful
Build Container / build (push) Successful in 1m5s
Details
ef6e40d8f2 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Switch container builds to docker runner (Phase 1 ratcheting)
Some checks failed
Build Container / build (push) Failing after 26s
Details
82d0162282 
Test that the containerized runner can build containers.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Simplify forgejo-runner to job execution image
All checks were successful
Build Container / build (push) Successful in 1m15s
Details
f19795615c 
- Remove daemon entrypoint (host runner handles daemon)
- Add Node.js 20.x for GitHub Actions compatibility
- Keep Docker CLI for container builds
- Switch workflow back to ubuntu-latest (host runner)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add docker mode to runner for containerized job execution
Some checks failed
Build Container / build (push) Failing after 39s
Details
fcbc3b958e 
- Runner now supports both host and docker labels
- docker label uses forgejo-runner:v2.1.0 image with Node.js + Docker CLI
- Switch build workflow to docker mode for ratcheting test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use forge.ops.eblu.me for runner URL (works from containers)
Some checks failed
Build Container / build (push) Failing after 4s
Details
e61e70078a 
localhost:3001 doesn't work from Docker containers on macOS
because Docker Desktop's host networking runs in a VM.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Mount Docker socket in job containers for DinD
All checks were successful
Build Container / build (push) Successful in 59s
Details
411b07e23c 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add k8s forgejo-runner deployment (Phase 2 ratcheting)
Some checks failed
Build Container / build (push) Failing after 26s
Details
24e7df02df 
- Deployment with forgejo-runner daemon + DinD sidecar
- ConfigMap for runner configuration
- Secret template for runner token (op inject)
- ArgoCD Application definition

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Set docker_host for DinD in k8s runner config
All checks were successful
Build Container / build (push) Successful in 37s
Details
47bbdf5d00 
Job containers need to connect to DinD via TCP, not socket.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use k8s label for k8s runner testing
Some checks failed
Build Container / build (push) Failing after 20s
Details
1f595b6041 
Differentiate k8s runner from host runner with unique label.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add DOCKER_HOST env var to workflow for k8s DinD support
All checks were successful
Build Container / build (push) Successful in 1m8s
Details
c7a58b8fdb 
The k8s runner uses a DinD sidecar accessible via TCP on port 2375.
While the runner daemon config has docker_host set, job containers
don't inherit this - they need the DOCKER_HOST env var set explicitly.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove forgejo_runner ansible role (no longer needed)
- Remove runner pre_tasks from indri.yml playbook
- Clean up actionlint.yaml to only allow k8s label
- Host runner was stopped and cleaned up on indri

All CI jobs now run on the k8s runner with DinD sidecar.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move DOCKER_HOST to runner config instead of workflow
Some checks failed
Build Container / build (push) Failing after 59s
Details
c4b14c0b89 
The runner's container.env config sets environment variables in all
job containers, so we don't need to specify DOCKER_HOST per-workflow.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix: Move DOCKER_HOST to runner.envs (not container.env)
All checks were successful
Build Container / build (push) Successful in 41s
Details
ce10997f79 
The act_runner config uses runner.envs for job environment variables,
not container.env which doesn't exist.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
eblume merged commit ea42362b6f into main 2026-01-25 19:56:17 -08:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
eblume/blumeops!60
No description provided.