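---
# Forgejo Actions runner with a Docker-in-Docker (DinD) sidecar.
#
# Security posture (review notes):
#   - The dind container runs privileged with seccomp Unconfined, which is
#     effectively root on the node. Treat this pod and its namespace as a
#     trust boundary; isolate it from workloads that should not share a node.
#   - DOCKER_TLS_CERTDIR="" disables TLS, so dockerd serves plaintext on
#     port 2375. The official docker image's entrypoint binds
#     tcp://0.0.0.0:2375 in that mode, so the daemon is reachable on the
#     pod IP from any pod that can route to it, not only from the runner
#     container. A NetworkPolicy denying ingress to this pod (no peer needs
#     to reach it) is the expected companion to this manifest. The mounted
#     daemon.json may change the listen address — confirm after rendering.
#   - Credentials arrive via the forgejo-runner-env Secret and are rendered
#     into /tmp/config.yaml inside the runner container by envsubst; the
#     rendered file lives only in that container's filesystem.
#   - The zoneinfo hostPath mount is typically rejected by the "baseline" and
#     "restricted" Pod Security Standards; shipping tzdata in the image is
#     the usual alternative if that becomes a constraint.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: forgejo-runner
  namespace: forgejo-runner
  labels:
    app: forgejo-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: forgejo-runner
  template:
    metadata:
      labels:
        app: forgejo-runner
    spec:
      # Pod-wide default; the dind container overrides it below.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        # Forgejo runner daemon
        - name: runner
          image: code.forgejo.org/forgejo/runner:kustomized
          securityContext:
            # Only the dind sidecar needs privilege; the runner process
            # gains nothing from setuid/file-capability escalation.
            # Dropping all capabilities is likely safe as well but has not
            # been verified against this image — TODO confirm.
            allowPrivilegeEscalation: false
          env:
            - name: TZ
              value: America/Los_Angeles
          command:
            - /bin/sh
            - -c
            - |
              # Wait for DinD to be ready
              echo "Waiting for Docker daemon..."
              while ! wget -q -O /dev/null http://localhost:2375/_ping 2>/dev/null; do
                sleep 1
              done
              echo "Docker daemon ready"
              # Render config with credentials from ExternalSecret.
              envsubst < /config/config.yaml > /tmp/config.yaml
              # Start daemon
              exec forgejo-runner daemon --config /tmp/config.yaml
          # Secret values referenced by envsubst placeholders in config.yaml.
          envFrom:
            - secretRef:
                name: forgejo-runner-env
          volumeMounts:
            - name: data
              mountPath: /data
            # ConfigMap volumes are read-only in Kubernetes regardless;
            # stated explicitly to match the daemon.json mount below.
            - name: config
              mountPath: /config
              readOnly: true
            - name: zoneinfo
              mountPath: /usr/share/zoneinfo
              readOnly: true
        # Docker-in-Docker sidecar
        - name: dind
          image: docker:kustomized
          securityContext:
            # Required by dockerd for nested containers; implies full node
            # access if the daemon API is reachable (see header note).
            privileged: true
            seccompProfile:
              type: Unconfined
          env:
            # Empty value disables TLS cert generation and the TLS listener;
            # dockerd then listens in plaintext on 2375 (see header note).
            - name: DOCKER_TLS_CERTDIR
              value: ""
          volumeMounts:
            - name: dind-storage
              mountPath: /var/lib/docker
            - name: config
              mountPath: /etc/docker/daemon.json
              subPath: daemon.json
              readOnly: true
      volumes:
        # Runner working state; discarded with the pod.
        - name: data
          emptyDir: {}
        # Image layers and build cache for dockerd; discarded with the pod.
        - name: dind-storage
          emptyDir: {}
        - name: config
          configMap:
            name: forgejo-runner-config
        - name: zoneinfo
          hostPath:
            path: /usr/share/zoneinfo
            type: Directory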