
Commit 07ecb27

committed
forgejo: runner rootless dind (v3)
1 parent 68ca1b8 commit 07ecb27

1 file changed

+34
-44
lines changed


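--- a/manifests/apps/by-cluster/rgst/forgejo.jsonnet
+++ b/manifests/apps/by-cluster/rgst/forgejo.jsonnet
@@ -138,6 +138,22 @@ local all = {
       redis: { enabled: true },
     },
   ),
+  runner_config: k.ConfigMap(name + '-runner-config', namespace) {
+    data_:: {
+      'config.yaml': std.manifestYamlDoc({
+        runner: {
+          // Generated by the registration init container.
+          file: '.runner',
+        },
+        container: {
+          valid_volumes: ['**'],
+          force_pull: true, // TODO(jaredallard): Periodic re-pull?
+          // Expose our socket into the container.
+          options: '-v /run/docker/docker.sock:/var/run/docker.sock:ro',
+        },
+      }),
+    },
+  },
   runner: k._Object('apps/v1', 'StatefulSet', name + '-runner', namespace) {
     spec: {
       replicas: 2,
@@ -160,7 +176,12 @@ local all = {
               emptyDir: {},
             }
             for name in ['dind-sock', 'dind-etc', 'dind-home', 'runner-data']
-          ],
+          ] + [{
+            name: 'runner-config',
+            configMap: {
+              name: all.runner_config.metadata.name,
+            },
+          }],
           local dind_sock_dir = '/run/docker',
           local dind_sock = dind_sock_dir + '/docker.sock',
           initContainers: [
@@ -180,20 +201,11 @@ local all = {
                 '--labels',
                 'ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest',
               ],
-              env: [
-                {
-                  name: 'RUNNER_NAME',
-                  valueFrom: { fieldRef: { fieldPath: 'metadata.name' } },
-                },
-                {
-                  name: 'RUNNER_SECRET',
-                  valueFrom: { secretKeyRef: { name: $.external_secret.metadata.name, key: 'RUNNER_SECRET' } },
-                },
-                {
-                  name: 'FORGEJO_INSTANCE_URL',
-                  value: 'http://forgejo-http.forgejo.svc.cluster.local:3000',
-                },
-              ],
+              env: k.envList({
+                RUNNER_NAME: { fieldRef: { fieldPath: 'metadata.name' } },
+                RUNNER_SECRET: { secretKeyRef: { name: $.external_secret.metadata.name, key: 'RUNNER_SECRET' } },
+                FORGEJO_INSTANCE_URL: 'http://forgejo-http.forgejo.svc.cluster.local:3000',
+              }),
               resources: {
                 limits: {
                   cpu: 4,
@@ -209,34 +221,6 @@ local all = {
                 mountPath: '/data',
               }],
             },
-            {
-              name: 'setup-dind',
-              image: 'docker:28.0.1-dind-rootless',
-              command: ['sh', '-ex', '-c'],
-              args: [
-                |||
-                  cp -a /etc/. /dind-etc/
-                  echo 'runner:x:1000:1000:runner:/home/runner:/bin/ash' >> /dind-etc/passwd
-                  echo 'runner:x:1000:' >> /dind-etc/group
-                  echo 'runner:100000:65536' >> /dind-etc/subgid
-                  echo 'runner:100000:65536' >> /dind-etc/subuid
-                  chmod 755 /dind-etc;
-                  chmod u=rwx,g=rx+s,o=rx /dind-home
-                  chown 1000:1000 /dind-home
-                ||| % { dock_sock: dind_sock },
-              ],
-              securityContext: { runAsUser: 0 },
-              volumeMounts: [
-                {
-                  name: 'dind-etc',
-                  mountPath: '/dind-etc',
-                },
-                {
-                  name: 'dind-home',
-                  mountPath: '/dind-home',
-                },
-              ],
-            },
             {
               name: 'docker',
               image: 'docker:28.0.1-dind-rootless',
@@ -263,7 +247,7 @@ local all = {
                 },
                 {
                   name: 'dind-home',
-                  mountPath: '/home/runner',
+                  mountPath: '/home/rootless',
                 },
               ],
             },
@@ -285,6 +269,12 @@ local all = {
                   name: 'runner-data',
                   mountPath: '/data',
                 },
+                {
+                  name: 'runner-config',
+                  mountPath: '/data/config.yaml',
+                  subPath: 'config.yaml',
+                  readOnly: true,
+                },
               ],
             }],
           },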
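Review bot: The `:ro` on the socket bind mount in the new `container.options` (`-v /run/docker/docker.sock:/var/run/docker.sock:ro`) does not limit what a job can do with it: a read-only mount only refuses writes to regular files, directories and symlinks, while connect() on a unix socket still succeeds, so every job container gets the full Docker API of the pod's dind daemon. Combined with `valid_volumes: ['**']` in the same ConfigMap, a workflow can then request bind mounts of any path the dind daemon can see (for example its `/home/rootless` state) or start further containers next to other jobs on the same runner; rootless dind bounds this to the dind user inside the pod, but it is still the boundary the runner relies on. Unless `valid_volumes` is what lets the config-level `-v` through (worth confirming against act_runner's volume filtering before narrowing), restrict it to the one path the runner actually needs, `valid_volumes: ['/run/docker/docker.sock'],`, and replace the comment above `options` with `// Expose the dind socket to jobs. NOTE: :ro does not restrict the Docker API — any job can drive the daemon.`. The enclosing `local all = {` object begins before the first hunk and ends after the last one.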
