
Commit aad98ae

committed
forgejo: runner rootless dind (v4)
1 parent dd58d02 commit aad98ae


1 file changed

+62
-82
lines changed


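--- a/manifests/apps/by-cluster/rgst/forgejo.jsonnet
+++ b/manifests/apps/by-cluster/rgst/forgejo.jsonnet
@@ -144,13 +144,13 @@ local all = {
 runner: {
 // Generated by the registration init container.
 file: '.runner',
+envs: {
+DOCKER_HOST: 'tcp://localhost:2376',
+},
 capacity: 2,
 },
 container: {
-valid_volumes: ['**'],
 force_pull: true, // TODO(jaredallard): Periodic re-pull?
-// Expose our socket into the container.
-options: '-v /run/docker/docker.sock:/var/run/docker.sock:ro',
 },
 }),
 },
@@ -172,108 +172,88 @@ local all = {
 'kubernetes.io/hostname': 'mocha',
 },
 volumes: [
+{ name: 'dind-home', emptyDir: {} },
+{ name: 'runner-data', emptyDir: {} },
 {
-name: name,
-emptyDir: {},
-}
-for name in ['dind-sock', 'dind-home', 'runner-data']
-] + [{
-name: 'runner-config',
-configMap: {
-name: all.runner_config.metadata.name,
+name: 'runner-config',
+configMap: {
+name: all.runner_config.metadata.name,
+},
 },
+],
+initContainers: [{
+name: 'runner-register',
+image: 'code.forgejo.org/forgejo/runner:6.2.2',
+command: [
+'forgejo-runner',
+'register',
+'--no-interactive',
+'--token',
+'$(RUNNER_SECRET)',
+'--name',
+'$(RUNNER_NAME)',
+'--instance',
+'$(FORGEJO_INSTANCE_URL)',
+'--labels',
+'ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest',
+],
+env: k.envList({
+RUNNER_NAME: { fieldRef: { fieldPath: 'metadata.name' } },
+RUNNER_SECRET: { secretKeyRef: { name: $.external_secret.metadata.name, key: 'RUNNER_SECRET' } },
+FORGEJO_INSTANCE_URL: 'http://forgejo-http.forgejo.svc.cluster.local:3000',
+}),
+volumeMounts: [{
+name: 'runner-data',
+mountPath: '/data',
+}],
 }],
-local dind_sock_dir = '/run/docker',
-local dind_sock = dind_sock_dir + '/docker.sock',
-initContainers: [
+containers: [
 {
-name: 'runner-register',
+name: 'runner',
 image: 'code.forgejo.org/forgejo/runner:6.2.2',
-command: [
-'forgejo-runner',
-'register',
-'--no-interactive',
-'--token',
-'$(RUNNER_SECRET)',
-'--name',
-'$(RUNNER_NAME)',
-'--instance',
-'$(FORGEJO_INSTANCE_URL)',
-'--labels',
-'ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest',
+command: ['sh', '-e', '-c'],
+args: [
+|||
+while ! nc -z localhost 2376 </dev/null; do
+echo 'waiting for docker daemon...' >&2
+sleep 2
+done
+
+exec forgejo-runner daemon
+|||,
 ],
 env: k.envList({
-RUNNER_NAME: { fieldRef: { fieldPath: 'metadata.name' } },
-RUNNER_SECRET: { secretKeyRef: { name: $.external_secret.metadata.name, key: 'RUNNER_SECRET' } },
-FORGEJO_INSTANCE_URL: 'http://forgejo-http.forgejo.svc.cluster.local:3000',
+DOCKER_HOST: 'tcp://localhost:2376',
 }),
-resources: {
-limits: {
-cpu: 6,
-memory: '12Gi',
+volumeMounts: [
+{
+name: 'runner-data',
+mountPath: '/data',
 },
-requests: {
-cpu: 2,
-memory: '4Gi',
+{
+name: 'runner-config',
+mountPath: '/data/config.yaml',
+subPath: 'config.yaml',
+readOnly: true,
 },
-},
-volumeMounts: [{
-name: 'runner-data',
-mountPath: '/data',
-}],
+],
 },
 {
 name: 'docker',
 image: 'docker:28.0.1-dind-rootless',
-args: [
-'--host',
-'unix://' + dind_sock,
-],
 securityContext: {
 seccompProfile: { type: 'Unconfined' },
 appArmorProfile: { type: 'Unconfined' },
 privileged: true,
 runAsUser: 1000,
 runAsGroup: 1000,
 },
-restartPolicy: 'Always', // sidecar
-volumeMounts: [
-{
-name: 'dind-sock',
-mountPath: dind_sock_dir,
-},
-{
-name: 'dind-home',
-mountPath: '/home/rootless',
-},
-],
+volumeMounts: [{
+name: 'dind-home',
+mountPath: '/home/rootless',
+}],
 },
 ],
-containers: [{
-name: 'runner',
-image: 'code.forgejo.org/forgejo/runner:6.2.2',
-command: ['forgejo-runner', 'daemon'],
-env: k.envList({
-DOCKER_HOST: 'unix:///run/docker/docker.sock',
-}),
-volumeMounts: [
-{
-name: 'dind-sock',
-mountPath: dind_sock_dir,
-readOnly: true,
-},
-{
-name: 'runner-data',
-mountPath: '/data',
-},
-{
-name: 'runner-config',
-mountPath: '/data/config.yaml',
-subPath: 'config.yaml',
-readOnly: true,
-},
-],
-}],
 },
 },
 },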
