gitea runner setup

kustomize/bases/gitea/gitea-deployment.yaml

@@ -39,9 +39,15 @@ spec:
             - name: GITEA__METRICS__ENABLED
               value: "true"
             - name: GITEA__REPOSITORY__DISABLED_REPO_UNITS
-              value: repo.wiki
+              value: epo.issues,repo.ext_issues,repo.pulls,repo.wiki,repo.ext_wiki,repo.projects
             - name: GITEA__REPOSITORY__DEFAULT_REPO_UNITS
               value: repo.code,repo.releases
+            - name: GITEA__REPOSITORY__DEFAULT_FORK_REPO_UNITS
+              value: repo.code,repo.releases
+            - name: GITEA__REPOSITORY__MIRROR_REPO_UNITS
+              value: repo.code,repo.releases
+            - name: GITEA__REPOSITORY__DEFAULT_TEMPLATE_REPO_UNITS
+              value: repo.code,repo.releases
           ports:
             - name: http
               containerPort: 3000

kustomize/bases/gitea/kustomization.yaml

@@ -1,6 +1,8 @@
 resources:
   - gitea-deployment.yaml
   - gitea-ingress.yaml
+  - runner-statefulset.yaml
+  - runner-externalsecret.yaml
 
 namePrefix: gitea-
 
@@ -35,3 +37,23 @@ replacements:
           name: server
         fieldPaths:
           - spec.rules.0.host
+  - source:
+      kind: StatefulSet
+      name: runner-amd64
+      fieldPath: spec.template.spec.containers
+    targets:
+      - select:
+          kind: StatefulSet
+          name: runner-arm64
+        fieldPaths:
+          - spec.template.spec.containers
+  - source:
+      kind: StatefulSet
+      name: runner-amd64
+      fieldPath: spec.volumeClaimTemplates
+    targets:
+      - select:
+          kind: StatefulSet
+          name: runner-arm64
+        fieldPaths:
+          - spec.volumeClaimTemplates

kustomize/bases/gitea/runner-externalsecret.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: runner-config
+  labels:
+    app.kubernetes.io/managed-by: external-secret
+    app.kubernetes.io/component: runner
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: runner-config
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/managed-by: external-secret
+          app.kubernetes.io/component: runner
+        annotations: {}
+  data:
+    - secretKey: registration_token
+      remoteRef:
+        key: /k3s/prod/gitea/runner/registration_token

kustomize/bases/gitea/runner-statefulset.yaml

@@ -0,0 +1,122 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: runner-amd64
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/component: runner
+    app.kubernetes.io/arch: amd64
+spec:
+  serviceName: runner-amd64
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+      app.kubernetes.io/component: runner
+      app.kubernetes.io/arch: amd64
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gitea
+        app.kubernetes.io/component: runner
+        app.kubernetes.io/arch: amd64
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - amd64
+      containers:
+        - name: runner
+          image: gitea/act_runner:nightly
+          command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: GITEA_INSTANCE_URL
+              value: http://gitea-server.$(NAMESPACE).svc
+            - name: GITEA_RUNNER_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: runner-config
+                  key: registration_token
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_CERT_PATH
+              value: /data/certs/client
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+          resources:
+            requests:
+              memory: 200Mi
+              cpu: 200m
+            limits:
+              memory: 200Mi
+              cpu: 200m
+          volumeMounts:
+            - name: runner-data-pvc
+              mountPath: /data
+        - name: docker
+          image: docker:dind
+          securityContext:
+            privileged: true
+          env:
+          - name: DOCKER_TLS_CERTDIR
+            value: /data/certs
+          volumeMounts:
+          - name: runner-data-pvc
+            mountPath: /data
+  volumeClaimTemplates:
+    - metadata:
+        name: runner-data-pvc
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: runner-arm64
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/component: runner
+    app.kubernetes.io/arch: arm64
+spec:
+  serviceName: runner-arm64
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+      app.kubernetes.io/component: runner
+      app.kubernetes.io/arch: arm64
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gitea
+        app.kubernetes.io/component: runner
+        app.kubernetes.io/arch: arm64
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - arm64
+      containers: []
+  volumeClaimTemplates: []