Adding in Gitea Runner testing; not very secure yet
danmanners committed Sep 16, 2023
1 parent 4a9662b commit 56bf5c7
Showing 6 changed files with 222 additions and 0 deletions.
9 changes: 9 additions & 0 deletions manifests/workloads/gitea/runners/kustomization.yaml
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: git

resources:
- rbac.yaml
- pod.yaml
- pvc.yaml
- rbac-test-job.yaml
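Review bot: `rbac-test-job.yaml` is listed as a permanent resource of this Kustomization next to the runner itself, so the one-off validation Job (whose only purpose, per the readme, is to check that the RBAC works) ships with every deploy of the runner and leaves a token-printing Job behind. Keep it out of the base, either as a separate overlay or applied by hand once, and keep the base to `rbac.yaml`, `pvc.yaml` and `pod.yaml`.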
85 changes: 85 additions & 0 deletions manifests/workloads/gitea/runners/pod.yaml
@@ -0,0 +1,85 @@
apiVersion: v1
kind: Pod
metadata:
name: gitea-runner
namespace: git
labels:
gitea-runner: ''
spec:
serviceAccountName: grt
restartPolicy: OnFailure
initContainers:
- name: fetch-runner-token
image: core.harbor.homelab.danmanners.com/docker.io/library/alpine:latest
command: ["ash", "-c"]
args:
- |
apk add --no-cache curl 2>&1 >/dev/null
export ARCH=$(uname -m | awk '{print ($1=="x86_64" ? "amd64" : ($1=="aarch64" ? "arm64" : "unknown"))}')
curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" 2>&1 >/dev/null
chmod +x ./kubectl 2>&1 >/dev/null
./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt > /token/GITEA_RUNNER_REGISTRATION_TOKEN
resources: {}
volumeMounts:
- name: token
mountPath: /token
containers:
- name: runner
image: core.harbor.homelab.danmanners.com/docker.io/gitea/act_runner:nightly
command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
- name: GITEA_INSTANCE_URL
value: http://gitea-http.git.svc.cluster.local:3000
- name: GITEA_RUNNER_REGISTRATION_TOKEN_FILE
value: /token/GITEA_RUNNER_REGISTRATION_TOKEN
# Mount the secret from the init container
resources: {}
volumeMounts:
- name: token
mountPath: /token
- name: docker-certs
mountPath: /certs
- name: runner-data
mountPath: /data
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: Always
- name: daemon
image: core.harbor.homelab.danmanners.com/docker.io/library/docker:23.0.6-dind
resources: {}
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
securityContext:
privileged: true
volumeMounts:
- name: docker-certs
mountPath: /certs
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
volumes:
- name: docker-certs
emptyDir: {}
- name: runner-data
persistentVolumeClaim:
claimName: act-runner-vol
- name: token
emptyDir: {}
terminationGracePeriodSeconds: 30
securityContext: {}
tolerations:
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoExecute
tolerationSeconds: 300
- key: node.kubernetes.io/unreachable
operator: Exists
effect: NoExecute
tolerationSeconds: 300
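Review bot: the `fetch-runner-token` init container downloads `kubectl` from `dl.k8s.io` on every pod start, following `stable.txt` to whatever release is current, with no checksum or signature check between the `curl -sLO` and the `chmod +x ./kubectl`, and then runs that binary with the `grt` service account's credentials; pin the kubectl version and verify the download against the `kubectl.sha256` file published next to it before executing it, and pin `alpine:latest` and `act_runner:nightly` to digests for the same reason. Two smaller points in the same hunk: the comment `# Mount the secret from the init container` is misleading, since `token` is an `emptyDir` rather than a Secret, so the registration token sits in plain text on the node's ephemeral storage for the life of the pod; and `privileged: true` on the `daemon` container makes this pod equivalent to root on whichever node schedules it, which is worth stating plainly wherever this manifest is documented.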
12 changes: 12 additions & 0 deletions manifests/workloads/gitea/runners/pvc.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: act-runner-vol
namespace: git
spec:
storageClassName: ceph-rbd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
35 changes: 35 additions & 0 deletions manifests/workloads/gitea/runners/rbac-test-job.yaml
@@ -0,0 +1,35 @@
apiVersion: batch/v1
kind: Job
metadata:
name: gitea-runner
namespace: git
labels:
gitea-runner: ''
spec:
backoffLimit: 5
template:
spec:
restartPolicy: OnFailure
containers:
- name: fetch-runner-token
image: docker.io/library/alpine:latest
command: ["ash", "-c"]
args:
- |
apk add --no-cache curl 2>&1 >/dev/null
export ARCH=$(uname -m | awk '{print ($1=="x86_64" ? "amd64" : ($1=="aarch64" ? "arm64" : "unknown"))}')
curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" 2>&1 >/dev/null
chmod +x ./kubectl 2>&1 >/dev/null
./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt
resources: {}
serviceAccountName: grt
securityContext: {}
tolerations:
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoExecute
tolerationSeconds: 300
- key: node.kubernetes.io/unreachable
operator: Exists
effect: NoExecute
tolerationSeconds: 300
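Review bot: `./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt` has no redirect here, so the freshly generated registration token goes to the Job's stdout and therefore into pod logs, readable by anyone with `pods/log` in the `git` namespace and by any log shipper attached to the cluster; the readme even relies on this ("If there is a token output, then the job ran successfully"). Test the exit status or the byte count of the output instead of printing the token, and delete the Job once the check has passed. Also, this Job pulls `docker.io/library/alpine:latest` directly while `pod.yaml` pulls the same image through `core.harbor.homelab.danmanners.com`; one of the two is probably unintended.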
45 changes: 45 additions & 0 deletions manifests/workloads/gitea/runners/rbac.yaml
@@ -0,0 +1,45 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: grt
namespace: git
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: grt.service-account-token
namespace: git
annotations:
kubernetes.io/service-account.name: grt
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gitea-runner-token
namespace: git
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: grt
namespace: git
subjects:
- name: grt
namespace: git
kind: ServiceAccount
roleRef:
kind: Role
name: gitea-runner-token
apiGroup: rbac.authorization.k8s.io
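Review bot: `create` on `pods/exec` for the whole `git` namespace is interactive shell access to every pod in it, Gitea and anything else deployed there included, not just permission to run `gitea actions grt`; `resourceNames` cannot usefully narrow it because Deployment pod names are generated, so this Role is as broad as the commit message admits. Separately, the `kubernetes.io/service-account-token` Secret `grt.service-account-token` is a standing, non-expiring credential that nothing in this commit references (`pod.yaml` already gets a projected token through `serviceAccountName: grt`); drop it unless something outside the repository needs it.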

36 changes: 36 additions & 0 deletions manifests/workloads/gitea/runners/readme.adoc
@@ -0,0 +1,36 @@
= Gitea Runners

WARNING: BE EXTREMELY CAREFUL; this RBAC is not locked down well and a malicious actor could do malicious things.

This is a proof of concept and should not be used in production.

The goal of this is to allow a Gitea pod to create a runner registration token and then use that token to register itself. This is not secure in any way and, I cannot stress this enough, **should not be used in production**.

Thar be dragons here; you have been warned.

== You've made it this far...

Fine, you want to mess around? Here's what you should do.

* Deploy the Kustomization file.

[source,bash]
----
kustomize build . | kubectl apply -f -
----

This will deploy the following:

- RBAC for the Gitea Pod to fetch the runner registration token
- A Job to validate that the RBAC is working
- If there is a token output, then the job ran successfully.
- A PersistentVolumeClaim for the runner workspace
- The Runner Pod with DinD baked in

* Navigate to the Gitea instance and confirm that the runner is registered

Navigate to your Gitea instance, login as an administrator, navigate to the Administrative Runners section, confirm that the runner is registered and online.

== What isn't working?

So far, this deployment will not de-register the runner if and when it is deleted. As of now, I can't find any way to de-register runners other than through the Gitea UI.
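Review bot: the "This will deploy the following" list omits the ServiceAccount token Secret from `rbac.yaml`, and the steps should tell the reader to delete the validation Job after the check, since the token it prints stays in the Job's logs. The warning at the top would also carry more weight if it named the two concrete exposures (`pods/exec` on the namespace and a `privileged` DinD container) instead of "malicious things". Minor: the procedure mixes `*` and `-` bullets; pick one.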
