Commit
Adding in Gitea Runner testing; not very secure yet
1 parent 4a9662b, commit 56bf5c7. Showing 6 changed files with 222 additions and 0 deletions.
@@ -0,0 +1,9 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
namespace: git | ||
|
||
resources: | ||
- rbac.yaml | ||
- pod.yaml | ||
- pvc.yaml | ||
- rbac-test-job.yaml |
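Review bot: listing rbac-test-job.yaml among the base resources means every `kustomize build . | kubectl apply -f -` also runs the validation Job, which mints a fresh runner registration token on each apply (and on each retry); keep the base to rbac.yaml, pod.yaml and pvc.yaml and put the test Job in a separate overlay that is applied only when the RBAC is being checked.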
@@ -0,0 +1,85 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: gitea-runner | ||
namespace: git | ||
labels: | ||
gitea-runner: '' | ||
spec: | ||
serviceAccountName: grt | ||
restartPolicy: OnFailure | ||
initContainers: | ||
- name: fetch-runner-token | ||
image: core.harbor.homelab.danmanners.com/docker.io/library/alpine:latest | ||
command: ["ash", "-c"] | ||
args: | ||
- | | ||
apk add --no-cache curl 2>&1 >/dev/null | ||
export ARCH=$(uname -m | awk '{print ($1=="x86_64" ? "amd64" : ($1=="aarch64" ? "arm64" : "unknown"))}') | ||
curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" 2>&1 >/dev/null | ||
chmod +x ./kubectl 2>&1 >/dev/null | ||
./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt > /token/GITEA_RUNNER_REGISTRATION_TOKEN | ||
resources: {} | ||
volumeMounts: | ||
- name: token | ||
mountPath: /token | ||
containers: | ||
- name: runner | ||
image: core.harbor.homelab.danmanners.com/docker.io/gitea/act_runner:nightly | ||
command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"] | ||
env: | ||
- name: DOCKER_HOST | ||
value: tcp://localhost:2376 | ||
- name: DOCKER_CERT_PATH | ||
value: /certs/client | ||
- name: DOCKER_TLS_VERIFY | ||
value: "1" | ||
- name: GITEA_INSTANCE_URL | ||
value: http://gitea-http.git.svc.cluster.local:3000 | ||
- name: GITEA_RUNNER_REGISTRATION_TOKEN_FILE | ||
value: /token/GITEA_RUNNER_REGISTRATION_TOKEN | ||
# Mount the secret from the init container | ||
resources: {} | ||
volumeMounts: | ||
- name: token | ||
mountPath: /token | ||
- name: docker-certs | ||
mountPath: /certs | ||
- name: runner-data | ||
mountPath: /data | ||
terminationMessagePath: /dev/termination-log | ||
terminationMessagePolicy: File | ||
imagePullPolicy: Always | ||
- name: daemon | ||
image: core.harbor.homelab.danmanners.com/docker.io/library/docker:23.0.6-dind | ||
resources: {} | ||
env: | ||
- name: DOCKER_TLS_CERTDIR | ||
value: /certs | ||
securityContext: | ||
privileged: true | ||
volumeMounts: | ||
- name: docker-certs | ||
mountPath: /certs | ||
terminationMessagePath: /dev/termination-log | ||
terminationMessagePolicy: File | ||
imagePullPolicy: IfNotPresent | ||
volumes: | ||
- name: docker-certs | ||
emptyDir: {} | ||
- name: runner-data | ||
persistentVolumeClaim: | ||
claimName: act-runner-vol | ||
- name: token | ||
emptyDir: {} | ||
terminationGracePeriodSeconds: 30 | ||
securityContext: {} | ||
tolerations: | ||
- key: node.kubernetes.io/not-ready | ||
operator: Exists | ||
effect: NoExecute | ||
tolerationSeconds: 300 | ||
- key: node.kubernetes.io/unreachable | ||
operator: Exists | ||
effect: NoExecute | ||
tolerationSeconds: 300 |
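Review bot: the `grt` service account token is mounted into all three containers for the pod's lifetime (including the privileged `daemon` sidecar), although only `fetch-runner-token` needs it; set `automountServiceAccountToken: false` on the pod and mount a projected `serviceAccountToken` volume into the init container alone. The init script also has no `set -e`, so if `gitea actions grt` fails the redirect still creates an empty `/token/GITEA_RUNNER_REGISTRATION_TOKEN` and the runner starts with it; add `set -eo pipefail` and a `test -s` on the file. Note that `2>&1 >/dev/null` sends stderr to the original stdout rather than to /dev/null (the order would need to be `>/dev/null 2>&1`), and that kubectl is fetched unpinned from `stable.txt` on every pod start without a checksum; pin the version and verify it against the published `kubectl.sha256` next to the binary.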
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: PersistentVolumeClaim | ||
metadata: | ||
name: act-runner-vol | ||
namespace: git | ||
spec: | ||
storageClassName: ceph-rbd | ||
accessModes: | ||
- ReadWriteOnce | ||
resources: | ||
requests: | ||
storage: 1Gi |
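Review bot: 1Gi is tight for `/data` if the runner's workspace and job checkouts land there alongside its registration state; a comment recording that the registration survives only as long as this PVC (which is what makes the de-registration issue in the README bite when the claim is deleted) would help the next reader.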
@@ -0,0 +1,35 @@ | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: gitea-runner | ||
namespace: git | ||
labels: | ||
gitea-runner: '' | ||
spec: | ||
backoffLimit: 5 | ||
template: | ||
spec: | ||
restartPolicy: OnFailure | ||
containers: | ||
- name: fetch-runner-token | ||
image: docker.io/library/alpine:latest | ||
command: ["ash", "-c"] | ||
args: | ||
- | | ||
apk add --no-cache curl 2>&1 >/dev/null | ||
export ARCH=$(uname -m | awk '{print ($1=="x86_64" ? "amd64" : ($1=="aarch64" ? "arm64" : "unknown"))}') | ||
curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" 2>&1 >/dev/null | ||
chmod +x ./kubectl 2>&1 >/dev/null | ||
./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt | ||
resources: {} | ||
serviceAccountName: grt | ||
securityContext: {} | ||
tolerations: | ||
- key: node.kubernetes.io/not-ready | ||
operator: Exists | ||
effect: NoExecute | ||
tolerationSeconds: 300 | ||
- key: node.kubernetes.io/unreachable | ||
operator: Exists | ||
effect: NoExecute | ||
tolerationSeconds: 300 |
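Review bot: the validation container prints the generated registration token to stdout (the final `gitea actions grt` has no redirect), so the secret ends up in the Job's pod logs, readable by anyone with `pods/log` in the `git` namespace and by any log shipper; assert on it instead, e.g. `test -n "$(./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt)"`, and echo only a pass/fail line. With `backoffLimit: 5` and `restartPolicy: OnFailure`, each retry also mints another token. The image here is `docker.io/library/alpine:latest` while pod.yaml uses the harbor mirror; pick one source and pin a digest.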
@@ -0,0 +1,45 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: grt | ||
namespace: git | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
type: kubernetes.io/service-account-token | ||
metadata: | ||
name: grt.service-account-token | ||
namespace: git | ||
annotations: | ||
kubernetes.io/service-account.name: grt | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: gitea-runner-token | ||
namespace: git | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods"] | ||
verbs: ["get", "list"] | ||
- apiGroups: ["apps"] | ||
resources: ["deployments"] | ||
verbs: ["get", "list"] | ||
- apiGroups: [""] | ||
resources: ["pods/exec"] | ||
verbs: ["create"] | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: grt | ||
namespace: git | ||
subjects: | ||
- name: grt | ||
namespace: git | ||
kind: ServiceAccount | ||
roleRef: | ||
kind: Role | ||
name: gitea-runner-token | ||
apiGroup: rbac.authorization.k8s.io | ||
|
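Review bot: `create` on `pods/exec` without `resourceNames` lets the `grt` service account exec into every pod in the `git` namespace, not just the Gitea one, which is arbitrary command execution in those containers rather than token generation; the README's warning should state that concretely, and the safer shape is to avoid exec from a long-lived runner pod altogether (generate the token once and store it in a Kubernetes Secret the runner reads, or fetch it through Gitea's API with a scoped admin token if the version in use exposes one). The `kubernetes.io/service-account-token` Secret also creates a non-expiring token for `grt` that nothing in this commit reads; pods already receive short-lived projected tokens, so drop it.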
@@ -0,0 +1,36 @@ | ||
= Gitea Runners | ||
|
||
WARNING: BE EXTREMELY CAREFUL; this RBAC is not locked down well and a malicious actor could do malicious things. | ||
|
||
This is a proof of concept and should not be used in production. | ||
|
||
The goal of this is to allow a Gitea pod to create a runner registration token and then use that token to register itself. This is not secure in any way and, I cannot stress this enough, **should not be used in production**. | ||
|
||
Thar be dragons here; you have been warned. | ||
|
||
== You've made it this far... | ||
|
||
Fine, you want to mess around? Here's what you should do. | ||
|
||
* Deploy the Kustomization file. | ||
|
||
[source,bash] | ||
---- | ||
kustomize build . | kubectl apply -f - | ||
---- | ||
|
||
This will deploy the following: | ||
|
||
- RBAC for the Gitea Pod to fetch the runner registration token | ||
- A Job to validate that the RBAC is working | ||
- If there is a token output, then the job ran successfully. | ||
- A PersistentVolumeClaim for the runner workspace | ||
- The Runner Pod with DinD baked in | ||
|
||
* Navigate to the Gitea instance and confirm that the runner is registered | ||
|
||
Navigate to your Gitea instance, login as an administrator, navigate to the Administrative Runners section, confirm that the runner is registered and online. | ||
|
||
== What isn't working? | ||
|
||
So far, this deployment will not de-register the runner if and when it is deleted. As of now, I can't find any way to de-register runners other than through the Gitea UI. |
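Review bot: the warnings say the RBAC is "not locked down well" but never say what it grants; name it in the first section: the `grt` service account can exec into any pod in the `git` namespace, and the test Job writes the registration token into its pod logs. The deploy step should also say how to read the Job's result (`kubectl logs job/gitea-runner -n git`) and that the Job, and the token it logged, should be deleted once the check passes.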