From 56bf5c71e678922fdef6303d1758356338d71711 Mon Sep 17 00:00:00 2001
From: Dan Manners
Date: Sat, 16 Sep 2023 14:36:25 -0400
Subject: [PATCH] Adding in Gitea Runner testing; not very secure yet
---
.../gitea/runners/kustomization.yaml | 9 ++
manifests/workloads/gitea/runners/pod.yaml | 85 +++++++++++++++++++
manifests/workloads/gitea/runners/pvc.yaml | 12 +++
.../gitea/runners/rbac-test-job.yaml | 35 ++++++++
manifests/workloads/gitea/runners/rbac.yaml | 45 ++++++++++
manifests/workloads/gitea/runners/readme.adoc | 36 ++++++++
6 files changed, 222 insertions(+)
create mode 100644 manifests/workloads/gitea/runners/kustomization.yaml
create mode 100644 manifests/workloads/gitea/runners/pod.yaml
create mode 100644 manifests/workloads/gitea/runners/pvc.yaml
create mode 100644 manifests/workloads/gitea/runners/rbac-test-job.yaml
create mode 100644 manifests/workloads/gitea/runners/rbac.yaml
create mode 100644 manifests/workloads/gitea/runners/readme.adoc
diff --git a/manifests/workloads/gitea/runners/kustomization.yaml b/manifests/workloads/gitea/runners/kustomization.yaml
new file mode 100644
index 00000000..96c3a309
--- /dev/null
+++ b/manifests/workloads/gitea/runners/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: git
+
+resources:
+- rbac.yaml
+- pod.yaml
+- pvc.yaml
+- rbac-test-job.yaml
diff --git a/manifests/workloads/gitea/runners/pod.yaml b/manifests/workloads/gitea/runners/pod.yaml
new file mode 100644
index 00000000..410908e6
--- /dev/null
+++ b/manifests/workloads/gitea/runners/pod.yaml
@@ -0,0 +1,85 @@ +apiVersion: v1 +kind: Pod +metadata: + name: gitea-runner + namespace: git + labels: + gitea-runner: '' +spec: + serviceAccountName: grt + restartPolicy: OnFailure + initContainers: + - name: fetch-runner-token + image: core.harbor.homelab.danmanners.com/docker.io/library/alpine:latest + command: ["ash", "-c"] + args: + - | + apk add --no-cache curl 2>&1 >/dev/null + export ARCH=$(uname -m | awk '{print ($1=="x86_64" ? "amd64" : ($1=="aarch64" ? "arm64" : "unknown"))}') + curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" 2>&1 >/dev/null + chmod +x ./kubectl 2>&1 >/dev/null + ./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt > /token/GITEA_RUNNER_REGISTRATION_TOKEN + resources: {} + volumeMounts: + - name: token + mountPath: /token + containers: + - name: runner + image: core.harbor.homelab.danmanners.com/docker.io/gitea/act_runner:nightly + command: ["sh", "-c", "while ! nc -z localhost 2376 &1 >/dev/null + export ARCH=$(uname -m | awk '{print ($1=="x86_64" ? "amd64" : ($1=="aarch64" ? "arm64" : "unknown"))}') + curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" 2>&1 >/dev/null + chmod +x ./kubectl 2>&1 >/dev/null + ./kubectl exec -n git deployments/gitea -c gitea -- gitea actions grt + resources: {} + serviceAccountName: grt + securityContext: {} + tolerations: + - key: node.kubernetes.io/not-ready + operator: Exists + effect: NoExecute + tolerationSeconds: 300 + - key: node.kubernetes.io/unreachable + operator: Exists + effect: NoExecute + tolerationSeconds: 300 diff --git a/manifests/workloads/gitea/runners/rbac.yaml b/manifests/workloads/gitea/runners/rbac.yaml new file mode 100644 index 00000000..dbb07d7f --- /dev/null +++ b/manifests/workloads/gitea/runners/rbac.yaml 
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: grt
+ namespace: git
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: grt.service-account-token
+ namespace: git
+ annotations:
+ kubernetes.io/service-account.name: grt
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: gitea-runner-token
+ namespace: git
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list"]
+- apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: grt
+ namespace: git
+subjects:
+- name: grt
+ namespace: git
+ kind: ServiceAccount
+roleRef:
+ kind: Role
+ name: gitea-runner-token
+ apiGroup: rbac.authorization.k8s.io
+
diff --git a/manifests/workloads/gitea/runners/readme.adoc b/manifests/workloads/gitea/runners/readme.adoc
new file mode 100644
index 00000000..7d91c5d4
--- /dev/null
+++ b/manifests/workloads/gitea/runners/readme.adoc
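Review bot: The `kubernetes.io/service-account-token` Secret `grt.service-account-token` in the second document is a non-expiring credential for an account that can `create` `pods/exec` on every pod in the `git` namespace, and nothing visible in this patch consumes it: the pod and job specs in the preceding (collapsed) hunk set `serviceAccountName: grt` and therefore receive a short-lived projected token without it. Either drop that Secret document or put a comment above it naming its consumer, e.g. `# Long-lived token for testing from outside the cluster; not used by the in-cluster pods, delete once the runner is registered`. The Role would also benefit from a one-line comment such as `# pods/exec is namespace-wide because the gitea pod name is generated; this is the exposure the readme warns about`, because as far as the collapsed pod.yaml hunk shows the same account is the one the runner container itself runs under, so any workflow the runner executes inherits the exec permission unless the token is mounted only in the init container.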
@@ -0,0 +1,36 @@
+= Gitea Runners
+
+WARNING: BE EXTREMELY CAREFUL; this RBAC is not locked down well and a malicious actor could do malicious things.
+
+This is a proof of concept and should not be used in production.
+
+The goal of this is to allow a Gitea pod to create a runner registration token and then use that token to register itself. This is not secure in any way and, I cannot stress this enough, **should not be used in production**.
+
+Thar be dragons here; you have been warned.
+
+== You've made it this far...
+
+Fine, you want to mess around? Here's what you should do.
+
+* Deploy the Kustomization file.
+
+[source,bash]
+----
+kustomize build . | kubectl apply -f -
+----
+
+This will deploy the following:
+
+- RBAC for the Gitea Pod to fetch the runner registration token
+- A Job to validate that the RBAC is working
+ - If there is a token output, then the job ran successfully.
+- A PersistentVolumeClaim for the runner workspace
+- The Runner Pod with DinD baked in
+
+* Navigate to the Gitea instance and confirm that the runner is registered
+
+Navigate to your Gitea instance, login as an administrator, navigate to the Administrative Runners section, confirm that the runner is registered and online.
+
+== What isn't working?
+
+So far, this deployment will not de-register the runner if and when it is deleted. As of now, I can't find any way to de-register runners other than through the Gitea UI.