K8S resources for a K8S-based forgejo-runner that docker build works inside
This repository has been archived on 2025年11月14日. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
Solace System Renovate Fox 1cac33f44a
fix(deps): update ubuntu:latest docker digest to 4a5ffc0
2025年11月14日 00:19:20 +00:00
.forgejo/workflows fix(deps): update ghcr.io/catthehacker/ubuntu:act-latest docker digest to a66bcb4 2025年11月08日 14:01:40 +00:00
build fix(deps): update docker:dind docker digest to 96789d5 2025年11月12日 21:01:18 +00:00
.checkov.yaml fix: add some docs as to what we're disabling 2025年03月18日 13:47:35 +01:00
.gitignore chore: Ignore unneeded stuff 2024年11月07日 23:05:46 +01:00
CHANGELOG.md chore(version): v0.19.65 [skip ci] 2025年11月12日 23:41:22 +00:00
cog.toml build: Add a prefix to tags 2024年11月11日 19:44:04 +01:00
docker-bake.hcl ci: add GPG signing for Helm chart 2025年08月02日 20:53:44 +02:00
Dockerfile fix(deps): update ubuntu:latest docker digest to 4a5ffc0 2025年11月14日 00:19:20 +00:00
Justfile feat: switch to stateful set for ci so the cache is reused 2025年07月09日 23:20:44 +02:00
README.md docs: remove random upper casing 2025年07月11日 22:32:11 +02:00
renovate.json ci: use app preset 2025年06月24日 23:05:19 +02:00

K8S Forgejo Runner

With docker in docker available in the container.

Features:

  • Comes with an autoscaler
  • Graceful shutdowns
  • One runner per node
  • Network policy with only outbound connectivity
  • No API token mounted for the Kubernetes API
  • Read only file systems and minimal permissions (yeah, I know, DIND needs admin, not much can be done there)

Mostly I just wish I had this reference when I was trying to set this up, as the example leaves something to be desired. Combined with a cluster autoscaler in your k8s cluster, you have autoscaling runners.

The raw resources have comments on motivation behind each of the choices, and how to make the deployment more secure. This isn't done out the box as it would require an alternative container runtime (such as gvisor, kata, sysbox, or similar), which is a bit of a niche setup.

Installing

Kustomize

On the releases page you can download the combined version of the resources (combined.yaml). You'll also need to create a secret containing the runner token. Here's an example command to generate a new secret.

All resources are created in the forgejo-runner namespace.

To print the resource:

kubectl create \
	secret generic \
	runner-secret \
	"--from-literal=token=$RUNNER_TOKEN" \
	--dry-run=client \
	--output=yaml \
	--namespace forgejo-runner 

To create it:

kubectl create \
	secret generic \
	runner-secret \
	"--from-literal=token=$RUNNER_TOKEN" \
	--namespace forgejo-runner 
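The two commands above are the whole procedure: render the Secret, then create it. As an added example (not code from the forgejo-runner repository), the function below renders the same runner-secret manifest without calling kubectl, so it can be checked in a shell with no cluster access and then piped into kubectl apply. It refuses an empty token, and the decode helper shows that the data field is only base64-encoded, not encrypted, so the rendered YAML must be handled as the secret it is. The names runner-secret and forgejo-runner are the page's own; the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the forgejo-runner repository: render the
# runner-secret manifest the README creates with `kubectl create secret`.

# Render a Secret manifest for NAME in NAMESPACE holding TOKEN.
# Kubernetes stores `data` values base64-encoded; that is an encoding,
# not encryption, so the output still leaks the token if committed or logged.
render_runner_secret() {
    name="$1"
    namespace="$2"
    token="$3"
    if [ -z "$token" ]; then
        echo "refusing to render an empty runner token" >&2
        return 1
    fi
    # base64 without line wrapping (GNU base64 wraps at 76 chars by default)
    encoded=$(printf '%s' "$token" | base64 | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  token: %s\n' \
        "$name" "$namespace" "$encoded"
}

# Decode the token back out of a rendered manifest read on stdin,
# i.e. exactly what the runner sees once the secret is mounted.
decode_token() {
    sed -n 's/^  token: //p' | base64 -d
}

# Usage (assumes RUNNER_TOKEN is exported in the current shell):
#   render_runner_secret runner-secret forgejo-runner "$RUNNER_TOKEN" | kubectl apply -f -
```

Because the token only ever travels through a pipe, nothing with the real value is written to disk; if you do redirect the output to a file to inspect it, treat that file like the token itself.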

Alternatively you could use kustomize

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - https://codeberg.org/PurpleBooth/forgejo-runner/releases/download/latest/combined.yaml
secretGenerator:
  - name: runner-secret
    namespace: forgejo-runner
    behavior: merge
    literals:
      - token=your-actual-token-here
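An inline literal puts the real token into kustomization.yaml, which normally gets committed. As an added example (not from the forgejo-runner repository), the same generator can read the token from an env file kept out of version control instead; the file name runner.env is an assumption, and the rest of the kustomization is unchanged from the one above.

```yaml
# Added example, not part of the forgejo-runner repository.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - https://codeberg.org/PurpleBooth/forgejo-runner/releases/download/latest/combined.yaml
secretGenerator:
  - name: runner-secret
    namespace: forgejo-runner
    behavior: merge
    # runner.env (assumed name) holds a single line, token=<runner token>,
    # and is listed in .gitignore so the token never lands in a commit.
    envs:
      - runner.env
```

Apply it with kubectl apply -k from the directory holding kustomization.yaml and runner.env; the token still ends up base64-encoded in the cluster's Secret, so the gain is only that it stays out of the repository history.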

Helm

There's also a Helm chart. If you would rather not leave the browser to read the values, they're on the releases page.

helm show values oci://codeberg.org/purplebooth/helm-forgejo-runner/forgejo-runner > values.yaml
helm install forgejo-runner oci://codeberg.org/purplebooth/helm-forgejo-runner/forgejo-runner \
 --namespace forgejo-runner \
 --create-namespace \
 --values values.yaml