From c3b7003725f70153662f08e2038d8f1532316d3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20Rodrigues?=
Date: Sat, 20 Jun 2026 16:06:32 +0100
Subject: [PATCH] =?UTF-8?q?chore(infra):=20disable=20Gitea=20and=20act-run?= =?UTF-8?q?ner=20=E2=80=94=20postponed=20until=20dedicated=20server?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Empties gitea.tf and act-runner.tf so terraform apply removes all Gitea and runner resources. Drops the gitea namespace from the managed list. Full config preserved in git history.
Co-Authored-By: Claude Sonnet 4.6
---
 infrastructure/terraform/act-runner.tf | 202 +------------------------
 infrastructure/terraform/gitea.tf | 167 +-------------------
 infrastructure/terraform/namespaces.tf | 2 +-
 3 files changed, 5 insertions(+), 366 deletions(-)
diff --git a/infrastructure/terraform/act-runner.tf b/infrastructure/terraform/act-runner.tf
index a5f0b20..b3e75ff 100644
--- a/infrastructure/terraform/act-runner.tf
+++ b/infrastructure/terraform/act-runner.tf
@@ -1,200 +1,2 @@
-resource "kubernetes_service_account" "act_runner" {
- metadata {
- name = "act-runner"
- namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
- }
-}
-
-resource "kubernetes_cluster_role" "act_runner" {
- metadata {
- name = "act-runner"
- }
- # Allow deploying to finance namespace
- rule {
- api_groups = ["apps"]
- resources = ["deployments"]
- verbs = ["get", "list", "patch", "update"]
- }
- rule {
- api_groups = [""]
- resources = ["pods", "pods/log"]
- verbs = ["get", "list"]
- }
- # Allow creating Kaniko build jobs in gitea namespace
- rule {
- api_groups = ["batch"]
- resources = ["jobs"]
- verbs = ["create", "get", "list", "watch", "delete"]
- }
-}
-
-resource "kubernetes_cluster_role_binding" "act_runner" {
- metadata {
- name = "act-runner"
- }
- role_ref {
- api_group = "rbac.authorization.k8s.io"
- kind = "ClusterRole"
- name = kubernetes_cluster_role.act_runner.metadata[0].name
- }
- subject {
- kind = "ServiceAccount"
- name = kubernetes_service_account.act_runner.metadata[0].name
- namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
- }
-}
-
-# ConfigMap for act runner config (host executor mode — steps run directly in runner container)
-resource "kubernetes_config_map" "act_runner" {
- metadata {
- name = "act-runner-config"
- namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
- }
- data = {
- "config.yaml" = yamlencode({
- log = { level = "info" }
- runner = {
- capacity = 2
- fetch_timeout = "5s"
- fetch_interval = "2s"
- report_interval = "1s"
- envs = {}
- }
- cache = { enabled = false }
- container = {
- network = "host"
- # Allow pipeline steps to mount the SA token for kubectl
- valid_volumes = [
- "/var/run/secrets/kubernetes.io/serviceaccount",
- ]
- docker_host = "tcp://localhost:2375"
- }
- })
- }
-}
-
-resource "kubernetes_deployment" "act_runner" {
- depends_on = [helm_release.gitea, kubernetes_secret.gitea_runner_token]
-
- metadata {
- name = "act-runner"
- namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
- labels = { app = "act-runner" }
- }
-
- spec {
- replicas = 1
- selector {
- match_labels = { app = "act-runner" }
- }
- template {
- metadata {
- labels = { app = "act-runner" }
- }
- spec {
- service_account_name = kubernetes_service_account.act_runner.metadata[0].name
-
- # act runner — runs steps using Docker (provided by dind sidecar)
- container {
- name = "runner"
- image = "gitea/act_runner:latest"
-
- command = ["/bin/sh", "-c"]
- args = [<<-EOT
- set -e
- # Register if not yet registered
- if [ ! -f /data/.runner ]; then
- act_runner register \
- --no-interactive \
- --instance http://gitea-http.gitea.svc.cluster.local:3000 \
- --token "$(cat /etc/runner-token/token)" \
- --name "k3d-runner-$(hostname)" \
- --labels ubuntu-latest
- fi
- exec act_runner daemon --config /etc/act-runner/config.yaml
- EOT
- ]
-
- env {
- name = "DOCKER_HOST"
- value = "tcp://localhost:2375"
- }
- # Make the runner's KUBERNETES_SERVICE env accessible to pipeline steps
- env {
- name = "KUBERNETES_SERVICE_HOST"
- value_from {
- field_ref { field_path = "status.hostIP" }
- }
- }
-
- volume_mount {
- name = "runner-data"
- mount_path = "/data"
- }
- volume_mount {
- name = "runner-config"
- mount_path = "/etc/act-runner"
- }
- volume_mount {
- name = "runner-token"
- mount_path = "/etc/runner-token"
- read_only = true
- }
-
- resources {
- requests = { cpu = "100m", memory = "128Mi" }
- limits = { cpu = "500m", memory = "512Mi" }
- }
- }
-
- # Docker-in-Docker: provides a Docker daemon for the pipeline steps
- container {
- name = "dind"
- image = "docker:27-dind"
-
- security_context {
- privileged = true
- }
- args = [
- "--insecure-registry=gitea-http.gitea.svc.cluster.local:3000",
- ]
- env {
- name = "DOCKER_TLS_CERTDIR"
- value = ""
- }
-
- volume_mount {
- name = "docker-storage"
- mount_path = "/var/lib/docker"
- }
-
- resources {
- requests = { cpu = "200m", memory = "256Mi" }
- limits = { cpu = "1", memory = "1Gi" }
- }
- }
-
- volume {
- name = "runner-data"
- empty_dir {}
- }
- volume {
- name = "docker-storage"
- empty_dir {}
- }
- volume {
- name = "runner-config"
- config_map {
- name = kubernetes_config_map.act_runner.metadata[0].name
- }
- }
- volume {
- name = "runner-token"
- secret {
- secret_name = kubernetes_secret.gitea_runner_token.metadata[0].name
- }
- }
- }
- }
- }
-}
+# Act runner disabled — postponed until dedicated server/VPS.
+# See git history for the full configuration.
diff --git a/infrastructure/terraform/gitea.tf b/infrastructure/terraform/gitea.tf
index 64e92f7..fc26e5a 100644
--- a/infrastructure/terraform/gitea.tf
+++ b/infrastructure/terraform/gitea.tf
@@ -1,165 +1,2 @@
-resource "random_password" "gitea_admin" {
- length = 24
- special = false
-}
-
-resource "kubernetes_secret" "gitea_admin" {
- metadata {
- name = "gitea-admin"
- namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
- }
- data = {
- username = "admin"
- password = random_password.gitea_admin.result
- email = "admin@homelab.local"
- }
-}
-
-resource "helm_release" "gitea" {
- name = "gitea"
- namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
- repository = "https://dl.gitea.com/charts/"
- chart = "gitea"
- version = "~> 12.0"
- atomic = true
- timeout = 300
-
- values = [yamlencode({
- gitea = {
- admin = {
- existingSecret = kubernetes_secret.gitea_admin.metadata[0].name
- }
- config = {
- APP_NAME = "Homelab Git"
- server = {
- DOMAIN = "git.homelab.local"
- ROOT_URL = "http://git.homelab.local"
- SSH_DOMAIN = "localhost"
- SSH_PORT = 30001
- }
- database = { DB_TYPE = "sqlite3" }
- queue = { TYPE = "level" }
- cache = { ADAPTER = "memory" }
- session = { PROVIDER = "memory" }
- packages = { ENABLED = "true" }
- service = { DISABLE_REGISTRATION = "true" }
- log = { LEVEL = "Warn" }
- }
- }
-
- "postgresql-ha" = { enabled = false }
- "valkey-cluster" = { enabled = false }
-
- ingress = {
- enabled = true
- className = "traefik"
- hosts = [{
- host = "git.homelab.local"
- paths = [{ path = "/", pathType = "Prefix" }]
- }]
- }
-
- # NodePort 30002: used by k3d containerd registry mirror (see k3d/config.yaml)
- service = {
- http = {
- type = "NodePort"
- port = 3000
- nodePort = 30002
- }
- ssh = {
- type = "NodePort"
- port = 22
- nodePort = 30001
- }
- }
-
- persistence = {
- enabled = true
- size = "10Gi"
- storageClass = "local-path"
- }
-
- resources = {
- requests = { cpu = "100m", memory = "256Mi" }
- limits = { cpu = "500m", memory = "512Mi" }
- }
- })]
-}
-
-# Placeholder secret created by Terraform; data is populated by the
-# terraform_data bootstrapper below after Gitea is reachable.
-resource "kubernetes_secret" "gitea_runner_token" {
- metadata {
- name = "gitea-runner-token"
- namespace = kubernetes_namespace.domains["gitea"].metadata[0].name
- }
- data = { token = "" }
-
- lifecycle {
- # After the bootstrapper writes the real token we must not overwrite it
- # with the empty placeholder on subsequent applies.
- ignore_changes = [data]
- }
-}
-
-# On first apply: poll until Gitea is up, call the admin API to obtain a
-# runner registration token, and patch the secret in place.
-# On subsequent applies this resource is a no-op (terraform_data only
-# re-runs its provisioner when triggers_replace changes).
-resource "terraform_data" "gitea_runner_registration" {
- depends_on = [helm_release.gitea, kubernetes_secret.gitea_runner_token]
-
- # Re-bootstrap only if the admin password rotates.
- triggers_replace = [random_password.gitea_admin.id]
-
- provisioner "local-exec" {
- interpreter = ["/bin/sh", "-c"]
- command = <<-EOT
- set -e
-
- echo "Waiting for Gitea to be ready..."
- until curl -sf "http://git.homelab.local/api/v1/version" > /dev/null 2>&1; do
- sleep 5
- done
-
- PASSWORD=$(kubectl get secret gitea-admin -n gitea \
- -o jsonpath='{.data.password}' | base64 -d)
-
- TOKEN=$(curl -sf \
- -u "admin:$PASSWORD" \
- "http://git.homelab.local/api/v1/admin/runners/registration-token" \
- | grep -o '"token":"[^"]*"' | cut -d'"' -f4)
-
- kubectl patch secret gitea-runner-token -n gitea \
- -p "{\"data\":{\"token\":\"$(printf '%s' "$TOKEN" | base64)\"}}"
-
- echo "Runner registration token written to gitea-runner-token secret."
- EOT
- }
-}
-
-# imagePullSecret for all app namespaces — allows k8s to pull images from the
-# local Gitea registry. Containerd mirrors "git.homelab.local" to localhost:30002
-# (see k3d/config.yaml) and forwards these credentials to authenticate.
-locals {
- app_namespaces = ["auth", "finance", "home", "test"]
-}
-
-resource "kubernetes_secret" "gitea_registry" {
- for_each = toset(local.app_namespaces)
-
- metadata {
- name = "gitea-registry"
- namespace = kubernetes_namespace.domains[each.value].metadata[0].name
- }
- type = "kubernetes.io/dockerconfigjson"
- data = {
- ".dockerconfigjson" = jsonencode({
- auths = {
- "git.homelab.local" = {
- auth = base64encode("admin:${random_password.gitea_admin.result}")
- }
- }
- })
- }
-}
+# Gitea and registry pull secrets disabled — postponed until dedicated server/VPS.
+# See git history for the full configuration.
diff --git a/infrastructure/terraform/namespaces.tf b/infrastructure/terraform/namespaces.tf
index 6f80689..1b55955 100644
--- a/infrastructure/terraform/namespaces.tf
+++ b/infrastructure/terraform/namespaces.tf
@@ -1,5 +1,5 @@
 locals {
- namespaces = ["auth", "home", "finance", "test", "monitoring", "infrastructure", "gitea"]
+ namespaces = ["auth", "home", "finance", "test", "monitoring", "infrastructure"]
 }
 resource "kubernetes_namespace" "domains" {
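Review bot: Removing `gitea` from `local.namespaces` makes the next apply destroy the `gitea` namespace and everything still inside it, which presumably includes the persistent volume claim behind the removed `helm_release` (`persistence.enabled = true`, `10Gi` on `local-path`), so "full config preserved in git history" holds for the Terraform code but not for the repository and package-registry data. If that data should outlive the pause, keep `gitea` in the list for now or detach the namespace before applying (`terraform state rm 'kubernetes_namespace.domains["gitea"]'`), and state the data loss explicitly in the commit message either way. The deleted gitea.tf comments also point at the k3d containerd mirror for `git.homelab.local` (k3d/config.yaml) and at the `gitea-registry` imagePullSecrets in the auth/finance/home/test namespaces; any workload that still references that secret or pulls from that registry will presumably fail to pull once these resources are gone, so those references need the same treatment. The replacement comment in gitea.tf would be the natural place to record both points.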