Add Gitea Actions runner for automated CI/CD pipeline

- Runner deployment with host mode execution and kubectl access
- RBAC for creating Kaniko build pods
- Workflow triggers on push to main: Kaniko build → registry push → gitops update → ArgoCD sync

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

infrastructure/gitea-runner/runner-config.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runner-config
+  namespace: build
+data:
+  config.yaml: |
+    log:
+      level: info
+    runner:
+      file: .runner
+      capacity: 1
+      timeout: 1h
+      labels:
+        - "ubuntu-latest:host"
+        - "self-hosted:host"
+    cache:
+      enabled: false
+    host:
+      workdir_parent: /tmp/actions

infrastructure/gitea-runner/runner-deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-runner
+  namespace: build
+  labels:
+    app: gitea-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      serviceAccountName: gitea-runner
+      nodeSelector:
+        kubernetes.io/hostname: kubemaster1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+      containers:
+        - name: runner
+          image: gitea/act_runner:latest
+          command: ["sh", "-c"]
+          args:
+            - |
+              # Install tools needed by workflows
+              apt-get update && apt-get install -y git curl kubectl 2>/dev/null || \
+              apk add --no-cache git curl kubectl 2>/dev/null || true
+
+              # Register runner if not already registered
+              if [ ! -f /data/.runner ]; then
+                act_runner register \
+                  --instance http://gitea-http.gitea.svc:3000 \
+                  --token $(cat /secrets/token) \
+                  --name k8s-runner \
+                  --labels "ubuntu-latest:host,self-hosted:host" \
+                  --no-interactive
+              fi
+              act_runner daemon --config /config/config.yaml
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+            - name: runner-config
+              mountPath: /config
+            - name: runner-secret
+              mountPath: /secrets
+            - name: tmp
+              mountPath: /tmp
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: "1"
+              memory: 1Gi
+      volumes:
+        - name: runner-data
+          emptyDir: {}
+        - name: runner-config
+          configMap:
+            name: runner-config
+        - name: runner-secret
+          secret:
+            secretName: runner-secret
+        - name: tmp
+          emptyDir: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitea-runner
+  namespace: build
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gitea-runner
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/log"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gitea-runner
+subjects:
+  - kind: ServiceAccount
+    name: gitea-runner
+    namespace: build
+roleRef:
+  kind: ClusterRole
+  name: gitea-runner
+  apiGroup: rbac.authorization.k8s.io

infrastructure/gitea-runner/runner-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: runner-secret
+  namespace: build
+type: Opaque
+stringData:
+  token: "LfMBBZOvAHsP4YTBHyl8gwVPYKTxQLLXsMB7YlCy"