From 46280e86c7d90d3d79a783d8744c7db279038b33 Mon Sep 17 00:00:00 2001 From: infinicaretech Date: Sun, 5 Apr 2026 20:31:14 +0000 Subject: [PATCH] Add Gitea Actions runner for automated CI/CD pipeline MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Runner deployment with host mode execution and kubectl access - RBAC for creating Kaniko build pods - Workflow triggers on push to main: Kaniko build → registry push → gitops update → ArgoCD sync Co-Authored-By: Claude Opus 4.6 (1M context)
--- .../gitea-runner/runner-config.yaml | 20 ++++ .../gitea-runner/runner-deployment.yaml | 101 ++++++++++++++++++ .../gitea-runner/runner-secret.yaml | 8 ++ 3 files changed, 129 insertions(+) create mode 100644 infrastructure/gitea-runner/runner-config.yaml create mode 100644 infrastructure/gitea-runner/runner-deployment.yaml create mode 100644 infrastructure/gitea-runner/runner-secret.yaml
diff --git a/infrastructure/gitea-runner/runner-config.yaml b/infrastructure/gitea-runner/runner-config.yaml
new file mode 100644
index 0000000..acb22e0
--- /dev/null
+++ b/infrastructure/gitea-runner/runner-config.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: runner-config
+ namespace: build
+data:
+ config.yaml: |
+ log:
+ level: info
+ runner:
+ file: .runner
+ capacity: 1
+ timeout: 1h
+ labels:
+ - "ubuntu-latest:host"
+ - "self-hosted:host"
+ cache:
+ enabled: false
+ host:
+ workdir_parent: /tmp/actions
diff --git a/infrastructure/gitea-runner/runner-deployment.yaml b/infrastructure/gitea-runner/runner-deployment.yaml
new file mode 100644
index 0000000..6cdb1cd
--- /dev/null
+++ b/infrastructure/gitea-runner/runner-deployment.yaml
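Review bot: Mapping `ubuntu-latest` to the `host` executor in `labels` means any workflow that asks for the GitHub-style `ubuntu-latest` runner is executed directly inside the runner's own container rather than in a fresh per-job environment, so consecutive jobs share the process, the `/tmp/actions` workdir and whatever the deployment mounts into that container. If that is the intended design (the commit message says host mode is deliberate), it deserves a comment on the label lines, e.g. `# host executor: jobs run un-isolated inside the runner pod; only trusted repositories should target this runner`. Separately, `file: .runner` is relative to the daemon's working directory, while the deployment checks for `/data/.runner` before registering; making it absolute, `file: /data/.runner`, keeps the two in agreement regardless of the image's working directory.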
@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitea-runner
+ namespace: build
+ labels:
+ app: gitea-runner
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gitea-runner
+ template:
+ metadata:
+ labels:
+ app: gitea-runner
+ spec:
+ serviceAccountName: gitea-runner
+ nodeSelector:
+ kubernetes.io/hostname: kubemaster1
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
+ containers:
+ - name: runner
+ image: gitea/act_runner:latest
+ command: ["sh", "-c"]
+ args:
+ - |
+ # Install tools needed by workflows
+ apt-get update && apt-get install -y git curl kubectl 2>/dev/null || \
+ apk add --no-cache git curl kubectl 2>/dev/null || true
+
+ # Register runner if not already registered
+ if [ ! -f /data/.runner ]; then
+ act_runner register \
+ --instance http://gitea-http.gitea.svc:3000 \
+ --token $(cat /secrets/token) \
+ --name k8s-runner \
+ --labels "ubuntu-latest:host,self-hosted:host" \
+ --no-interactive
+ fi
+ act_runner daemon --config /config/config.yaml
+ volumeMounts:
+ - name: runner-data
+ mountPath: /data
+ - name: runner-config
+ mountPath: /config
+ - name: runner-secret
+ mountPath: /secrets
+ - name: tmp
+ mountPath: /tmp
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: "1"
+ memory: 1Gi
+ volumes:
+ - name: runner-data
+ emptyDir: {}
+ - name: runner-config
+ configMap:
+ name: runner-config
+ - name: runner-secret
+ secret:
+ secretName: runner-secret
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-runner
+ namespace: build
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gitea-runner
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "pods/log"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gitea-runner
+subjects:
+ - kind: ServiceAccount
+ name: gitea-runner
+ namespace: build
+roleRef:
+ kind: ClusterRole
+ name: gitea-runner
+ apiGroup: rbac.authorization.k8s.io
diff --git a/infrastructure/gitea-runner/runner-secret.yaml b/infrastructure/gitea-runner/runner-secret.yaml
new file mode 100644
index 0000000..455c76d
--- /dev/null
+++ b/infrastructure/gitea-runner/runner-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: runner-secret
+ namespace: build
+type: Opaque
+stringData:
+ token: "LfMBBZOvAHsP4YTBHyl8gwVPYKTxQLLXsMB7YlCy"
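Review bot: The ClusterRole/ClusterRoleBinding at the end of the hunk give the runner's service account `create`/`delete` on pods and jobs in every namespace, and because jobs run in `host` mode inside this same pod, any workflow from any repository that can target the runner inherits that (by default auto-mounted) token and can create arbitrary pods cluster-wide, including hostPath-mounting pods on the control-plane node the Deployment pins itself to via `nodeSelector` and the control-plane toleration. The Kaniko build pods only need to exist in `build`, so this should be a namespaced Role and RoleBinding rather than cluster-scoped objects. Separately, `image: gitea/act_runner:latest` combined with `apt-get … || apk add … || true` at startup means the runner's toolchain is re-resolved on every restart and a failed kubectl install is silently ignored; pin the image by tag or digest and fail fast (`apk add --no-cache git curl kubectl || exit 1`), or bake the tools into a derived image. `--token $(cat /secrets/token)` also places the registration token on the process command line; if the image's entrypoint supports taking it from an environment variable, feed the Secret in that way instead.

```yaml
# … unchanged: Deployment and ServiceAccount …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitea-runner
  namespace: build
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitea-runner
  namespace: build
subjects:
  - kind: ServiceAccount
    name: gitea-runner
    namespace: build
roleRef:
  kind: Role
  name: gitea-runner
  apiGroup: rbac.authorization.k8s.io
```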
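Review bot: `runner-secret.yaml` commits a live runner registration token in clear text under `stringData`; once pushed it lives in the repository history, so it should be treated as exposed — regenerate it in Gitea and keep the replacement out of git, e.g. create the Secret out-of-band with `kubectl create secret generic runner-secret -n build --from-literal=token=…` or manage it as a SealedSecret/ExternalSecret, leaving only a placeholder here. Since the commit message describes an ArgoCD gitops flow, a plaintext Secret manifest in this path will also be synced as-is by that pipeline. A comment on the file, such as `# Registration token must not be committed; provision this Secret out-of-band`, would stop the next contributor from repeating it.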