feat: Gitea | add runners to utility-services stack

TBD if they will stay here
2025-11-22 20:27:04 +05:00
parent 2f0b9af67c
commit 3c31105fc6
5 changed files with 156 additions and 21 deletions
--- a/utility-services/gitea/index.ts
+++ b/utility-services/gitea/index.ts
@@ -1 +1,2 @@
 export { GiteaServer } from "./server";
+export { GiteaRunner } from "./runner";
--- a/utility-services/gitea/runner.ts
+++ b/utility-services/gitea/runner.ts
@@ -0,0 +1,144 @@
+import { Construct } from "constructs";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+import { OnePasswordSecret, LonghornPvc } from "../../utils";
+import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
+import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
+
+type GiteaRunnerOptions = {
+  provider: KubernetesProvider;
+  name: string;
+  namespace: string;
+  replicas?: number;
+};
+
+export class GiteaRunner extends Construct {
+  constructor(scope: Construct, id: string, options: GiteaRunnerOptions) {
+    super(scope, id);
+
+    const { provider, name, namespace } = options;
+    const replicas = options.replicas?.toString() ?? "1";
+
+    const pvc = new LonghornPvc(this, "data-pvc", {
+      provider,
+      name: `${name}-data`,
+      namespace: namespace,
+      size: "10Gi",
+      accessModes: ["ReadWriteMany"],
+    });
+
+    new OnePasswordSecret(this, "runner-secret", {
+      provider,
+      name: "runner-secret",
+      namespace: namespace,
+      itemPath: "vaults/Lab/items/Gitea",
+    });
+
+    new PodDisruptionBudgetV1(this, "pdb", {
+      provider,
+      metadata: {
+        name,
+        namespace,
+      },
+      spec: {
+        minAvailable: replicas,
+        selector: {
+          matchLabels: {
+            app: name,
+          },
+        },
+      },
+    });
+
+    new DeploymentV1(this, "gitea-runner", {
+      provider,
+      metadata: {
+        name: name,
+        namespace: namespace,
+        labels: {
+          app: name,
+        },
+      },
+      spec: {
+        replicas,
+        selector: {
+          matchLabels: {
+            app: name,
+          },
+        },
+        template: {
+          metadata: {
+            labels: {
+              app: name,
+            },
+          },
+          spec: {
+            nodeSelector: {
+              nodepool: "worker",
+            },
+            topologySpreadConstraint: [
+              {
+                maxSkew: 1,
+                topologyKey: "kubernetes.io/hostname",
+                whenUnsatisfiable: "DoNotSchedule",
+                labelSelector: [
+                  {
+                    matchLabels: {
+                      app: name,
+                    },
+                  },
+                ],
+              },
+            ],
+            restartPolicy: "Always",
+            securityContext: {
+              fsGroup: "1000",
+            },
+            container: [
+              {
+                name: "gitea-runner",
+                image: "gitea/act_runner:nightly-dind-rootless",
+                env: [
+                  {
+                    name: "DOCKER_HOST",
+                    value: "unix:///run/user/1000/docker.sock",
+                  },
+                  {
+                    name: "GITEA_INSTANCE_URL",
+                    value: "https://git.dogar.dev",
+                  },
+                  {
+                    name: "GITEA_RUNNER_REGISTRATION_TOKEN",
+                    valueFrom: {
+                      secretKeyRef: {
+                        name: "runner-secret",
+                        key: "runner-token",
+                      },
+                    },
+                  },
+                ],
+                securityContext: {
+                  privileged: true,
+                },
+                volumeMount: [
+                  {
+                    name: "runner-data",
+                    mountPath: "/data",
+                  },
+                ],
+              },
+            ],
+            volume: [
+              {
+                name: "runner-data",
+                persistentVolumeClaim: {
+                  claimName: pvc.name,
+                },
+              },
+            ],
+          },
+        },
+      },
+    });
+  }
+}
--- a/utility-services/gitea/server.ts
+++ b/utility-services/gitea/server.ts
@@ -1,18 +1,13 @@
 import * as fs from "fs";
 import * as path from "path";
-import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
 import { Release } from "@cdktf/provider-helm/lib/release";
 import { Construct } from "constructs";
-import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";

-import { OnePasswordSecret } from "../../utils";
-import { IngressRoute, IngressRouteTcp } from "../../utils/traefik";
+import { OnePasswordSecret, IngressRoute, IngressRouteTcp } from "../../utils";
+import type { Providers } from "../../types";

 type GiteaServerOptions = {
-  providers: {
-    helm: HelmProvider;
-    kubernetes: KubernetesProvider;
-  };
+  providers: Providers;
  name: string;
  namespace: string;
  r2Endpoint: string;
--- a/utility-services/index.ts
+++ b/utility-services/index.ts
@@ -5,7 +5,7 @@ import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
 import { Construct } from "constructs";

 import { ValkeyCluster } from "./valkey";
-import { GiteaServer } from "./gitea";
+import { GiteaRunner, GiteaServer } from "./gitea";
 import { AuthentikServer } from "./authentik";
 import { PostgresCluster } from "./postgres";
 import { DynamicDNS } from "./dynamic-dns";
@@ -110,5 +110,12 @@ export class UtilityServices extends TerraformStack {
    });

    gitea.node.addDependency(authentik);
+
+    new GiteaRunner(this, "gitea-runner", {
+      provider: kubernetes,
+      namespace,
+      name: "gitea-runner",
+      replicas: 3,
+    });
  }
 }