feat: Gitea | add runners to utility-services stack

TBD if they will stay here

utility-services/gitea/runner.ts

@@ -0,0 +1,144 @@
+import { Construct } from "constructs";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+import { OnePasswordSecret, LonghornPvc } from "../../utils";
+import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
+import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
+
+type GiteaRunnerOptions = {
+  provider: KubernetesProvider;
+  name: string;
+  namespace: string;
+  replicas?: number;
+};
+
+export class GiteaRunner extends Construct {
+  constructor(scope: Construct, id: string, options: GiteaRunnerOptions) {
+    super(scope, id);
+
+    const { provider, name, namespace } = options;
+    const replicas = options.replicas?.toString() ?? "1";
+
+    const pvc = new LonghornPvc(this, "data-pvc", {
+      provider,
+      name: `${name}-data`,
+      namespace: namespace,
+      size: "10Gi",
+      accessModes: ["ReadWriteMany"],
+    });
+
+    new OnePasswordSecret(this, "runner-secret", {
+      provider,
+      name: "runner-secret",
+      namespace: namespace,
+      itemPath: "vaults/Lab/items/Gitea",
+    });
+
+    new PodDisruptionBudgetV1(this, "pdb", {
+      provider,
+      metadata: {
+        name,
+        namespace,
+      },
+      spec: {
+        minAvailable: replicas,
+        selector: {
+          matchLabels: {
+            app: name,
+          },
+        },
+      },
+    });
+
+    new DeploymentV1(this, "gitea-runner", {
+      provider,
+      metadata: {
+        name: name,
+        namespace: namespace,
+        labels: {
+          app: name,
+        },
+      },
+      spec: {
+        replicas,
+        selector: {
+          matchLabels: {
+            app: name,
+          },
+        },
+        template: {
+          metadata: {
+            labels: {
+              app: name,
+            },
+          },
+          spec: {
+            nodeSelector: {
+              nodepool: "worker",
+            },
+            topologySpreadConstraint: [
+              {
+                maxSkew: 1,
+                topologyKey: "kubernetes.io/hostname",
+                whenUnsatisfiable: "DoNotSchedule",
+                labelSelector: [
+                  {
+                    matchLabels: {
+                      app: name,
+                    },
+                  },
+                ],
+              },
+            ],
+            restartPolicy: "Always",
+            securityContext: {
+              fsGroup: "1000",
+            },
+            container: [
+              {
+                name: "gitea-runner",
+                image: "gitea/act_runner:nightly-dind-rootless",
+                env: [
+                  {
+                    name: "DOCKER_HOST",
+                    value: "unix:///run/user/1000/docker.sock",
+                  },
+                  {
+                    name: "GITEA_INSTANCE_URL",
+                    value: "https://git.dogar.dev",
+                  },
+                  {
+                    name: "GITEA_RUNNER_REGISTRATION_TOKEN",
+                    valueFrom: {
+                      secretKeyRef: {
+                        name: "runner-secret",
+                        key: "runner-token",
+                      },
+                    },
+                  },
+                ],
+                securityContext: {
+                  privileged: true,
+                },
+                volumeMount: [
+                  {
+                    name: "runner-data",
+                    mountPath: "/data",
+                  },
+                ],
+              },
+            ],
+            volume: [
+              {
+                name: "runner-data",
+                persistentVolumeClaim: {
+                  claimName: pvc.name,
+                },
+              },
+            ],
+          },
+        },
+      },
+    });
+  }
+}