generated from coulomb/repo-seed
Point Forgejo runner substrate at in-cluster railiance01 (ADR-004)
Status probe checks k8s runner first; documents retirement of coulombcore interim host runner.
@@ -2,75 +2,73 @@
Last reviewed: 2026-07-03
Status: first supported runner on coulombcore (interim). Forgejo instance runs on
railiance01; runner host is intentionally separate per Forgejo security guidance.
Status: **in-cluster runner on railiance01** (ADR-004). Supersedes interim coulombcore
host runner.
## Purpose
Provide a forge-owned Actions runner for `https://forgejo.coulomb.social` so
repos in the `coulomb` organization can build and publish without workstation
involvement. Mirrors the Gitea runner contract in
`docs/gitea-actions-runner-substrate.md`.
Forge-owned Actions runner for `https://forgejo.coulomb.social` so `coulomb`
organization repos build and publish without workstation or legacy-host Docker.
Label contract aligns with `docs/gitea-actions-runner-substrate.md` and
`docs/ci-runner-actions-gitops-ownership.md`.
## First Supported Runner
## Production Runner (ADR-004)
| Field | Value |
| --- | --- |
| Runner name | `railiance-coulombcore-build-01` |
| Runner scope | `coulomb` organization |
| Host | coulombcore (`92.205.130.254`) |
| Instance | `https://forgejo.coulomb.social/` |
| Binary | `forgejo-runner` v6.3.1 |
| Runtime | Host mode (Docker not installed on host yet) |
| Runner name | `railiance01-build-01` |
| Scope | `coulomb` organization |
| Placement | `forgejo` namespace, railiance01 k3s |
| Manifest | `railiance-apps/manifests/forgejo-runner.yaml` |
| Images | `code.forgejo.org/forgejo/runner:6.3.1`, `docker:27-dind` |
| Job runtime | DinD sidecar (`DOCKER_HOST=tcp://127.0.0.1:2375`) |
| State PVC | `forgejo-runner-data` |
| Cluster deploy authority | Not included |
### Labels
```text
self-hosted:host,linux:host,linux_amd64:host,container-build:host,registry-publish:host,railiance01:host
self-hosted:host,linux:host,linux_amd64:host,container-build:host,registry-publish:host,railiance01:host,ubuntu-latest:docker://node:20-bookworm,docker:docker://node:20-bookworm
```
`self-hosted` preserves compatibility with existing Gitea workflow `runs-on`
values during migration. Container image builds require Docker on the runner
host — install before cutover of image-publishing workflows.
## Service Layout
| Path | Purpose |
| --- | --- |
| `/usr/local/bin/forgejo-runner` | Runner binary |
| `/var/lib/forgejo-runner/config.yaml` | Generated config |
| `/var/lib/forgejo-runner/.runner` | Registration state (secret) |
| `/etc/systemd/system/forgejo-runner.service` | systemd unit |
## Probe Evidence (2026-07-03)
- Org `coulomb` created on Forgejo.
- Runner registered and `systemctl is-active forgejo-runner` → `active`.
- Repo `coulomb/forgejo-actions-probe` workflow `probe.yaml` (`runs-on: self-hosted`)
completed with `status: success` (API: `/api/v1/repos/coulomb/forgejo-actions-probe/actions/tasks`).
## Operator Commands
```bash
# Runner health (from railiance-forge)
RUNNER_HOST=coulombcore make forgejo-runner-status
# S5 deploy (railiance-apps)
cd ~/railiance-apps
make forgejo-runner-registration-deploy # after SOPS encrypt
make forgejo-runner-deploy
make forgejo-runner-status
# Forgejo app smoke (from railiance-apps)
make -C ~/railiance-apps forgejo-smoke
# Endpoint smoke
make forgejo-smoke
# Generate a new org registration token (in cluster, no token in logs)
# Generate registration token (in cluster; do not log token)
KUBECONFIG=~/.kube/config-hosteurope kubectl exec -n forgejo deploy/forgejo-gitea -- \
forgejo actions generate-runner-token --scope coulomb
```
## Secret Boundaries
Same as Gitea runner substrate: registration tokens and `.runner` files stay
off Git. Use approved secret paths on the runner host only.
- `forgejo-runner-registration` Kubernetes Secret — registration token only.
- Repo/org registry credentials — Forgejo Actions secrets, not in Git.
- No kubeconfig or OpenBao tokens on the runner pod by default.
## Follow-On
## Retired: Interim coulombcore Host Runner
1. Install Docker on the approved runner host for `container-build` jobs.
2. Move runner to a non-legacy host before coulombcore decommission (T03 drain).
3. Add repo-scoped registry credentials in Forgejo org secrets for image push.
`railiance-coulombcore-build-01` on coulombcore was a scheduling proof only.
Disable after in-cluster runner is healthy:
```bash
ssh coulombcore 'sudo systemctl disable --now forgejo-runner'
```
## Evidence
- Host probe (2026-07-03): `coulomb/forgejo-actions-probe` workflow `success`.
- In-cluster: verify with `make forgejo-runner-status` and a container `runs-on: ubuntu-latest` job.
## References
- `railiance-infra/docs/adr/ADR-004-forgejo-in-cluster-actions-runner.md`
- [Forgejo runner installation](https://forgejo.org/docs/v11.0/admin/actions/runner-installation/)
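Review bot: the status rewrite drops the sentence that the runner host is intentionally separate from the Forgejo instance per Forgejo security guidance, yet the new placement (`forgejo` namespace on railiance01, the same k3s cluster and namespace where `deploy/forgejo-gitea` runs) reverses that decision without saying why it is now acceptable. Add a line stating the isolation the design relies on (separate namespace, whatever network policy or node separation ADR-004 specifies) and noting that every job step can drive the `docker:27-dind` daemon on `tcp://127.0.0.1:2375` without authentication, since that sidecar's blast radius is what the justification has to cover. The `ubuntu-latest:docker://node:20-bookworm` mapping also needs a sentence: workflows written for a GitHub-style Ubuntu image run in a Node image here. Finally, `Status` declares the in-cluster runner production while `## Evidence` only says how to verify it; record the first successful in-cluster job the way the 2026-07-03 host probe is recorded, or mark the status as pending cutover.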
@@ -2,7 +2,8 @@
set -u
FORGEJO_URL="${FORGEJO_URL:-https://forgejo.coulomb.social}"
RUNNER_HOST="${RUNNER_HOST:-coulombcore}"
FORGEJO_KUBECONFIG="${FORGEJO_KUBECONFIG:-${HOME}/.kube/config-hosteurope}"
RUNNER_HOST="${RUNNER_HOST:-}"
RUNNER_SSH_USER="${RUNNER_SSH_USER:-}"
RUNNER_SSH_KEY="${RUNNER_SSH_KEY:-}"
SSH_CONNECT_TIMEOUT="${SSH_CONNECT_TIMEOUT:-5}"
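Review bot: `FORGEJO_KUBECONFIG` defaults to `${HOME}/.kube/config-hosteurope`, and with `set -u` at the top of the script an unset `HOME` (cron, minimal container images) aborts on this line before any probe runs, even though the later `[ -r ... ]` guard would have handled a missing file gracefully. Use `${HOME:-}` in the default, or fall back to `${KUBECONFIG}` first so an operator who already exported a kubeconfig is not silently pointed at the hardcoded path: `FORGEJO_KUBECONFIG="${FORGEJO_KUBECONFIG:-${KUBECONFIG:-${HOME:-}/.kube/config-hosteurope}}"`. Changing `RUNNER_HOST` to default empty makes the legacy probe opt-in, which matches the retirement note; a one-line comment here would stop someone restoring the old `coulombcore` default.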
@@ -25,8 +26,16 @@ else
echo "curl missing; skipping endpoint checks"
fi
section "Runner host probe"
if have ssh; then
section "In-cluster runner (railiance01)"
if have kubectl && [ -r "${FORGEJO_KUBECONFIG}" ]; then
KUBECONFIG="${FORGEJO_KUBECONFIG}" kubectl get deploy,pods,pvc -n forgejo -l app.kubernetes.io/name=forgejo-runner --ignore-not-found 2>/dev/null || true
KUBECONFIG="${FORGEJO_KUBECONFIG}" kubectl logs -n forgejo deploy/forgejo-runner -c runner --tail=5 2>/dev/null || true
else
echo "kubectl or kubeconfig missing; skipping in-cluster probe"
fi
section "Legacy host runner probe (optional)"
if [ -n "${RUNNER_HOST}" ] && have ssh; then
ssh_target="${RUNNER_HOST}"
if [ -n "${RUNNER_SSH_USER}" ]; then ssh_target="${RUNNER_SSH_USER}@${RUNNER_HOST}"; fi
ssh_args=(-o BatchMode=yes -o ConnectTimeout="${SSH_CONNECT_TIMEOUT}")
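Review bot: both in-cluster commands discard stderr and end in `|| true`, and `kubectl get` also carries `--ignore-not-found`, so an unreachable cluster, a wrong kubeconfig, or a runner deployment that was never applied all produce an empty section that reads like a healthy no-op; since the commit message makes this the first probe that runs, its silence is the most misleading outcome. Capture the output and print an explicit `no forgejo-runner objects found in namespace forgejo` (or the kubectl error text) when it is empty, and let `kubectl logs` report its failure instead of suppressing it. Also confirm the selector `app.kubernetes.io/name=forgejo-runner` matches the labels set in `railiance-apps/manifests/forgejo-runner.yaml`; with `--ignore-not-found` a label mismatch is indistinguishable from a missing runner. `--tail=5` on the runner container is a sensible bound, since job output can surface in those logs.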
@@ -41,6 +50,8 @@ if have ssh; then
fi
if [ -f /var/lib/forgejo-runner/.runner ]; then echo "ok: /var/lib/forgejo-runner/.runner present"; fi
'
elif [ -n "${RUNNER_HOST}" ]; then
echo "ssh missing; skipping legacy host probe"
else
echo "ssh missing; skipping runner host probe"
echo "RUNNER_HOST unset; skipping legacy host probe"
fi
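Review bot: the legacy probe still prints `ok: /var/lib/forgejo-runner/.runner present`, but the doc in this same commit retires the coulombcore host runner and tells the operator to run `systemctl disable --now forgejo-runner`; after that, a lingering `.runner` file is registration state (a secret) left on a host slated for decommission, not an `ok` condition. Report it neutrally (`note: .runner still present`) or warn when the service is inactive but the file remains, so the T03 drain checklist surfaces it. The new `elif`/`else` split distinguishes `ssh missing` from `RUNNER_HOST unset` cleanly.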