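---
# Job: obtains a Gitea runner registration token via the Gitea API and creates
# the test-env-runner-token Secret. Run once after Gitea is available.
#
# Prerequisites: gitea-admin Secret in the gitea namespace (created by deploy-k3s).
# The job resolves the Gitea pod IP (headless svc) and calls the registration API.
#
# Security notes:
# - The job reads the Gitea admin credentials, so its ServiceAccount is scoped
#   as narrowly as RBAC allows (see the Role/RoleBinding documents below).
# - No part of the registration token is written to the job log.
apiVersion: batch/v1
kind: Job
metadata:
  name: register-test-env-runner
  namespace: test-env
  labels:
    app: test-env-runner
spec:
  backoffLimit: 3
  ttlSecondsAfterFinished: 300
  template:
    spec:
      serviceAccountName: runner-registrar
      restartPolicy: OnFailure
      containers:
        - name: register
          # NOTE(review): the tag is mutable; consider pinning by digest, e.g.
          # alpine/k8s:1.35.1@sha256:<DIGEST_PLACEHOLDER>, since this container
          # handles the Gitea admin password.
          image: alpine/k8s:1.35.1
          # kubectl and curl need no extra privileges.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command:
            - sh
            - -c
            - |
              set -e
              echo "=== Obtaining Gitea runner registration token ==="

              # Get Gitea admin credentials from the gitea namespace.
              # Named GITEA_* so the conventional USER variable is not shadowed.
              GITEA_USER=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.username}' | base64 -d)
              GITEA_PASS=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.password}' | base64 -d)

              # Resolve Gitea pod IP (headless service)
              GITEA_POD_IP=$(kubectl -n gitea get pod -l app.kubernetes.io/name=gitea \
                -o jsonpath='{.items[0].status.podIP}')
              # A pod that is still Pending has no IP yet; fail instead of
              # building a URL such as "http://:3000".
              if [ -z "$GITEA_POD_IP" ]; then
                echo "ERROR: Gitea pod has no IP yet"
                exit 1
              fi
              GITEA_URL="http://${GITEA_POD_IP}:3000"
              echo "Gitea URL: $GITEA_URL"

              # Wait for Gitea API to be ready
              ready=0
              for i in $(seq 1 30); do
                if curl -sf "$GITEA_URL/api/v1/version" > /dev/null 2>&1; then
                  echo "Gitea API is ready"
                  ready=1
                  break
                fi
                echo "Waiting for Gitea API... ($i/30)"
                sleep 5
              done
              # Stop here rather than sending admin credentials to an endpoint
              # that never answered the version probe.
              if [ "$ready" -ne 1 ]; then
                echo "ERROR: Gitea API did not become ready"
                exit 1
              fi

              # Get registration token.
              # NOTE(review): the admin credentials are sent with basic auth over
              # plain HTTP to the pod IP and are visible in curl's argument list
              # inside this container; consider TLS and/or a NetworkPolicy.
              # sed -n ... p prints only on a match, so an unexpected response
              # body yields an empty TOKEN instead of being stored as the token.
              TOKEN=$(curl -sf -X POST -u "$GITEA_USER:$GITEA_PASS" \
                "$GITEA_URL/api/v1/user/actions/runners/registration-token" \
                | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')

              if [ -z "$TOKEN" ]; then
                echo "ERROR: Failed to get registration token"
                exit 1
              fi
              # Do not echo any part of the token: job logs are readable by
              # anyone with pods/log access in this namespace.
              echo "Got registration token"

              # Create/update Secret in test-env namespace
              kubectl -n test-env create secret generic test-env-runner-token \
                --from-literal=token="$TOKEN" \
                --dry-run=client -o yaml | kubectl apply -f -

              echo "=== Secret test-env-runner-token created ==="

              # Scale runner deployment to 1
              kubectl -n test-env scale deployment test-env-runner --replicas=1
              echo "=== Runner deployment scaled to 1 ==="
---
# ServiceAccount + RBAC for the registration job
apiVersion: v1
kind: ServiceAccount
metadata:
  name: runner-registrar
  namespace: test-env
---
# Permissions inside test-env, limited to the two objects the job touches.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: runner-registrar
  namespace: test-env
rules:
  # create cannot be restricted by resourceNames (the name is not part of the
  # request URL), so it is granted separately from the read/write verbs.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Reading and updating is limited to the runner token Secret, so the job
  # cannot read other Secrets in test-env.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["test-env-runner-token"]
    verbs: ["get", "update", "patch"]
  # Scaling is limited to the runner Deployment.
  - apiGroups: ["apps"]
    resources: ["deployments/scale", "deployments"]
    resourceNames: ["test-env-runner"]
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: runner-registrar
  namespace: test-env
subjects:
  - kind: ServiceAccount
    name: runner-registrar
    namespace: test-env
roleRef:
  kind: Role
  name: runner-registrar
  apiGroup: rbac.authorization.k8s.io
---
# Role to read the gitea-admin Secret and list pods in the gitea namespace.
# This is a namespaced Role + RoleBinding rather than a ClusterRole +
# ClusterRoleBinding: a cluster-wide binding would let the ServiceAccount read
# a Secret named gitea-admin and list pods in every namespace, while the job
# only ever queries the gitea namespace.
# If an earlier revision of this manifest was applied, delete the old
# ClusterRole and ClusterRoleBinding named test-env-gitea-reader.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-env-gitea-reader
  namespace: gitea
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["gitea-admin"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-env-gitea-reader
  namespace: gitea
subjects:
  - kind: ServiceAccount
    name: runner-registrar
    namespace: test-env
roleRef:
  kind: Role
  name: test-env-gitea-reader
  apiGroup: rbac.authorization.k8s.io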