deploy-app-kargo-private/test-env/gitea-runner/register-job.yaml
Dear XoR efb2427586 feat(test-env): add 1C test environment (#11)
* feat(test-env): add 1C test environment manifests (#11)

- PostgreSQL 18.x-2.1C StatefulSet with ru_RU.UTF-8 locale init
- 1C server (ragent+crserver+ras) StatefulSet with stable hostname
- Gitea runner Deployment with edt label for apk-ci-ng
- NodePort services for external 1C access (31540-31545)
- Deploy/verify script: dev/deploy-test-env.sh
- config.yaml for ApplicationSet integration
- test-env only in dev cluster (not in prod AppSet)

* fix(test-env): use initContainer for PG data + remove custom entrypoint

PVC mount on /var/lib/postgresql wipes the image's pre-built cluster.
Solution: initContainer copies cluster data from image to PVC on first run.
Removed custom pg-entrypoint.sh ConfigMap — image has its own.

* feat(test-env): DinD sidecar for runner + auto-registration Job

- Add Docker-in-Docker sidecar to gitea-runner Deployment
- Add register-job.yaml: Job that obtains Gitea runner token via API,
  creates Secret, and scales runner to 1
- RBAC: ServiceAccount + Role/ClusterRole for cross-namespace secret access
- Runner labels: edt (for apk-ci-ng), ubuntu-latest

---------

Co-authored-by: XoR <xor@benadis.ru>
2026-03-12 12:33:50 +03:00


# Job: obtains Gitea runner registration token via API and creates
# the test-env-runner-token Secret. Run once after Gitea is available.
#
# Prerequisites: gitea-admin Secret in gitea namespace (created by deploy-k3s)
# The job resolves Gitea pod IP (headless svc) and calls the registration API.
apiVersion: batch/v1
kind: Job
metadata:
  name: register-test-env-runner
  namespace: test-env
  labels:
    app: test-env-runner
spec:
  backoffLimit: 3
  ttlSecondsAfterFinished: 300
  template:
    spec:
      serviceAccountName: runner-registrar
      restartPolicy: OnFailure
      containers:
        - name: register
          image: alpine/k8s:1.35.1
          command:
            - sh
            - -c
            - |
              set -e
              echo "=== Obtaining Gitea runner registration token ==="
              # Get Gitea admin credentials from gitea namespace
              USER=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.username}' | base64 -d)
              PASS=$(kubectl -n gitea get secret gitea-admin -o jsonpath='{.data.password}' | base64 -d)
              # Resolve Gitea pod IP (headless service)
              GITEA_POD_IP=$(kubectl -n gitea get pod -l app.kubernetes.io/name=gitea \
                -o jsonpath='{.items[0].status.podIP}')
              GITEA_URL="http://${GITEA_POD_IP}:3000"
              echo "Gitea URL: $GITEA_URL"
              # Wait for Gitea API to be ready
              for i in $(seq 1 30); do
                if curl -sf "$GITEA_URL/api/v1/version" > /dev/null 2>&1; then
                  echo "Gitea API is ready"
                  break
                fi
                echo "Waiting for Gitea API... ($i/30)"
                sleep 5
              done
              # Get registration token
              TOKEN=$(curl -sf -X POST -u "$USER:$PASS" \
                "$GITEA_URL/api/v1/user/actions/runners/registration-token" \
                | sed 's/.*"token":"\([^"]*\)".*/\1/')
              if [ -z "$TOKEN" ]; then
                echo "ERROR: Failed to get registration token"
                exit 1
              fi
              echo "Got registration token: ${TOKEN:0:8}..."
              # Create/update Secret in test-env namespace
              kubectl -n test-env create secret generic test-env-runner-token \
                --from-literal=token="$TOKEN" \
                --dry-run=client -o yaml | kubectl apply -f -
              echo "=== Secret test-env-runner-token created ==="
              # Scale runner deployment to 1
              kubectl -n test-env scale deployment test-env-runner --replicas=1
              echo "=== Runner deployment scaled to 1 ==="
---
# ServiceAccount + RBAC for the registration job
apiVersion: v1
kind: ServiceAccount
metadata:
  name: runner-registrar
  namespace: test-env
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: runner-registrar
  namespace: test-env
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments/scale", "deployments"]
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: runner-registrar
  namespace: test-env
subjects:
  - kind: ServiceAccount
    name: runner-registrar
    namespace: test-env
roleRef:
  kind: Role
  name: runner-registrar
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole to read gitea-admin secret from gitea namespace.
# Note: resourceNames restricts the object name only; bound through a
# ClusterRoleBinding this grants "get" on a Secret named gitea-admin in
# every namespace, and pod get/list cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-env-gitea-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["gitea-admin"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-env-gitea-reader
subjects:
  - kind: ServiceAccount
    name: runner-registrar
    namespace: test-env
roleRef:
  kind: ClusterRole
  name: test-env-gitea-reader
  apiGroup: rbac.authorization.k8s.io
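The ClusterRole above limits `get` to Secrets named gitea-admin, but a ClusterRoleBinding applies that rule in every namespace, not only gitea. The following audit is an added example, not code from this repository: it computes the Secret-read scope a ServiceAccount ends up with from its Role/ClusterRole bindings. PAGE_RBAC is a constructed copy of the page's ClusterRole and ClusterRoleBinding trimmed to the secrets rule; SCOPED_RBAC is a hypothetical alternative that places a Role in the gitea namespace and binds it to the test-env ServiceAccount with a RoleBinding in gitea.

```python
# Audit which Secrets a ServiceAccount may read, from RBAC objects given as dicts.
# Added example, not code from the repository: PAGE_RBAC is a constructed copy of the
# page's ClusterRole/ClusterRoleBinding (secrets rule only); SCOPED_RBAC is hypothetical.
def _binding(kind, name, ns, ref_kind, ref_name, sa_ns, sa_name):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta,
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}],
            "roleRef": {"kind": ref_kind, "name": ref_name}}

SECRET_GET = {"apiGroups": [""], "resources": ["secrets"],
              "resourceNames": ["gitea-admin"], "verbs": ["get"]}
SA = ("test-env", "runner-registrar")
# As on the page: a ClusterRole bound by a ClusterRoleBinding.
PAGE_RBAC = [
    {"kind": "ClusterRole", "metadata": {"name": "test-env-gitea-reader"}, "rules": [SECRET_GET]},
    _binding("ClusterRoleBinding", "test-env-gitea-reader", None,
             "ClusterRole", "test-env-gitea-reader", *SA),
]
# Hypothetical alternative: a Role in the gitea namespace, bound to the test-env
# ServiceAccount by a RoleBinding that also lives in the gitea namespace.
SCOPED_RBAC = [
    {"kind": "Role", "metadata": {"name": "gitea-admin-reader", "namespace": "gitea"},
     "rules": [SECRET_GET]},
    _binding("RoleBinding", "gitea-admin-reader", "gitea", "Role", "gitea-admin-reader", *SA),
]

def secret_read_grants(objs, sa_ns, sa_name):
    """Return {(namespace_scope, resourceNames)} for every 'get secrets' grant.
    A ClusterRoleBinding applies its ClusterRole in every namespace ("*"):
    resourceNames narrow the object name, never the namespace. A RoleBinding
    applies only in its own namespace, even when the subject lives elsewhere."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o["rules"]
             for o in objs if o["kind"] in ("Role", "ClusterRole")}
    grants = set()
    for b in (o for o in objs if o["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_ns for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        role_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        scope = "*" if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
        for r in roles[(ref["kind"], role_ns, ref["name"])]:
            if "" in r["apiGroups"] and "secrets" in r["resources"] and "get" in r["verbs"]:
                grants.add((scope, tuple(r.get("resourceNames") or ["*"])))
    return grants

def cluster_wide_secret_reads(objs, sa_ns, sa_name):
    """The grants an audit should flag: Secret reads that reach every namespace."""
    return {g for g in secret_read_grants(objs, sa_ns, sa_name) if g[0] == "*"}
```

The same check can be run against live RBAC by feeding it the objects from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.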