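---
# Forgejo Actions runner with a Docker-in-Docker (DinD) sidecar.
#
# Read this before registering repositories against the runner: the DinD
# daemon and the runner container both run `privileged: true`, and the sed
# edits in the runner's start script make every *job* container privileged,
# put it on the daemon's host network and mount the daemon's TLS client
# certificate into it. A workflow running here can therefore drive a
# privileged Docker daemon and escape to the node. Only expose this runner
# to repositories whose contributors you would trust with root on the node.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: forgejo-runner
  name: forgejo-runner
  namespace: gitea
spec:
  # One runner pod. Raising this lets a second runner pick up jobs while the
  # first is busy, but every replica carries its own privileged DinD daemon
  # and registers itself under its own pod name.
  replicas: 1
  selector:
    matchLabels:
      app: forgejo-runner
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: forgejo-runner
    spec:
      restartPolicy: Always
      # NOTE(review): nothing in this pod talks to the Kubernetes API;
      # consider `automountServiceAccountToken: false` so a job that breaks
      # out of its container does not also pick up a service-account token.
      volumes:
        # TLS material written by the DinD daemon (DOCKER_TLS_CERTDIR). The
        # client half is read by the runner and mounted into job containers.
        - name: docker-certs
          emptyDir: {}
        # Registration state and the generated config.yml. Being an emptyDir,
        # the init container re-registers on every pod start. Both the init
        # and runner scripts use relative paths (.runner, config.yml), which
        # presumably resolve under the image's working directory /data —
        # confirm against the image.
        - name: runner-data
          emptyDir: {}
      # Initialise our configuration file using offline registration
      # https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
      initContainers:
        - name: runner-register
          # NOTE(review): pinned by tag only. For a runner that executes CI
          # for other people, pin by digest so the image cannot be swapped
          # underneath the tag.
          image: code.forgejo.org/forgejo/runner:6.3.1
          command:
            - "sh"
            - "-c"
            # The token goes onto the argv of forgejo-runner, so it is
            # briefly visible in this container's process list. The
            # expansions are quoted so a secret or name containing
            # whitespace cannot split into extra arguments.
            - |
              forgejo-runner \
                register \
                --no-interactive \
                --token "${RUNNER_SECRET}" \
                --name "${RUNNER_NAME}" \
                --instance "${FORGEJO_INSTANCE_URL}" \
                --labels docker:docker://node:20-bookworm,ubuntu-22.04:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04,ubuntu-latest:docker://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/catthehackerubuntu:act-22.04
          env:
            # Pod name doubles as the runner name, so each replica is distinct.
            - name: RUNNER_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: RUNNER_SECRET
              valueFrom:
                secretKeyRef:
                  name: forgejo-runner-token
                  key: token
            # NOTE(review): "https://" on its own is not a usable instance
            # URL; registration cannot succeed until the real host is
            # filled in (or templated in by whatever renders this file).
            - name: FORGEJO_INSTANCE_URL
              value: "https://"
          volumeMounts:
            - name: runner-data
              mountPath: /data
      containers:
        - name: runner
          image: code.forgejo.org/forgejo/runner:6.3.1
          # Kubernetes expands $(VAR) references in command/args and reduces
          # "$$" to a single "$" before sh ever sees the script. That is why
          # the sed end-of-line anchors below are written as "$$": they reach
          # sed as a plain "$". "${VAR}" is not touched by Kubernetes and is
          # expanded by sh as usual.
          command:
            - "sh"
            - "-c"
            - |
              # Block until the DinD sidecar accepts connections on 2376,
              # then render the runner config and patch it for DinD.
              # NOTE(review): the source of this script was garbled between
              # "2376" and "config.yml" (an HTML-stripped "<...>" span); the
              # wait loop and the generate-config call are reconstructed
              # from the upstream runner example. Confirm against the
              # original before relying on it.
              while ! nc -z 127.0.0.1 2376 </dev/null; do
                sleep 5;
              done;
              forgejo-runner generate-config > config.yml ;
              # Every job container becomes privileged and joins the
              # daemon's host network (that is how it reaches 127.0.0.1:2376).
              # This is the line that hands node-level access to workflows.
              sed -i -e "s|privileged: .*|privileged: true|" config.yml
              sed -i -e "s|network: .*|network: host|" config.yml ;
              # Point job containers at the DinD daemon and mount the shared
              # client certificate into them. The leading whitespace in these
              # patterns must match the indentation generate-config emits
              # (two spaces here); a mismatch makes the sed a silent no-op and
              # jobs start without DOCKER_HOST or the certificate.
              sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://127.0.0.1:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
              sed -i -e "s|^  options:|  options: -v /certs/client:/certs/client|" config.yml ;
              sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
              /bin/forgejo-runner --config config.yml daemon
          # NOTE(review): the runner process only talks to the daemon over
          # TCP and reads /certs/client; it is not obvious from this manifest
          # that it needs privileged/root itself — the daemon sidecar is the
          # one that must be privileged. Worth testing with this block
          # tightened (non-root, no privilege escalation).
          securityContext:
            allowPrivilegeEscalation: true
            privileged: true
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
          env:
            # Runner-side Docker client settings; the job-side equivalents
            # are injected through config.yml above.
            - name: DOCKER_HOST
              value: tcp://localhost:2376
            - name: DOCKER_CERT_PATH
              value: /certs/client
            - name: DOCKER_TLS_VERIFY
              value: "1"
          volumeMounts:
            - name: docker-certs
              mountPath: /certs
            - name: runner-data
              mountPath: /data
        # Privileged DinD daemon. With DOCKER_TLS_CERTDIR set it is expected
        # to write its CA and server/client certificates under /certs and
        # serve TLS on 2376, which is what the runner waits for above.
        - name: daemon
          image: docker:28.0.4-dind
          env:
            - name: DOCKER_TLS_CERTDIR
              value: /certs
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-certs
              mountPath: /certs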