From dfa2a0578e254c23e969fa52a14d64cf859468b8 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Sat, 10 Jan 2026 21:15:19 +0900
Subject: [PATCH] =?UTF-8?q?feat:=20Kaniko=20=EA=B8=B0=EB=B0=98=20CI/CD=20?= =?UTF-8?q?=EC=84=A4=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- gitea-runner: DinD 제거, Host 모드 전환
- gitea-runner: ServiceAccount, RBAC 추가
- gitea ns: zot-registry-credentials ExternalSecret 추가
- argocd ns: zot-registry-credentials ExternalSecret 추가
Co-Authored-By: Claude Opus 4.5
---
argocd/image-updater-manifests/zot-creds.yaml | 27 ++++++++++++
gitea-runner/manifests/deployment.yaml | 42 ++++---------------
gitea-runner/manifests/rbac.yaml | 33 +++++++++++++++
gitea-runner/manifests/zot-secret.yaml | 27 ++++++++++++
4 files changed, 96 insertions(+), 33 deletions(-)
create mode 100644 argocd/image-updater-manifests/zot-creds.yaml
create mode 100644 gitea-runner/manifests/rbac.yaml
create mode 100644 gitea-runner/manifests/zot-secret.yaml
diff --git a/argocd/image-updater-manifests/zot-creds.yaml b/argocd/image-updater-manifests/zot-creds.yaml
new file mode 100644
index 0000000..80e8283
--- /dev/null
+++ b/argocd/image-updater-manifests/zot-creds.yaml
@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: zot-registry-credentials
+ namespace: argocd
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: zot-registry-credentials
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: |
+ {"auths":{"zot0213.kro.kr":{"username":"{{ .USERNAME }}","password":"{{ .PASSWORD }}","auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}}
+ data:
+ - secretKey: USERNAME
+ remoteRef:
+ key: zot
+ property: USERNAME
+ - secretKey: PASSWORD
+ remoteRef:
+ key: zot
+ property: PASSWORD
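Review bot: The `.dockerconfigjson` template interpolates `.USERNAME` and `.PASSWORD` directly into a JSON string literal, so a Vault value containing `"` or `\` (common in generated passwords) produces an invalid `.dockerconfigjson` that consumers will reject; the same template appears in `gitea-runner/manifests/zot-secret.yaml`. If the ESO template engine exposes sprig's `toJson`, let it do the quoting and escaping: `{"auths":{"zot0213.kro.kr":{"username":{{ .USERNAME | toJson }},"password":{{ .PASSWORD | toJson }},"auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}}`. Separately, both namespaces read the same Vault key `zot`, so Argo CD Image Updater, which only needs to read tags, holds the same credential the CI side uses to push; a second read-only registry account referenced from this manifest would keep a compromise of the argocd namespace from yielding push access. The `|` block scalar also leaves a trailing newline inside the JSON document, which most consumers tolerate but `|-` avoids.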
diff --git a/gitea-runner/manifests/deployment.yaml b/gitea-runner/manifests/deployment.yaml
index c78aef2..193bd34 100644
--- a/gitea-runner/manifests/deployment.yaml
+++ b/gitea-runner/manifests/deployment.yaml
@@ -15,40 +15,20 @@ spec:
 labels:
 app: gitea-runner
 spec:
+ serviceAccountName: gitea-runner
 containers:
- # Docker-in-Docker sidecar
- - name: dind
- image: docker:dind
- securityContext:
- privileged: true
- env:
- - name: DOCKER_TLS_CERTDIR
- value: ""
- volumeMounts:
- - name: docker-graph
- mountPath: /var/lib/docker
- resources:
- requests:
- cpu: 100m
- memory: 512Mi
- limits:
- memory: 2Gi
- # Gitea Actions Runner
 - name: runner
 image: gitea/act_runner:latest
 command:
 - sh
 - -c
 - |
- # Wait for Docker to be ready
- echo "Waiting for Docker daemon..."
- while ! docker info > /dev/null 2>&1; do
- sleep 2
- done
- echo "Docker is ready!"
+ # Install kubectl
+ wget -q -O /usr/local/bin/kubectl "https://dl.k8s.io/release/$(wget -q -O - https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl"
+ chmod +x /usr/local/bin/kubectl
 # Wait for Gitea to be ready
- while ! wget -q --spider http://gitea-http.gitea.svc:3000/api/v1/version; do
+ while ! wget -q --spider http://gitea-http.gitea.svc:3000/api/v1/version 2>/dev/null; do
 echo "Waiting for Gitea to be ready..."
 sleep 5
 done
@@ -60,15 +40,13 @@ spec:
 --instance https://github0213.com \
 --token $(cat /secrets/token) \
 --name k3s-runner \
- --labels k3s-home:docker://node:20-alpine,ubuntu-latest:docker://ubuntu:latest,arm64:host
+ --labels k3s-home:host
 fi
 act_runner daemon
 env:
 - name: GITEA_INSTANCE_URL
 value: "https://github0213.com"
- - name: DOCKER_HOST
- value: "tcp://localhost:2375"
 volumeMounts:
 - name: runner-data
 mountPath: /data
@@ -77,13 +55,11 @@ spec:
 readOnly: true
 resources:
 requests:
- cpu: 100m
- memory: 256Mi
+ cpu: 50m
+ memory: 128Mi
 limits:
- memory: 1Gi
+ memory: 512Mi
 volumes:
- - name: docker-graph
- emptyDir: {}
 - name: runner-data
 emptyDir: {}
 - name: runner-secret
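Review bot: The kubectl install added to the `- |` startup script fetches whatever version `stable.txt` resolves to at pod start and marks it executable without any integrity check, and because neither `wget` has its exit status checked the script continues to `act_runner daemon` even when the download failed or returned an error page. Pin the version, verify the `.sha256` file that dl.k8s.io publishes next to the binary, and abort on failure — or bake kubectl into the runner image so startup makes no network fetch at all; the rewrite below uses a labelled placeholder for the pinned version and assumes the busybox `sha256sum`/`install` present in the runner image. The shell script and the container spec continue outside this hunk, and the hard-coded `linux/arm64` path is only correct while the runner is pinned to that node architecture.
```yaml
        - |
          # Install kubectl: pinned version, checksum verified, fail closed
          KUBECTL_VERSION="<PINNED_KUBECTL_VERSION>"   # placeholder: set an explicit release
          KUBECTL_URL="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/arm64/kubectl"
          wget -q -O /tmp/kubectl "${KUBECTL_URL}" || { echo "kubectl download failed"; exit 1; }
          wget -q -O /tmp/kubectl.sha256 "${KUBECTL_URL}.sha256" || { echo "kubectl checksum download failed"; exit 1; }
          echo "$(cat /tmp/kubectl.sha256)  /tmp/kubectl" | sha256sum -c - || { echo "kubectl checksum mismatch"; exit 1; }
          install -m 0755 /tmp/kubectl /usr/local/bin/kubectl
          # ... unchanged: wait for Gitea, runner registration, act_runner daemon ...
```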
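Review bot: With `--labels k3s-home:host` every workflow step now executes inside the runner container itself rather than in a throwaway job container, so whatever a repository's workflow runs has the pod's filesystem, the registration token under `/secrets/token`, and — through `serviceAccountName: gitea-runner` from the first hunk — the projected ServiceAccount token and all of its RBAC. Size that ServiceAccount's permissions on the assumption that workflow code can use them, and, since the runner is registered instance-wide (`--instance https://github0213.com`), consider limiting which repositories may dispatch jobs to it. A comment on the line would help the next maintainer: `--labels k3s-home:host  # host mode: steps run in this pod and can use its SA token`.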
diff --git a/gitea-runner/manifests/rbac.yaml b/gitea-runner/manifests/rbac.yaml
new file mode 100644
index 0000000..cd9b441
--- /dev/null
+++ b/gitea-runner/manifests/rbac.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-runner
+ namespace: gitea
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gitea-runner-kaniko
+rules:
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "delete", "get", "watch"]
+- apiGroups: [""]
+ resources: ["pods", "pods/log"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gitea-runner-kaniko
+subjects:
+- kind: ServiceAccount
+ name: gitea-runner
+ namespace: gitea
+roleRef:
+ kind: ClusterRole
+ name: gitea-runner-kaniko
+ apiGroup: rbac.authorization.k8s.io
diff --git a/gitea-runner/manifests/zot-secret.yaml b/gitea-runner/manifests/zot-secret.yaml
new file mode 100644
index 0000000..ead019a
--- /dev/null
+++ b/gitea-runner/manifests/zot-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: zot-registry-credentials
+ namespace: gitea
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: zot-registry-credentials
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/dockerconfigjson
+ data:
+ .dockerconfigjson: |
+ {"auths":{"zot0213.kro.kr":{"username":"{{ .USERNAME }}","password":"{{ .PASSWORD }}","auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}}
+ data:
+ - secretKey: USERNAME
+ remoteRef:
+ key: zot
+ property: USERNAME
+ - secretKey: PASSWORD
+ remoteRef:
+ key: zot
+ property: PASSWORD
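Review bot: The `ClusterRole` bound through a `ClusterRoleBinding` lets the `gitea-runner` ServiceAccount create and delete Jobs and `get` any Secret by name in every namespace, not only where the Kaniko Jobs run; because this commit also switches the runner to host mode, that reach is available to any workflow code the runner executes, and creating a Job in an arbitrary namespace means creating pods that can mount that namespace's ServiceAccounts and Secrets. A namespaced `Role`/`RoleBinding` in the namespace the Kaniko Jobs are created in (the rewrite below assumes `gitea`, matching the ServiceAccount; adjust if a dedicated build namespace is used) with `resourceNames: ["zot-registry-credentials"]` on the `secrets` rule keeps the same pipeline working with far less blast radius. If the Job only mounts the registry secret as a volume, the runner SA does not need `get` on secrets at all and that rule can be dropped. The ServiceAccount document at the top of the file is unchanged by this proposal.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitea-runner-kaniko
  namespace: gitea
rules:
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["create", "delete", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Only the registry credential the Kaniko Job needs; drop this rule if the Job mounts it as a volume.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["zot-registry-credentials"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitea-runner-kaniko
  namespace: gitea
# ... unchanged: subjects ...
roleRef:
  kind: Role
  name: gitea-runner-kaniko
  apiGroup: rbac.authorization.k8s.io
```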