From 7b0f520e54c4b28f4d63b94bdc0229a3c08d2f92 Mon Sep 17 00:00:00 2001 From: Mayne0213 Date: Sun, 28 Dec 2025 17:38:14 +0900 Subject: [PATCH] FIX(k8s): in-cluster kubeconfig access - Set KUBECONFIG env at job level for all steps - Generate kubeconfig from ServiceAccount token - Use tokenFile reference for automatic token renewal - Set proper cluster CA and server URL - Test connection after setup This ensures kubectl works correctly inside K8s Pod runner --- .gitea/workflows/build.yml | 49 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml index a761d0a..77d3c39 100644 --- a/.gitea/workflows/build.yml +++ b/.gitea/workflows/build.yml @@ -18,6 +18,9 @@ jobs: contents: write packages: write + env: + KUBECONFIG: /tmp/kubeconfig + outputs: image-tag: ${{ steps.meta.outputs.tags }} image-digest: ${{ steps.build.outputs.digest }} @@ -37,8 +40,50 @@ jobs: - name: Setup Kubernetes access run: | - # Running in Kubernetes Pod - use in-cluster config - echo "Running in Kubernetes - using ServiceAccount" + # Running in Kubernetes Pod - create kubeconfig from ServiceAccount + echo "Setting up in-cluster kubeconfig" + + SA_PATH="/var/run/secrets/kubernetes.io/serviceaccount" + + if [ ! -f "${SA_PATH}/token" ]; then + echo "❌ ServiceAccount token not found" + exit 1 + fi + + echo "✅ ServiceAccount token found" + + # Get cluster info + KUBE_HOST="${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}" + KUBE_PORT="${KUBERNETES_SERVICE_PORT:-443}" + KUBE_URL="https://${KUBE_HOST}:${KUBE_PORT}" + + echo "Kubernetes API: ${KUBE_URL}" + + # Create kubeconfig + cat > ${KUBECONFIG} <
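Review bot: The job-level `KUBECONFIG: /tmp/kubeconfig` added in the first hunk puts the file that tells kubectl which API server and CA to trust at a fixed, predictable name in a world-writable directory. If the runner pod's /tmp is shared with other jobs or persists between runs (not visible from this diff), the later `cat > ${KUBECONFIG}` write would follow a pre-existing file or symlink at that path, and any step that runs before the setup step would read whatever was left there. Since the description says the config references the ServiceAccount token by `tokenFile`, the main exposure is integrity of the server URL and CA rather than disclosure of the token. I would drop the job-level value and have the setup step create a private location instead: `umask 077`, then `KUBECONFIG="$(mktemp -d)/kubeconfig"`, then `echo "KUBECONFIG=${KUBECONFIG}" >> "$GITHUB_ENV"`. The setup step continues past the end of what is shown here, so check the rest of it for the same path assumption.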