Environment_Infrastructure/setup/05-test-runner-ve-deploy-onkosullari.md
Murat ÖZDEMİR 8780c7c05e docs(db): implement direct cluster access strategy for production
- Updated roadmap (03-infra-stack-changes.md) to deprecate database proxies in prod.
- Detailed direct subnet access via WireGuard for production developers.
- Provided multi-host connection parameters for Patroni and MongoDB Replica Sets in setup guide (08-prod-db-cluster-kurulum.md).
- Added environment comparison table to developer access guide.
2026-05-18 14:25:26 +03:00
# 05 - Test Runner and Deploy Prerequisites
The purpose of this phase is to install the Gitea Actions runner (`act_runner`) as a systemd service in the test environment and prepare the environment where CI/CD pipelines can run.
## Runner Placement
A single runner is used in the test environment for cost and simplicity:
| Host | Service Name | System User | Labels |
| --- | --- | --- | --- |
| `iklim-app-01` | `gitea-act-runner` | `gitea-runner` | `ubuntu-latest`, `ubuntu-22.04`, `ubuntu-20.04`, `test-runner` |
## 1. Runner User and Permissions
The runner must be able to run Docker commands on the host.
```bash
# Create the user
sudo useradd -m -s /bin/bash gitea-runner
# Add to the Docker group
sudo usermod -aG docker gitea-runner
```
## 2. act_runner Installation
### Installation
Installation and registration are done automatically with Ansible (`test-app-post-stack.yml`). If manual installation is required:
```bash
wget -O act_runner https://dl.gitea.com/act_runner/0.2.12/act_runner-0.2.12-linux-amd64
sudo mv act_runner /usr/local/bin/
sudo chmod +x /usr/local/bin/act_runner
```
### Registration
Get the **Registration Token** from the Gitea UI (Organization -> Settings -> Actions -> Runners) and add it to the vault:
```yaml
# group_vars/all/vault.yml
vault_gitea_runner_token: "<TOKEN>"
```
```bash
cd Environment_Infrastructure/ansible/test
ansible-playbook test-app-post-stack.yml --vault-password-file=.vault_pass
```
## 3. Systemd Service and Configuration
Managed by Ansible. The service file is located at `/etc/systemd/system/gitea-act-runner.service`, and the configuration is located at `/etc/gitea-act-runner/config.yaml`.
Critical parts of the configuration:
```yaml
runner:
  labels:
    - "ubuntu-latest:docker://ubuntu:latest"
    - "ubuntu-22.04:docker://ubuntu:22.04"
    - "ubuntu-20.04:docker://ubuntu:20.04"
    - "test-runner:docker://ubuntu:22.04"
container:
  network: "iklimco-net" # Access to DB services through overlay
  # For Docker commands; note that a job with the host socket mounted has full control of the host Docker daemon
  options: "-v /var/run/docker.sock:/var/run/docker.sock"
```
Status check:
```bash
sudo systemctl status gitea-act-runner
sudo journalctl -u gitea-act-runner -f
```
## 4. Deploy Prerequisites
The following tools must be installed for the pipeline to deploy successfully on `iklim-app-01`:
- `docker-ce` and `docker-compose-plugin`
- `gettext` for the `envsubst` command
- `jq`
- `git`
## 5. Gitea Organization Secrets
The following secrets must be defined at Gitea Organization level for pipelines to run:
| Secret | Description |
| --- | --- |
| `STORAGEBOX_SSH_PRIV` | StorageBox SSH private key |
| `STORAGEBOX_SSH_PUB` | StorageBox SSH public key |
| `HARBOR_CI_TOKEN` | `robot-ci-push-iklimco` robot account token (build + push) |
| `HARBOR_PULL_TOKEN` | `robot-swarm-pull-iklimco` robot account token (Swarm deploy pull) |
| `REPO_ACCESS_TOKEN` | Gitea private repo access (BE-Commons, etc. checkout) |
## 6. Custom Image Build and Harbor Push
`docker-stack-infra.yml` and microservice stacks use private images under `registry.tarla.io/iklimco/`. These images are built and pushed to the registry with the `ops/push-harbor-custom-images.sh` script.
APISIX config files (`build/apisix-core/config.yaml`, `build/apisix-dashboard/conf.yaml`) are generated from templates under `template/` with `envsubst`. `push-harbor-custom-images.sh` performs this generation internally; temporary files are cleaned automatically when the build finishes.
**Design note:** The APISIX admin key is not baked into the image. The template uses `${{APISIX_ADMIN_KEY}}` (double curly braces), which `envsubst` leaves untouched because it only expands `$VAR` and `${VAR}`; the placeholder therefore survives into the image, and APISIX resolves it from the Docker service environment variable when the container starts. This allows one image to be used for both test and prod.
### Steps
```bash
# 1. Log in to Harbor
docker login registry.tarla.io -u robot-ci-push-iklimco
# 2. Build and push the images; the script generates envs and config files itself
bash ops/push-harbor-custom-images.sh
```
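An added example (not a file from the repository) of a Gitea Actions workflow that consumes the organization secrets from section 5 and the build script from section 6 on the `test-runner` label. The workflow name, branch filter, the stack name `iklimco`, the `envsubst` rendering step and the availability of the docker CLI inside the job container are assumptions; the push and pull robot accounts are kept separate so the deploy job never holds push rights.

```yaml
# .gitea/workflows/build-deploy.yml (hypothetical path)
name: build-and-deploy
on:
  push:
    branches: [main]   # assumed branch filter

jobs:
  build:
    runs-on: test-runner              # label registered on iklim-app-01
    steps:
      - name: Checkout (private submodules such as BE-Commons need REPO_ACCESS_TOKEN)
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.REPO_ACCESS_TOKEN }}

      - name: Log in to Harbor with the push-only robot account
        env:
          HARBOR_CI_TOKEN: ${{ secrets.HARBOR_CI_TOKEN }}
        run: |
          # --password-stdin keeps the token out of the process list and job log
          printf '%s' "$HARBOR_CI_TOKEN" \
            | docker login registry.tarla.io -u robot-ci-push-iklimco --password-stdin

      - name: Build and push custom images (script renders APISIX configs itself)
        run: bash ops/push-harbor-custom-images.sh

  deploy:
    needs: build
    runs-on: test-runner
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.REPO_ACCESS_TOKEN }}

      - name: Log in with the pull-only robot so Swarm nodes can fetch images
        env:
          HARBOR_PULL_TOKEN: ${{ secrets.HARBOR_PULL_TOKEN }}
        run: |
          printf '%s' "$HARBOR_PULL_TOKEN" \
            | docker login registry.tarla.io -u robot-swarm-pull-iklimco --password-stdin

      - name: Render and deploy the infra stack
        env:
          APISIX_ADMIN_KEY: ${{ secrets.APISIX_ADMIN_KEY }}   # hypothetical secret, not in the table above
        run: |
          # envsubst fills stack-level ${VAR} placeholders; assumed rendering step
          envsubst < docker-stack-infra.yml > /tmp/stack.yml
          # --with-registry-auth forwards the pull robot's credentials to the Swarm nodes
          docker stack deploy --with-registry-auth -c /tmp/stack.yml iklimco
```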
## Acceptance Criteria
1. The runner labeled `test-runner` appears as **Idle** (green) on the Gitea Runners page.
2. A workflow using `runs-on: test-runner` is triggered successfully.
3. The job container can access the Docker daemon and the `iklimco-net` overlay network.
4. The `8200/tcp` (Vault) port is closed to the public internet.
5. `registry.tarla.io/iklimco/custom-apisix`, `custom-apisix-dashboard`, and `custom-prometheus` images exist in Harbor and are pullable.