From 9e9a93b8387f43b4a74a48cbcd1ed67a8d8c8e5f Mon Sep 17 00:00:00 2001 From: "Billy D." Date: Wed, 4 Feb 2026 15:27:53 -0500 Subject: [PATCH] fix: Use internal HTTP endpoint for rootless DinD runner - Switch from external HTTPS to internal HTTP (gitea-http.gitea.svc.cluster.local:3000) - Remove sudo commands that don't work in rootless Docker-in-Docker - Use direct docker login with --password-stdin for compatibility - Add http=true to buildkitd config for HTTP registry --- .gitea/workflows/build-push.yaml | 80 ++++++++------------------------ 1 file changed, 20 insertions(+), 60 deletions(-) diff --git a/.gitea/workflows/build-push.yaml b/.gitea/workflows/build-push.yaml index 89ad423..8ca010b 100644 --- a/.gitea/workflows/build-push.yaml +++ b/.gitea/workflows/build-push.yaml @@ -23,9 +23,9 @@ on: default: 'all' env: - # Use external registry URL for proper Bearer token auth flow - REGISTRY: registry.lab.daviestechlabs.io/daviestechlabs - REGISTRY_HOST: registry.lab.daviestechlabs.io + # Use internal cluster HTTP endpoint (no TLS cert issues for in-cluster runner) + REGISTRY: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs + REGISTRY_HOST: gitea-http.gitea.svc.cluster.local:3000 NTFY_URL: http://ntfy.observability.svc.cluster.local:80 jobs: @@ -98,19 +98,12 @@ jobs: - name: Checkout uses: actions/checkout@v4 - # Configure Docker daemon to allow insecure registry (self-signed cert) - - name: Configure Docker for insecure registry - run: | - sudo mkdir -p /etc/docker - echo '{"insecure-registries": ["registry.lab.daviestechlabs.io"]}' | sudo tee /etc/docker/daemon.json - sudo systemctl restart docker || sudo service docker restart || true - sleep 2 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: buildkitd-config-inline: | - [registry."registry.lab.daviestechlabs.io"] + [registry."gitea-http.gitea.svc.cluster.local:3000"] + http = true insecure = true # Login to Docker Hub to avoid pull rate limits 
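Review bot: Pointing `REGISTRY` and `REGISTRY_HOST` at the plain-HTTP service means the registry credential sent by the later `docker login` and every pushed layer now cross the cluster network unencrypted, and the new comment frames this as avoiding "TLS cert issues" when the usual fix for a self-signed or internal CA is to trust that CA rather than drop TLS. Whether anything on the pod network path can read the token or alter layers depends on NetworkPolicy and CNI settings not visible here, so the comment should at least state the accepted risk, e.g. `# Plain HTTP inside the cluster: credentials and layers are unencrypted; relies on NetworkPolicy limiting who can reach the Gitea service`. Image references derived from `REGISTRY` will now carry `gitea-http.gitea.svc.cluster.local:3000/...`, so whatever later pulls those tags (presumably the cluster's container runtime) must resolve that name and accept HTTP for it — worth confirming. If the internal Gitea service can serve HTTPS, the stronger fix is to keep TLS and add `ca = ["/path/to/cluster-ca.crt"]` to the BuildKit registry stanza instead of `http = true`.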
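Review bot: `insecure = true` in the new buildkitd stanza skips TLS certificate verification, which does nothing for a plain-HTTP endpoint but means that if this service ever starts serving TLS on the same host, BuildKit would accept any certificate without a warning; with `http = true` now doing the work, dropping `insecure = true` keeps the stanza to `[registry."gitea-http.gitea.svc.cluster.local:3000"]` / `http = true` and fails loudly instead of silently trusting. The same stanza is repeated in the three jobs below, so the change applies to each copy. The comment `# Configure Docker daemon to allow insecure registry (self-signed cert)` removed above described why the old step existed; a one-line comment on the stanza saying the endpoint is intentionally plaintext in-cluster would preserve that context for the next reader.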
@@ -121,14 +114,11 @@ jobs: username: ${{ vars.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - # Login to Gitea registry (uses docker/login-action for buildx compatibility) + # Login to Gitea registry (direct docker login for rootless DinD compatibility) - name: Login to Gitea Registry if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY_HOST }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} + run: | + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY_HOST }} -u ${{ secrets.REGISTRY_USER }} --password-stdin - name: Extract metadata id: meta @@ -161,19 +151,12 @@ jobs: - name: Checkout uses: actions/checkout@v4 - # Configure Docker daemon to allow insecure registry (self-signed cert) - - name: Configure Docker for insecure registry - run: | - sudo mkdir -p /etc/docker - echo '{"insecure-registries": ["registry.lab.daviestechlabs.io"]}' | sudo tee /etc/docker/daemon.json - sudo systemctl restart docker || sudo service docker restart || true - sleep 2 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: buildkitd-config-inline: | - [registry."registry.lab.daviestechlabs.io"] + [registry."gitea-http.gitea.svc.cluster.local:3000"] + http = true insecure = true - name: Login to Docker Hub @@ -185,11 +168,8 @@ jobs: - name: Login to Gitea Registry if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY_HOST }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} + run: | + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY_HOST }} -u ${{ secrets.REGISTRY_USER }} --password-stdin - name: Extract metadata id: meta 
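Review bot: The replacement `docker login` talks to the Docker daemon, not to BuildKit, so the `http = true` added to the buildkitd stanza does not apply to it; a plain-HTTP host must be listed in the daemon's `insecure-registries`, and the step that wrote that setting was removed in this same commit, so unless the rootless DinD daemon is already started with `--insecure-registry gitea-http.gitea.svc.cluster.local:3000` (not visible here) this login is likely to fail with an HTTP-response-to-HTTPS-client error. Separately, `${{ secrets.REGISTRY_TOKEN }}` and `${{ secrets.REGISTRY_USER }}` are expanded by the runner straight into the shell text, so a token containing `"`, `$` or a backtick is mangled or interpreted by the shell before `docker login` sees it, and the secret becomes part of the rendered script rather than the process environment. Passing both through the step's `env:` and referencing the shell variables, with `printf '%s'` instead of `echo`, avoids both problems; the rewritten step is below.
```yaml
      - name: Login to Gitea Registry
        if: github.event_name != 'pull_request'
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" | docker login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin
```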
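Review bot: Replacing `docker/login-action@v3` with an inline `docker login` also drops the action's post-job step, which by default runs `docker logout` for the registry; the raw command leaves the Gitea credential in the runner's `~/.docker/config.json` until the job's container is torn down. On an ephemeral rootless DinD runner the window is short, but a final step `- name: Logout of Gitea Registry`, `if: always()`, `run: docker logout ${{ env.REGISTRY_HOST }}` restores the previous behaviour at no cost. The same applies to the equivalent login steps in the other three jobs.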
@@ -222,19 +202,12 @@ jobs: - name: Checkout uses: actions/checkout@v4 - # Configure Docker daemon to allow insecure registry (self-signed cert) - - name: Configure Docker for insecure registry - run: | - sudo mkdir -p /etc/docker - echo '{"insecure-registries": ["registry.lab.daviestechlabs.io"]}' | sudo tee /etc/docker/daemon.json - sudo systemctl restart docker || sudo service docker restart || true - sleep 2 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: buildkitd-config-inline: | - [registry."registry.lab.daviestechlabs.io"] + [registry."gitea-http.gitea.svc.cluster.local:3000"] + http = true insecure = true - name: Login to Docker Hub @@ -246,11 +219,8 @@ jobs: - name: Login to Gitea Registry if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY_HOST }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} + run: | + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY_HOST }} -u ${{ secrets.REGISTRY_USER }} --password-stdin - name: Extract metadata id: meta @@ -283,19 +253,12 @@ jobs: - name: Checkout uses: actions/checkout@v4 - # Configure Docker daemon to allow insecure registry (self-signed cert) - - name: Configure Docker for insecure registry - run: | - sudo mkdir -p /etc/docker - echo '{"insecure-registries": ["registry.lab.daviestechlabs.io"]}' | sudo tee /etc/docker/daemon.json - sudo systemctl restart docker || sudo service docker restart || true - sleep 2 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: buildkitd-config-inline: | - [registry."registry.lab.daviestechlabs.io"] + [registry."gitea-http.gitea.svc.cluster.local:3000"] + http = true insecure = true - name: Login to Docker Hub 
@@ -307,11 +270,8 @@ jobs: - name: Login to Gitea Registry if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY_HOST }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} + run: | + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY_HOST }} -u ${{ secrets.REGISTRY_USER }} --password-stdin - name: Extract metadata id: meta
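Review bot: This hunk is the fourth identical edit of the buildx-and-login block; the registry endpoint, the `http`/`insecure` stanza and the credential handling are now maintained by hand in four jobs, and a future change that lands in three of them leaves one job pushing to the wrong place or with stale settings. A single build job with a `strategy.matrix` over the images, or a composite action wrapping the setup-buildx and login steps, would make each of the changes in this commit a one-place edit. If the jobs must stay separate, at least reference `${{ env.REGISTRY_HOST }}` inside the inline buildkitd config (expressions should be evaluated in `with:` inputs as well) so the host is defined once in `env:` rather than hard-coded in four stanzas.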