Spec ser8 Forgejo Actions build/test runners without moving deploy runner #507
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#507
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Design-only request from Kai: spec moving/adding the normal Forgejo Actions build/test runners on ser8. Do not implement in this run.
Intent:
deploy:hostrunner on kai-server for now because it relies on in-cluster ServiceAccount auth to deploy into kai-server k3s.Current kai-server shape to compare against:
deploy/forgejo-runner.yml- StatefulSet in namespaceforgejo,replicas: 4, per-pod DinD sidecar, labels are the stock runner labels (jobs useruns-on: docker).http://forgejo.forgejo.svc.cluster.local, which only works inside kai-server's cluster.--insecure-registry=192.168.0.194:30500, the kai-server in-cluster registry.deploy/forgejo-runner-deploy.yml- separatedeploy:hostrunner withdeployerServiceAccount and in-cluster kubectl/helm. This is explicitly out of scope for the first ser8 move.Questions the spec must answer:
forgejo.forgejo.svc.cluster.local. Decide the URL and TLS/auth implications.dockerlabel so capacity is automatic, or use a new label likedocker-ser8for a canary period? Recommend rollout sequence.192.168.0.194:30500. From ser8, decide whether to reach that registry over tailnet/LAN, mirror a registry on ser8, or publish elsewhere. Include failure modes and whether--insecure-registryremains acceptable.deploy/forgejo-runner-ser8.ymlor an ansible/fleet-reachability-style per-cluster rollout. Be explicit.Deliverable:
Acceptance for the eventual implementation is not part of this issue, but the design should enable a first canary ser8
dockerrunner, then scaling to additional replicas once image push and checkout/build workloads are proven.🔎 ward agent advisor
ward agent advisor --harness codexran a one-shot standard research pass on this question:Recommendation
The clean first design is split-plane, same Forgejo:
deploy/forgejo-runner-deploy.ymland thedeploy:hostrunner on kai-server unchanged.runs-on: dockerbuild/test capacity.This matches the repo's current shape:
deploy/forgejo-runner.ymlis today a 4-replica DinD StatefulSet inforgejo, registering againsthttp://forgejo.forgejo.svc.cluster.localand pushing to the in-cluster registry at192.168.0.194:30500.deploy/forgejo-runner-deploy.ymlis already a separatedeploy:hostsurface with adeployerServiceAccount and is explicitly the wrong thing to move first.docs/fleet-reachability.mdconfirms ser8 and kai-server are separate k3s clusters, and that ser8 does not have external-secrets today.Decisions
1. Registration path
Use
https://forgejo.coilysiren.me/asFORGEJO_INSTANCE_URLfor ser8 runners.Why this is the right default:
forgejo.forgejo.svc.cluster.localaddress is cluster-local to kai-server and cannot work from ser8.TLS/auth implications:
forgejo.coilysiren.me.Secretcreated out-of-band from SSM or operator input, never in tracked YAML.Why not the tailnet URL first:
2. Labels and scheduling
Do not put ser8 straight onto the shared
dockerlabel. Start with a canary label, then promote.Recommended rollout:
docker-ser8only.docker-ser8.dockerlabel to that same runner pool.Reasoning:
dockerimmediately, any existing image-build workflow can land there before registry reachability is solved.dockerpool is load-bearing. A bad first cut would turn random CI red instead of creating an isolated canary lane.Promotion target:
dockerso capacity becomes automatic.dockerrunners + ser8dockerrunners + kai-server-onlydeploy:host.3. Registry access
Do not mirror a second registry on ser8, and do not switch package registries in this first move. Keep kai-server's registry as the source of truth, but give ser8 a remote-safe path to it.
Best first design:
192.168.0.194:30500literal.Why this over the alternatives:
192.168.0.194:30500only works from kai-server/LAN-adjacent paths. It is the wrong address from ser8.Failure modes to call out:
--insecure-registry, that remains acceptable only as a temporary canary compromise. It is brittle and not a good permanent cross-site shape.Practical recommendation:
4. Secrets
Because ser8 lacks external-secrets, the secret flow should be bounded and imperative, mirroring the existing ser8 pattern used elsewhere in this repo.
Recommended flow:
Secretat apply time.Preference order:
Operational note:
docs/fleet-reachability.md: resolve from SSM on the control host, then create the in-cluster secret imperatively.5. Namespace and manifest ownership
Keep this infra-owned and manifest-owned in this repo.
Recommended ownership:
deploy/forgejo-runner-ser8.yml.forgejoon ser8 as well.Why:
deploy/forgejo-runner.yml.forgejonamespace keeps operational queries symmetric across clusters.Rollout method:
ansible-sync.fleet-reachability: explicit, per-cluster, and confirm-before-apply.6. Resource sizing
Current kai-server per-replica limits are effectively:
For ser8 (
57 GiB RAM,16 cores), the safest recommendation is:replicas: 1, same limits as kai-server.replicas: 2after checkout/build/image-push smoke passes.replicas: 3on ser8 before considering 4.Why 3 is the right initial target:
So the spec should say:
7. Observability
The spec should require ser8-specific identity in both labels and dashboards.
Add stable pod labels such as:
app=forgejo-runnerrunner-plane=buildrunner-cluster=ser8runner-scope=sharedorrunner-scope=canaryWhat to watch:
dockeranddocker-ser8jobsWhere visibility should come from:
/metricsfor server-side queue and Actions health where availableregister,runner, anddindfor registration loops and push failuresAlerting targets:
8. Rollback
Rollback should be one action on ser8 only.
Recommended rollback plan:
forgejo-runner-ser8to0replicas, or delete only the ser8 manifest.docker, remove thedockerlabel before or while scaling down.deploy:hostand kai-server's existing build runners untouched.This is another reason to keep:
Suggested rollout sequence
deploy/forgejo-runner-ser8.ymlwithreplicas: 1and ser8-specific labels.https://forgejo.coilysiren.me/.docker-ser8only.dockerto the ser8 runner labels.Risks and open questions
Risks
192.168.0.194:30500HTTP shape is tolerable inside the kai-server context, but it is a poor long-term contract for ser8.dockeris too risky. Without a canary label, unrelated repos will discover the migration before the operator does.Open questions the implementation issue should pin down
Bottom line
The recommended first spec is:
https://forgejo.coilysiren.me/,docker-ser8, not shareddocker,That gives a real canary without redesigning deploy credentials, while preserving the current kai-server deploy runner and existing build pool until the ser8 path proves itself.
Researched and posted automatically by
ward agent advisor --harness codex(ward#179). This is one-shot research, not a carried change - verify before acting on it.— Codex, via
ward agent