From 239ed7b214967952a84fcb1482b07e6f5ac4524c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20Groothuis?= Date: Tue, 28 Oct 2025 18:55:35 +0100 Subject: [PATCH] chore(gitea-runners): Updated values for Dind support --- manifests/artemis/gitea-runners/values.yaml | 26 ++++++++++++--------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/manifests/artemis/gitea-runners/values.yaml b/manifests/artemis/gitea-runners/values.yaml index 62c94bc..1c94a18 100644 --- a/manifests/artemis/gitea-runners/values.yaml +++ b/manifests/artemis/gitea-runners/values.yaml @@ -1,3 +1,5 @@ +# values.yaml — Gitea Actions runner with DinD over shared Unix socket (no TCP, no TLS) + enabled: true statefulset: @@ -9,7 +11,7 @@ statefulset: tolerations: [] affinity: {} - # Share only the docker.sock file between containers + # Share only the docker.sock file between dind and act-runner extraVolumes: - name: docker-socket emptyDir: {} @@ -19,7 +21,7 @@ statefulset: tag: 0.2.13 pullPolicy: IfNotPresent - # Ensure runner talks to DinD via Unix socket and never uses TLS + # Runner talks to DinD via unix socket; ensure no TLS is used extraEnvs: - name: DOCKER_HOST value: unix:///var/run/docker.sock @@ -30,13 +32,13 @@ statefulset: - name: DOCKER_TLS_VERIFY value: "" - # Mount only the socket path; avoid mounting the whole /var/run + # Mount only the socket path, not the entire /var/run (prevents "is a directory" errors) extraVolumeMounts: - name: docker-socket mountPath: /var/run/docker.sock subPath: docker.sock - # Gitea act-runner config + # Act runner config config: | log: level: info @@ -49,8 +51,8 @@ statefulset: - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04" - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04" container: - privileged: true - require_docker: true + privileged: true # required for DinD + require_docker: true # fail if docker is not reachable docker_timeout: 300s dind: 
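Review bot: The reworded comment above `extraVolumeMounts` in the `@@ -30,13 +32,13 @@` hunk says the `subPath: docker.sock` mount prevents "is a directory" errors, but it may cause them. Nothing visible creates that file in the `emptyDir` first, and as far as I know kubelet creates a missing subPath as a directory, so dockerd may be unable to bind its socket there. A file-level bind also keeps pointing at the original inode, so the runner could lose the socket if dockerd recreates it on restart. Please confirm on a fresh pod; if it fails, mount the `docker-socket` volume as a directory in both containers and point `DOCKER_HOST` and `--host` at the socket inside it. The same mount appears under `dind` in the `@@ -58,27 +60,27 @@` hunk.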
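Review bot: The new inline comment `privileged: true # required for DinD` under `container:` in the `@@ -49,8 +51,8 @@` hunk understates what the key does. As I read act_runner's config, this option sets privileged mode for the job containers the runner launches, not for the dind sidecar. Every workflow scheduled on this runner would then run privileged against the shared daemon, so the comment should name that trust boundary, e.g. `privileged: true  # job containers run privileged; only needed for nested Docker, keep this runner to trusted repos`. If jobs never start their own Docker daemon, `privileged: false` is worth testing. The `config: |` block that holds these keys begins outside this hunk.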
@@ -58,27 +60,27 @@ statefulset: tag: 28.3.3-dind pullPolicy: IfNotPresent - # Disable TLS; use only the default Unix socket + # Disable TLS and DO NOT advertise TCP; use only unix socket extraEnvs: - name: DOCKER_TLS_CERTDIR value: "" - # Uncomment if needed on your nodes: + # If your nodes require legacy iptables: # - name: DOCKER_IPTABLES_LEGACY # value: "1" - # Mount the same socket path so dockerd can create it + # Share only the docker.sock file extraVolumeMounts: - name: docker-socket mountPath: /var/run/docker.sock subPath: docker.sock - # Ensure no TCP binding; unix socket only + # Explicitly bind dockerd to the unix socket; do not bind tcp://0.0.0.0:2375 command: ["dockerd"] args: - "--host=unix:///var/run/docker.sock" - "--storage-driver=overlay2" - # Optional persistence for DinD (images/layers) + # Optional: persistence for DinD image layers (default will mount /var/lib/docker inside dind) persistence: size: 1Gi @@ -87,9 +89,11 @@ init: repository: busybox tag: "1.37.0" +# Runner registration token existingSecret: "gitea-runner-token" existingSecretKey: "token" +# Root URL of your Gitea giteaRootURL: "https://git.dgse.cloud" global:
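Review bot: The `command: ["dockerd"]` line under the rewritten "Explicitly bind dockerd…" comment probably replaces the image entrypoint. If this is the official dind image, that entrypoint script is what reads `DOCKER_TLS_CERTDIR` and `DOCKER_IPTABLES_LEGACY`. In that case the two env entries above document switches that have no effect, and the no-TCP guarantee rests on the `--host=unix:///var/run/docker.sock` argument alone. I would say so in the comment, e.g. `# command bypasses the image entrypoint: env-based TLS/iptables switches are not applied; dockerd listens only on the --host values below`, and verify in a running pod that no TCP listener exists. The image repository line is outside this hunk, so the entrypoint assumption needs confirming.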