fix(cicd): use Kaniko Jobs for building Docker images in Gitea Actions

- Replace docker build with Kaniko Jobs (runner has no Docker daemon) - Add batch/jobs RBAC for act_runner to create Kaniko Jobs - Use MinIO ExternalName pointing to existing minio namespace - Skip build when only K8s configs changed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 20:15:20 +07:00
parent 48bb30b009
commit 43f0c79478
3 changed files with 156 additions and 161 deletions
--- a/deployments/staging/kubernetes/act-runner-rbac.yaml
+++ b/deployments/staging/kubernetes/act-runner-rbac.yaml
@@ -2,6 +2,7 @@
 # VI: RBAC cho Gitea act_runner deploy vao namespace staging
 #
 # The act_runner ServiceAccount (in gitea namespace) needs permissions to:
+#   - Create Kaniko Jobs for building Docker images
 #   - Apply manifests (deployments, services, configmaps, secrets, ingress, hpa, networkpolicies, pvc)
 #   - Patch deployments (set image, rollout restart)
 #   - Read pods/logs (rollout status)
@@ -15,6 +16,9 @@ rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services", "configmaps", "secrets", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
--- a/deployments/staging/kubernetes/minio.yaml
+++ b/deployments/staging/kubernetes/minio.yaml
@@ -1,7 +1,11 @@
-# EN: MinIO - S3-compatible object storage for file uploads and media
-# VI: MinIO - Luu tru doi tuong tuong thich S3 cho file upload va media
-apiVersion: apps/v1
-kind: Deployment
+# EN: MinIO ExternalName Service - Points to existing MinIO in minio namespace
+# VI: MinIO ExternalName Service - Tro den MinIO hien tai trong namespace minio
+#
+# Existing MinIO: https://minio.techbi.org (namespace: minio)
+# Console: https://minio-console.techbi.org
+---
+apiVersion: v1
+kind: Service
 metadata:
  name: minio
  namespace: staging
@@ -11,88 +15,8 @@ metadata:
    platform: goodgo
    tier: infrastructure
 spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: minio
-  template:
-    metadata:
-      labels:
-        app: minio
-        environment: staging
-    spec:
-      containers:
-      - name: minio
-        image: minio/minio:latest
-        command:
-        - server
-        - /data
-        - "--console-address"
-        - ":9001"
-        ports:
-        - containerPort: 9000
-          protocol: TCP
-        - containerPort: 9001
-          protocol: TCP
-        env:
-        - name: MINIO_ROOT_USER
-          valueFrom:
-            secretKeyRef:
-              name: goodgo-secrets
-              key: Storage__MinIO__AccessKey
-        - name: MINIO_ROOT_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: goodgo-secrets
-              key: Storage__MinIO__SecretKey
-        resources:
-          requests:
-            memory: "256Mi"
-            cpu: "250m"
-          limits:
-            memory: "512Mi"
-            cpu: "500m"
-        livenessProbe:
-          httpGet:
-            path: /minio/health/live
-            port: 9000
-          initialDelaySeconds: 15
-          periodSeconds: 10
-          timeoutSeconds: 5
-          failureThreshold: 3
-        readinessProbe:
-          httpGet:
-            path: /minio/health/ready
-            port: 9000
-          initialDelaySeconds: 10
-          periodSeconds: 5
-          timeoutSeconds: 3
-          failureThreshold: 3
-        volumeMounts:
-        - name: minio-data
-          mountPath: /data
-      volumes:
-      - name: minio-data
-        persistentVolumeClaim:
-          claimName: minio-pvc
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: minio
-  namespace: staging
-  labels:
-    app: minio
-    environment: staging
-spec:
-  selector:
-    app: minio
-  ports:
-  - name: minio
-    protocol: TCP
-    port: 9000
-    targetPort: 9000
-  type: ClusterIP
+  type: ExternalName
+  externalName: minio.minio.svc.cluster.local
 ---
 apiVersion: v1
 kind: Service
@@ -100,29 +24,10 @@ metadata:
  name: minio-console
  namespace: staging
  labels:
-    app: minio
+    app: minio-console
    environment: staging
+    platform: goodgo
+    tier: infrastructure
 spec:
-  selector:
-    app: minio
-  ports:
-  - name: console
-    protocol: TCP
-    port: 9001
-    targetPort: 9001
-  type: ClusterIP
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: minio-pvc
-  namespace: staging
-  labels:
-    app: minio
-    environment: staging
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 10Gi
+  type: ExternalName
+  externalName: minio-console.minio.svc.cluster.local