fix: remove CI tailscale dependency and allow runner CIDR exception

2026-03-01 14:08:08 +00:00
parent 0d83ef45c1
commit 86c38e385f
4 changed files with 9 additions and 39 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -17,6 +17,8 @@ env:
  TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
  TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
  TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
+  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}

 jobs:
  terraform:
@@ -191,42 +193,9 @@ jobs:
          apt-get update && apt-get install -y python3-pip
          pip3 install --break-system-packages ansible kubernetes jinja2 pyyaml

-      - name: Install Tailscale on runner
-        run: curl -fsSL https://tailscale.com/install.sh | sh
-
-      - name: Start tailscaled daemon
+      - name: Note runner connectivity mode
        run: |
-          set -e
-          if command -v systemctl >/dev/null 2>&1; then
-            systemctl enable --now tailscaled || true
-          fi
-          if ! pgrep -x tailscaled >/dev/null 2>&1; then
-            service tailscaled start || true
-          fi
-          if ! pgrep -x tailscaled >/dev/null 2>&1; then
-            mkdir -p /var/run/tailscale /var/lib/tailscale
-            nohup tailscaled --state=/var/lib/tailscale/tailscaled.state >/tmp/tailscaled.log 2>&1 &
-          fi
-          for i in $(seq 1 30); do
-            tailscale status >/dev/null 2>&1 && exit 0
-            sleep 1
-          done
-          echo "tailscaled failed to start"
-          if [ -f /tmp/tailscaled.log ]; then cat /tmp/tailscaled.log; fi
-          exit 1
-
-      - name: Connect runner to tailnet
-        run: |
-          tailscale up \
-            --authkey "${{ secrets.TAILSCALE_CI_AUTH_KEY }}" \
-            --hostname "gitea-runner-${{ github.run_number }}" \
-            --ssh=false \
-            --accept-routes=false
-
-      - name: Verify runner tailnet status
-        run: |
-          tailscale status
-          tailscale ip -4
+          echo "Using runner public network access with RUNNER_ALLOWED_CIDRS for SSH/API"

      - name: Install Ansible Collections
        run: ansible-galaxy collection install -r ansible/requirements.yml
--- a/.gitea/workflows/destroy.yml
+++ b/.gitea/workflows/destroy.yml
@@ -16,6 +16,8 @@ env:
  TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
  TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
  TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
+  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}

 jobs:
  destroy: