Support custom envs for Action DinD container (#722 )

Follow-up to https://gitea.com/gitea/helm-chart/pulls/666. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/722 Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Add Gitea Actions act runner (#666 )
2024-11-10 14:02:15 +00:00 · 2024-11-10 13:35:56 +00:00 · 2024-10-18 15:14:56 +00:00 · 2024-10-18 15:09:14 +00:00 · 2024-10-18 13:50:35 +00:00 · 2024-10-18 13:44:37 +00:00
40 changed files with 1584 additions and 33 deletions
--- a/Chart.yaml
+++ b/Chart.yaml
@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.22.2
+appVersion: 1.22.3
 icon: https://gitea.com/assets/img/logo.svg

 keywords:
--- a/README.md
+++ b/README.md
@ -45,6 +45,7 @@
  - [Persistence](#persistence-1)
  - [Init](#init)
  - [Signing](#signing)
+  - [Gitea Actions](#gitea-actions)
  - [Gitea](#gitea)
  - [LivenessProbe](#livenessprobe)
  - [ReadinessProbe](#readinessprobe)
@ -420,6 +421,9 @@ gitea:

 postgresql:
  enabled: false
+
+postgresql-ha:
+  enabled: false
 ```

 ### Ports and external url
@ -498,6 +502,9 @@ redis-cluster:
  enabled: true
 ```

+⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690).
+Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed.
+
 ### Persistence

 Gitea will be deployed as a deployment.
@ -849,13 +856,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo

 ### Global

-| Name                      | Description                                                               | Value |
-| ------------------------- | ------------------------------------------------------------------------- | ----- |
-| `global.imageRegistry`    | global image registry override                                            | `""`  |
-| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
-| `global.storageClass`     | global storage class override                                             | `""`  |
-| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
-| `replicaCount`            | number of replicas for the deployment                                     | `1`   |
+| Name                      | Description                                                                                    | Value |
+| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry`    | global image registry override                                                                 | `""`  |
+| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets`                      | `[]`  |
+| `global.storageClass`     | global storage class override                                                                  | `""`  |
+| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files                                | `[]`  |
+| `namespace`               | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""`  |
+| `replicaCount`            | number of replicas for the deployment                                                          | `1`   |

 ### strategy

@ -976,6 +984,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.storageClass`                        | Name of the storage class to use                                                                      | `nil`                  |
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
+| `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@ -999,25 +1008,65 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |

+### Gitea Actions
+
+| Name                                           | Description                                                                                                                                 | Value                          |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `actions.enabled`                              | Create an act runner StatefulSet.                                                                                                           | `false`                        |
+| `actions.init.image.repository`                | The image used for the init containers                                                                                                      | `busybox`                      |
+| `actions.init.image.tag`                       | The image tag used for the init containers                                                                                                  | `1.36.1`                       |
+| `actions.statefulset.annotations`              | Act runner annotations                                                                                                                      | `{}`                           |
+| `actions.statefulset.labels`                   | Act runner labels                                                                                                                           | `{}`                           |
+| `actions.statefulset.resources`                | Act runner resources                                                                                                                        | `{}`                           |
+| `actions.statefulset.nodeSelector`             | NodeSelector for the statefulset                                                                                                            | `{}`                           |
+| `actions.statefulset.tolerations`              | Tolerations for the statefulset                                                                                                             | `[]`                           |
+| `actions.statefulset.affinity`                 | Affinity for the statefulset                                                                                                                | `{}`                           |
+| `actions.statefulset.actRunner.repository`     | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `actions.statefulset.actRunner.tag`            | The Gitea act runner tag                                                                                                                    | `0.2.11`                       |
+| `actions.statefulset.actRunner.pullPolicy`     | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.actRunner.config`         | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
+| `actions.statefulset.dind.repository`          | The Docker-in-Docker image                                                                                                                  | `docker`                       |
+| `actions.statefulset.dind.tag`                 | The Docker-in-Docker image tag                                                                                                              | `25.0.2-dind`                  |
+| `actions.statefulset.dind.pullPolicy`          | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.dind.extraEnvs`           | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
+| `actions.provisioning.enabled`                 | Create a job that will create and save the token in a Kubernetes Secret                                                                     | `false`                        |
+| `actions.provisioning.annotations`             | Job's annotations                                                                                                                           | `{}`                           |
+| `actions.provisioning.labels`                  | Job's labels                                                                                                                                | `{}`                           |
+| `actions.provisioning.resources`               | Job's resources                                                                                                                             | `{}`                           |
+| `actions.provisioning.nodeSelector`            | NodeSelector for the job                                                                                                                    | `{}`                           |
+| `actions.provisioning.tolerations`             | Tolerations for the job                                                                                                                     | `[]`                           |
+| `actions.provisioning.affinity`                | Affinity for the job                                                                                                                        | `{}`                           |
+| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed                                          | `300`                          |
+| `actions.provisioning.publish.repository`      | The image that can create the secret via kubectl                                                                                            | `bitnami/kubectl`              |
+| `actions.provisioning.publish.tag`             | The publish image tag that can create the secret                                                                                            | `1.29.0`                       |
+| `actions.provisioning.publish.pullPolicy`      | The publish image pullPolicy that can create the secret                                                                                     | `IfNotPresent`                 |
+| `actions.existingSecret`                       | Secret that contains the token                                                                                                              | `""`                           |
+| `actions.existingSecretKey`                    | Secret key                                                                                                                                  | `""`                           |
+
 ### Gitea

-| Name                                   | Description                                                                                                                   | Value                |
-| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
-| `gitea.admin.username`                 | Username for the Gitea admin user                                                                                             | `gitea_admin`        |
-| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                                                                        | `nil`                |
-| `gitea.admin.password`                 | Password for the Gitea admin user                                                                                             | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                    | Email for the Gitea admin user                                                                                                | `gitea@local.domain` |
-| `gitea.admin.passwordMode`             | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated`        |
-| `gitea.metrics.enabled`                | Enable Gitea metrics                                                                                                          | `false`              |
-| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor                                                                                          | `false`              |
-| `gitea.ldap`                           | LDAP configuration                                                                                                            | `[]`                 |
-| `gitea.oauth`                          | OAuth configuration                                                                                                           | `[]`                 |
-| `gitea.config.server.SSH_PORT`         | SSH port for rootlful Gitea image                                                                                             | `22`                 |
-| `gitea.config.server.SSH_LISTEN_PORT`  | SSH port for rootless Gitea image                                                                                             | `2222`               |
-| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                                                                             | `[]`                 |
-| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables                                                                   | `[]`                 |
-| `gitea.podAnnotations`                 | Annotations for the Gitea pod                                                                                                 | `{}`                 |
-| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Gitea image.                                                     | `INFO`               |
+| Name                                         | Description                                                                                                                    | Value                |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
+| `gitea.admin.username`                       | Username for the Gitea admin user                                                                                              | `gitea_admin`        |
+| `gitea.admin.existingSecret`                 | Use an existing secret to store admin user credentials                                                                         | `nil`                |
+| `gitea.admin.password`                       | Password for the Gitea admin user                                                                                              | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
+| `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
+| `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
+| `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
+| `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
+| `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |
+| `gitea.metrics.serviceMonitor.scheme`        | HTTP scheme to use for scraping. For example `http` or `https`. Default is http.                                               | `""`                 |
+| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.                           | `""`                 |
+| `gitea.metrics.serviceMonitor.tlsConfig`     | TLS configuration to use when scraping the metric endpoint by Prometheus.                                                      | `{}`                 |
+| `gitea.ldap`                                 | LDAP configuration                                                                                                             | `[]`                 |
+| `gitea.oauth`                                | OAuth configuration                                                                                                            | `[]`                 |
+| `gitea.config.server.SSH_PORT`               | SSH port for rootlful Gitea image                                                                                              | `22`                 |
+| `gitea.config.server.SSH_LISTEN_PORT`        | SSH port for rootless Gitea image                                                                                              | `2222`               |
+| `gitea.additionalConfigSources`              | Additional configuration from secret or configmap                                                                              | `[]`                 |
+| `gitea.additionalConfigFromEnvs`             | Additional configuration sources from environment variables                                                                    | `[]`                 |
+| `gitea.podAnnotations`                       | Annotations for the Gitea pod                                                                                                  | `{}`                 |
+| `gitea.ssh.logLevel`                         | Configure OpenSSH's log level. Only available for root-based Gitea image.                                                      | `INFO`               |

 ### LivenessProbe

--- a/readme-actions-dev.md
+++ b/readme-actions-dev.md
@ -0,0 +1,34 @@
+# Gitea Actions
+
+In order to use the Gitea Actions act-runner you must either:
+
+- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
+- create a secret containing the act runner token and reference it as a `existingSecret`
+
+In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
+    `gitea actions generate-runner-token`
+
+This command will out a token that is needed by the act-runner to register with the Gitea backend.
+
+Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
+
+1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
+2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
+the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
+
+After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
+
+1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
+2) `dind`: DockerInDocker image that is used to run the actions
+
+If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
+In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
+the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
+
+```yaml
+actions:
+  provisioning:
+    enabled: false
+  existingSecret: "secret-name"
+  existingSecretKey: "secret-key"
+```
--- a/scripts/token.sh
+++ b/scripts/token.sh
@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+timeout_delay=15
+
+check_token() {
+  set +e
+
+  echo "Checking for existing token..."
+  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$token" ] && return 2
+  return 0
+}
+
+create_token() {
+  echo "Waiting for new token to be generated..."
+  begin=$(date +%s)
+  end=$((begin + timeout_delay))
+  while true; do
+    [ -f /data/actions/token ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_token() {
+  echo "Storing the token in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
+}
+
+if check_token; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_token; then
+  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
+  exit 1
+fi
+
+store_token
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}

+{{/*
+Create a default worker name.
+*/}}
+{{- define "gitea.workername" -}}
+{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}

+{{- define "gitea.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}-act-runner
+{{ include "gitea.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

+{{- define "gitea.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@ -199,6 +220,15 @@ https
 {{- end -}}
 {{- end -}}

+{{- define "gitea.act_runner.local_root_url" -}}
+{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+    {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
+{{- else -}}
+  {{/* fallback for allowing to overwrite this value via inline config */}}
+  {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
  {{- include "gitea.inline_configuration.init" . -}}
  {{- include "gitea.inline_configuration.defaults" . -}}
@ -263,6 +293,9 @@ https
  {{- if not (hasKey .Values.gitea.config "indexer") -}}
    {{- $_ := set .Values.gitea.config "indexer" dict -}}
  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "actions") -}}
+    {{- $_ := set .Values.gitea.config "actions" dict -}}
+  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults" -}}
@ -309,6 +342,9 @@ https
  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
  {{- end -}}
+  {{- if not .Values.gitea.config.actions.ENABLED -}}
+     {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
+  {{- end -}}
 {{- end -}}

 {{- define "gitea.inline_configuration.defaults.server" -}}
@ -328,6 +364,9 @@ https
  {{- if not .Values.gitea.config.server.ROOT_URL -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
  {{- end -}}
+  {{- if .Values.actions.enabled -}}
+     {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
+  {{- end -}}
  {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
  {{- end -}}
@ -408,3 +447,21 @@ https
 {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
 {{- end -}}
 {{- end -}}
+
+{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
+{{- define "gitea.deployment.probe" -}}
+  {{- $probe := unset . "enabled" -}}
+  {{- $probeKeys := keys $probe -}}
+  {{- $containsCustomMethod := false -}}
+  {{- $chartDefaultMethod := "tcpSocket" -}}
+  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
+  {{- range $probeKeys -}}
+    {{- if has . $nonChartDefaultMethods -}}
+      {{- $containsCustomMethod = true -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if $containsCustomMethod -}}
+    {{- $probe = unset . $chartDefaultMethod -}}
+  {{- end -}}
+  {{- toYaml $probe -}}
+{{- end -}}
--- a/templates/gitea/act_runner/01-consistency-checks.yaml
+++ b/templates/gitea/act_runner/01-consistency-checks.yaml
@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled -}}
+    {{- if .Values.actions.provisioning.enabled -}}
+        {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
+            {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
+        {{- end -}}
+        {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
+            {{- if .Values.actions.existingSecret -}}
+                {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+    {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
+        {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
+    {{- end -}}
+{{- end -}}
--- a/templates/gitea/act_runner/config-act-runner.yaml
+++ b/templates/gitea/act_runner/config-act-runner.yaml
@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-act-runner-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- with .Values.actions.statefulset.actRunner.config -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+{{- end }}
--- a/templates/gitea/act_runner/config-scripts.yaml
+++ b/templates/gitea/act_runner/config-scripts.yaml
@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-scripts
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/job.yaml
+++ b/templates/gitea/act_runner/job.yaml
@ -0,0 +1,114 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.actions.provisioning.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: token-job
+  annotations:
+    {{- with .Values.actions.provisioning.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- with .Values.actions.provisioning.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app.kubernetes.io/component: token-job
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: actions-token-create
+          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+          command:
+            - sh
+            - -c
+            - |
+              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
+              mkdir -p /data/actions/
+              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+        - name: actions-token-upload
+          image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
+          imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
+          env:
+            - name: SECRET_NAME
+              value: {{ $secretName }}
+          command:
+            - sh
+            - -c
+            - |
+              printf "Checking rights to update kubernetes act_runner secret..."
+              kubectl auth can-i update secret/${SECRET_NAME}
+              /scripts/token.sh
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+              readOnly: true
+            - mountPath: /data
+              name: data
+              readOnly: true
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+      {{- with .Values.actions.provisioning.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      serviceAccount: {{ $name }}
+      volumes:
+        - name: scripts
+          configMap:
+            name: {{ include "gitea.fullname" . }}-scripts
+            defaultMode: 0755
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.claimName }}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/role-job.yaml
+++ b/templates/gitea/act_runner/role-job.yaml
@ -0,0 +1,25 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ $secretName }}
+    verbs:
+      - get
+      - update
+      - patch
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/rolebinding-job.yaml
+++ b/templates/gitea/act_runner/rolebinding-job.yaml
@ -0,0 +1,22 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/secret-token.yaml
+++ b/templates/gitea/act_runner/secret-token.yaml
@ -0,0 +1,19 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ if $secret -}}
+data:
+  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
+{{ end -}}
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/serviceaccount-job.yaml
+++ b/templates/gitea/act_runner/serviceaccount-job.yaml
@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{- end }}
+{{- end }}
--- a/templates/gitea/act_runner/statefulset.yaml
+++ b/templates/gitea/act_runner/statefulset.yaml
@ -0,0 +1,117 @@
+{{- if .Values.actions.enabled }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.labels.actRunner" . | nindent 4 }}
+    {{- with .Values.actions.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.actions.statefulset.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "gitea.fullname" . }}-act-runner
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels.actRunner" . | nindent 8 }}
+        {{- with .Values.actions.statefulset.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.actions.existingSecret | default $secretName }}"
+                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
+            - name: GITEA_INSTANCE_URL
+              value: {{ include "gitea.act_runner.local_root_url" . }}
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+        - name: dind
+          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            {{- if .Values.actions.statefulset.dind.extraEnvs }}
+            {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+      {{- with .Values.actions.statefulset.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "gitea.persistence.storageClass" . | nindent 8 }}
+        resources:
+          requests:
+            storage: 1Mi
+{{- end }}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@ -12,6 +13,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
    {{- if .Values.deployment.annotations }}
    {{- toYaml .Values.deployment.annotations | nindent 4 }}
@ -311,15 +312,15 @@ spec:
            {{- end }}
          {{- if .Values.gitea.livenessProbe.enabled }}
          livenessProbe:
-            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.readinessProbe.enabled }}
          readinessProbe:
-            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }}
          {{- end }}
          {{- if .Values.gitea.startupProbe.enabled }}
          startupProbe:
-            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
@ -339,6 +340,9 @@ spec:
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
            {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
      {{- with .Values.global.hostAliases }}
      hostAliases:
        {{- toYaml . | nindent 8 }}
@ -402,4 +406,4 @@ spec:
  {{- else if not .Values.persistence.enabled }}
        - name: data
          emptyDir: {}
-  {{- end }}
+  {{- end }}
--- a/templates/gitea/gpg-secret.yaml
+++ b/templates/gitea/gpg-secret.yaml
@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
--- a/templates/gitea/http-svc.yaml
+++ b/templates/gitea/http-svc.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.service.http.labels }}
--- a/templates/gitea/ingress.yaml
+++ b/templates/gitea/ingress.yaml
@ -13,6 +13,7 @@ apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
  name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
  annotations:
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
--- a/templates/gitea/poddisruptionbudget.yaml
+++ b/templates/gitea/poddisruptionbudget.yaml
@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
--- a/templates/gitea/pvc.yaml
+++ b/templates/gitea/pvc.yaml
@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
  labels:
--- a/templates/gitea/serviceaccount.yaml
+++ b/templates/gitea/serviceaccount.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@ -1,8 +1,9 @@
-{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@ -14,4 +15,21 @@ spec:
      {{- include "gitea.selectorLabels" . | nindent 6 }}
  endpoints:
  - port: http
+    {{- if .Values.gitea.metrics.serviceMonitor.interval }}
+    interval: {{ .Values.gitea.metrics.serviceMonitor.interval }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scheme }}
+    scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }}
+    {{- end }}
+    {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }}
+    {{- end }}
+    {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
 {{- end -}}
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.service.ssh.labels }}
--- a/templates/tests/test-http-connection.yaml
+++ b/templates/tests/test-http-connection.yaml
@ -3,6 +3,7 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: "{{ include "gitea.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
 {{ include "gitea.labels" . | nindent 4 }}
  annotations:
--- a/unittests/act_runner/01-consistency-checks.yaml
+++ b/unittests/act_runner/01-consistency-checks.yaml
@ -0,0 +1,69 @@
+suite: actions template | consistency checks
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/01-consistency-checks.yaml
+tests:
+  - it: fails when provisioning is enabled BUT persistence is completely disabled
+    set:
+      persistence:
+        enabled: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
+    set:
+      persistence:
+        enabled: true
+        mount: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled AND existingSecret is given
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+        existingSecret: "secret-reference"
+    asserts:
+      - failedTemplate:
+          errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
+  - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecretKey is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecret: "my-secret"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecret is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
--- a/unittests/act_runner/config-act-runner.yaml
+++ b/unittests/act_runner/config-act-runner.yaml
@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: actions template | config-act-runner
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ConfigMap
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          actRunner:
+            config: |
+              log:
+                level: info
+              cache:
+                enabled: false
+              runner:
+                labels:
+                  - "ubuntu-latest"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-act-runner-config
+      - equal:
+          path: data["config.yaml"]
+          value: |
+            log:
+              level: info
+            cache:
+              enabled: false
+            runner:
+              labels:
+                - "ubuntu-latest"
--- a/unittests/act_runner/config-scripts.yaml
+++ b/unittests/act_runner/config-scripts.yaml
@ -0,0 +1,49 @@
+suite: actions template | config-scripts
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-scripts.yaml
+tests:
+  - it: renders a ConfigMap when all criteria are met
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-scripts
+      - isNotNullOrEmpty:
+          path: data["token.sh"]
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/unittests/act_runner/job.yaml
+++ b/unittests/act_runner/job.yaml
@ -0,0 +1,65 @@
+suite: actions template | job
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to have a pinned version for comparison
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/act_runner/job.yaml
+tests:
+  - it: renders a Job
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Job
+          apiVersion: batch/v1
+          name: gitea-unittests-actions-token-job
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      image.tag: "1.19.4"
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+          publish:
+            tag: "1.29.0"
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.4-rootless"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "bitnami/kubectl:1.29.0"
+  - it: doesn't renders a Job by default
+    template: templates/gitea/act_runner/job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
justusbunsi	7b892431d6	Support custom envs for Action DinD container (#722 ) Follow-up to https://gitea.com/gitea/helm-chart/pulls/666. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/722 Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>	2024-11-10 14:02:15 +00:00
vjm	f7c66c0336	Add Gitea Actions act runner (#666 ) Co-authored-by: dementhorr <dementhorr@proton.me> Co-authored-by: Vince Montalbano <vince.montalbano@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/666 Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com> Co-authored-by: vjm <vjm@noreply.gitea.com> Co-committed-by: vjm <vjm@noreply.gitea.com>	2024-11-10 13:35:56 +00:00
justusbunsi	5c7e78b467	Bump Gitea to 1.22.3 (#718 ) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/718 Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>	2024-10-18 15:14:56 +00:00
justusbunsi	478af4e381	Fix probe definition overrides (#717 ) ### Description of the change This fixes an issue when trying to apply a custom probe that is not `tcpSocket`. ### Benefits Custom probes 🥳 ### Applicable issues - Fixes #694 ### Checklist - [x] Templating unittests are added Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/717 Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>	2024-10-18 15:09:14 +00:00
justusbunsi	7c4d6c3797	Fix configuration in "external database" docs (#716 ) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/716 Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>	2024-10-18 13:50:35 +00:00
rossigee	aa9808bc27	Add 'extraContainers' parameter (#697 ) ### Description of the change Adds an 'extraContainers' parameter. ### Benefits Users will be able to run sidecar containers as required by their environment. ### Possible drawbacks N/A ### Applicable issues - Fixes #696 ### Checklist - [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/697 Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com> Co-authored-by: rossigee <rossigee@noreply.gitea.com> Co-committed-by: rossigee <rossigee@noreply.gitea.com>	2024-10-18 13:44:37 +00:00
SorsOps	a08e39f8ff	Fix namespace templating inconsistencies (#713 ) ### Description of the change Added namespaces to all the template files to better support alternate templaters in gitops systems ### Benefits Gitops system that have different ways of handling helm templates can actually deploy this chart correct, especially through subcharts ### Possible drawbacks Potential regression when upgrading, though this should be unlikely per @jessesanford 's comments with it defaulting back to the existing behaviour ### Applicable issues - Addresses https://gitea.com/gitea/helm-chart/issues/630 - Addresses https://gitea.com/gitea/helm-chart/issues/557 - Addresses https://gitea.com/gitea/helm-chart/issues/623 ### Checklist - [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [X] Breaking changes are documented in the `README.md` Co-authored-by: SorsOps <80043879+sorsOps@users.noreply.github.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/713 Reviewed-by: pat-s <pat-s@noreply.gitea.com> Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com> Co-authored-by: SorsOps <sorsops@noreply.gitea.com> Co-committed-by: SorsOps <sorsops@noreply.gitea.com>	2024-10-08 16:40:23 +00:00
pat-s	c039673e5a	Add comments about redis password policy (#706 ) fix #690 Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/706 Co-authored-by: pat-s <patrick.schratz@gmail.com> Co-committed-by: pat-s <patrick.schratz@gmail.com>	2024-09-19 21:59:47 +00:00
Markus Pesch	e636984db1	feat(serviceMonitor): custom configuration (#710 ) This patch extends the serviceMonitor resource to specify a custom TLS configuration used by prometheus to scrape the metrics. Furthermore, the interval and scrapeTimeout can now be adapted without changing the global defaults of the prometheus instance. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/710 Reviewed-by: pat-s <pat-s@noreply.gitea.com> Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems> Co-committed-by: Markus Pesch <markus.pesch@cryptic.systems>	2024-09-18 17:55:28 +00:00