Added actions statefulset

2024-01-05 20:19:24 +01:00 · 2024-01-05 20:19:24 +01:00 · 440560ef0b
commit 440560ef0b
parent d77793a52b
4 changed files with 141 additions and 178 deletions
--- a/templates/gitea/actions-job.yaml
+++ b/templates/gitea/actions-job.yaml
@ -161,7 +161,6 @@ metadata:
  annotations:
    # helm.sh/hook: post-install
    # helm.sh/hook-delete-policy: never
-    helm.sh/resource-policy: keep
    argocd.argoproj.io/hook: Skip
    argocd.argoproj.io/hook-delete-policy: Never
  name: {{ $secretName }}
@ -171,6 +170,6 @@ metadata:
 {{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
 {{ if $secret -}}
 data:
-  signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }}
+  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
 {{ end -}}
 {{- end }}
--- a/templates/gitea/actions-statefulset.yaml
+++ b/templates/gitea/actions-statefulset.yaml
@ -0,0 +1,120 @@
+{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-act-runner-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    log:
+      level: debug
+    cache:
+      enabled: false    
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.actions.statefulset.labels }}
+    {{- toYaml .Values.actions.statefulset.labels | nindent 4 }}
+    {{- end }}
+  name: act-runner
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels" . | nindent 6 }}
+      {{- if .Values.actions.statefulset.labels }}
+      {{- toYaml .Values.actions.statefulset.labels | nindent 6 }}
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- if .Values.actions.statefulset.labels }}
+        {{- toYaml .Values.actions.statefulset.labels | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: busybox:latest
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z gitea-http 3000; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag | default "latest" }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secretName }}
+                  key: token
+            - name: GITEA_INSTANCE_URL
+              value: http://gitea-http:3000
+            - name: GITEA_RUNNER_LABELS
+              value: ubuntu-latest
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  - sh
+                  - -c
+                  - |
+                    apk --update add nodejs npm
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+        - name: dind
+          image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag | default "24.0.7-dind" }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+          securityContext:
+            # allowPrivilegeEscalation: true
+            privileged: true
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        resources:
+          requests:
+            storage: 1Mi
+{{- end }}
--- a/templates/gitea/actions.yaml
+++ b/templates/gitea/actions.yaml
@ -1,176 +0,0 @@
-{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- if .Values.actions.existingSecret }}
-{{- fail "Can't specify both actions.job.enabled and actions.existingSecret" }}
-{{- end }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "gitea.fullname" . }}-scripts
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-  annotations:
-    # helm.sh/hook: post-install
-    # helm.sh/hook-delete-policy: hook-succeeded
-data:
-{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ $name }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-  annotations:
-    # helm.sh/hook: post-install
-    # helm.sh/hook-delete-policy: hook-succeeded
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ $name }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-  annotations:
-    # helm.sh/hook: post-install
-    # helm.sh/hook-delete-policy: hook-succeeded
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - {{ $secretName }}
-    verbs:
-      - get
-      - update
-      - patch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ $name }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-  annotations:
-    # helm.sh/hook: post-install
-    # helm.sh/hook-delete-policy: hook-succeeded
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ $name }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ $name }}
-    namespace: {{ .Release.Namespace }}
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ $name }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-  annotations:
-    # helm.sh/hook: post-install
-    # helm.sh/hook-delete-policy: hook-succeeded
-  {{- with .Values.actions.job.annotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ttlSecondsAfterFinished: 0
-  template:
-    metadata:
-      labels:
-        {{- include "gitea.labels" . | nindent 8 }}
-        app.kubernetes.io/component: token-job
-    spec:
-      containers:
-        - name: actions-token-create
-          image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default "latest-rootless" }}"
-          imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }}
-          env:
-            - name: GITEA_APP_INI
-              value: /data/gitea/conf/app.ini
-          command:
-            - sh
-            - -c
-            - |
-              while ! nc -z gitea-http 3000; do
-                sleep 5
-              done
-
-              echo "Generating token..."
-              mkdir -p /data/actions/
-              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
-          resources:
-            {{- toYaml .Values.actions.resources | nindent 12 }}
-          volumeMounts:
-            - name: data
-              mountPath: /data
-              {{- if .Values.persistence.subPath }}
-              subPath: {{ .Values.persistence.subPath }}
-              {{- end }}
-        - name: actions-token-upload
-          image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag | default "latest" }}"
-          imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }}
-          env:
-            - name: SECRET_NAME
-              value: {{ $secretName }}
-          command:
-            - sh
-            - -c
-            - |
-              printf "Checking rights to update secret... "
-              kubectl auth can-i update secret/${SECRET_NAME}
-              /scripts/token.sh
-          resources:
-            {{- toYaml .Values.actions.resources | nindent 12 }}
-          volumeMounts:
-            - mountPath: /scripts
-              name: scripts
-              readOnly: true
-            - mountPath: /data
-              name: data
-              readOnly: true
-              {{- if .Values.persistence.subPath }}
-              subPath: {{ .Values.persistence.subPath }}
-              {{- end }}
-      restartPolicy: Never
-      serviceAccount: {{ $name }}
-      volumes:
-        - name: scripts
-          configMap:
-            name: {{ include "gitea.fullname" . }}-scripts
-            defaultMode: 0755
-        - name: data
-          persistentVolumeClaim:
-            claimName: {{ .Values.persistence.claimName }}
-  parallelism: 1
-  completions: 1
-  backoffLimit: 1
---
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    # helm.sh/hook: post-install
-    # helm.sh/hook-delete-policy: never
-    helm.sh/resource-policy: keep
-    argocd.argoproj.io/hook: Skip
-    argocd.argoproj.io/hook-delete-policy: Never
-  name: {{ $secretName }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
-{{ if $secret -}}
-data:
-  signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }}
-{{ end -}}
-{{- end }}
--- a/values.yaml
+++ b/values.yaml
@ -345,6 +345,12 @@ signing:
 ## @section GiteaActions
 #
 ## @param actions.statefulset.enabled Create an act-runner StatefulSet.
+## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image
+## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag
+## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy
+## @param actions.statefulset.dindImage.repository The Docker-in-Docker image
+## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag
+## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy
 ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret
 ## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token`
 ## @param actions.job.tokenImage.tag The token image tag that can create a token
@ -358,6 +364,20 @@ actions:
  statefulset:
    enabled: false

+    annotations: {}
+    labels: {}
+    resources: {}
+
+    actRunnerImage:
+      repository: gitea/act_runner
+      # tag: latest
+      pullPolicy: IfNotPresent
+
+    dindImage:
+      repository: docker
+      # tag: 24.0.7-dind
+      pullPolicy: IfNotPresent
+
  job:
    enabled: false