diff --git a/templates/gitea/actions-job.yaml b/templates/gitea/actions-job.yaml
index 4e3e130..881fd83 100644
--- a/templates/gitea/actions-job.yaml
+++ b/templates/gitea/actions-job.yaml
@@ -161,7 +161,6 @@ metadata:
 annotations:
 # helm.sh/hook: post-install
 # helm.sh/hook-delete-policy: never
- helm.sh/resource-policy: keep
 argocd.argoproj.io/hook: Skip
 argocd.argoproj.io/hook-delete-policy: Never
 name: {{ $secretName }}
@@ -171,6 +170,6 @@ metadata:
 {{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
 {{ if $secret -}}
 data:
- signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }}
+ token: {{ (b64dec (index $secret.data "token")) | b64enc }}
 {{ end -}}
 {{- end }}
diff --git a/templates/gitea/actions-statefulset.yaml b/templates/gitea/actions-statefulset.yaml
new file mode 100644
index 0000000..f0d76fc
--- /dev/null
+++ b/templates/gitea/actions-statefulset.yaml
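Review bot: The renamed lookup `token: {{ (b64dec (index $secret.data "token")) | b64enc }}` assumes any pre-existing Secret already carries a `token` key; on an upgrade from a release whose Secret only holds `signing.key`, `index` yields nil and, as far as I can tell, `b64dec` then fails the render instead of falling back to a fresh Secret. Guarding the key, e.g. `{{ if and $secret (hasKey $secret.data "token") -}}`, keeps the upgrade path working while still preserving an existing token. The `b64dec … | b64enc` round trip is also a no-op on a value that `.data` already stores base64-encoded, so `token: {{ index $secret.data "token" }}` states the intent more directly. The enclosing Secret definition starts outside this hunk.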
@@ -0,0 +1,120 @@
+{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "gitea.fullname" . }}-act-runner-config
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+data:
+ config.yaml: |
+ log:
+ level: debug
+ cache:
+ enabled: false
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ {{- if .Values.actions.statefulset.labels }}
+ {{- toYaml .Values.actions.statefulset.labels | nindent 4 }}
+ {{- end }}
+ name: act-runner
+spec:
+ selector:
+ matchLabels:
+ {{- include "gitea.selectorLabels" . | nindent 6 }}
+ {{- if .Values.actions.statefulset.labels }}
+ {{- toYaml .Values.actions.statefulset.labels | nindent 6 }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ {{- include "gitea.labels" . | nindent 8 }}
+ {{- if .Values.actions.statefulset.labels }}
+ {{- toYaml .Values.actions.statefulset.labels | nindent 8 }}
+ {{- end }}
+ spec:
+ initContainers:
+ - name: init-gitea
+ image: busybox:latest
+ command:
+ - sh
+ - -c
+ - |
+ while ! nc -z gitea-http 3000; do
+ sleep 5
+ done
+ containers:
+ - name: act-runner
+ image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag | default "latest" }}"
+ imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }}
+ workingDir: /data
+ env:
+ - name: DOCKER_HOST
+ value: tcp://127.0.0.1:2376
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ - name: DOCKER_CERT_PATH
+ value: /certs/server
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $secretName }}
+ key: token
+ - name: GITEA_INSTANCE_URL
+ value: http://gitea-http:3000
+ - name: GITEA_RUNNER_LABELS
+ value: ubuntu-latest
+ - name: CONFIG_FILE
+ value: /actrunner/config.yaml
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - sh
+ - -c
+ - |
+ apk --update add nodejs npm
+ volumeMounts:
+ - mountPath: /actrunner/config.yaml
+ name: act-runner-config
+ subPath: config.yaml
+ - mountPath: /certs/server
+ name: docker-certs
+ - mountPath: /data
+ name: data-act-runner
+ - name: dind
+ image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag | default "24.0.7-dind" }}"
+ imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }}
+ env:
+ - name: DOCKER_HOST
+ value: tcp://127.0.0.1:2376
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ - name: DOCKER_CERT_PATH
+ value: /certs/server
+ securityContext:
+ # allowPrivilegeEscalation: true
+ privileged: true
+ volumeMounts:
+ - mountPath: /certs/server
+ name: docker-certs
+ volumes:
+ - name: act-runner-config
+ configMap:
+ name: {{ include "gitea.fullname" . }}-act-runner-config
+ - name: docker-certs
+ emptyDir: {}
+ volumeClaimTemplates:
+ - metadata:
+ name: data-act-runner
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: 1Mi
+{{- end }}
diff --git a/templates/gitea/actions.yaml b/templates/gitea/actions.yaml
deleted file mode 100644
index 4e3e130..0000000
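Review bot: The StatefulSet's `selector.matchLabels` and pod labels are built only from `gitea.selectorLabels` plus optional user labels, with nothing that distinguishes runner pods from the Gitea pods; if the chart's Services select on that same helper output (the init container itself waits on `gitea-http`), they would also route to the runner pods, which serve nothing on that port. Adding `app.kubernetes.io/component: act-runner` under `matchLabels` and under `template.metadata.labels` (mirroring the `app.kubernetes.io/component: token-job` label the token-job resources carry) avoids that and makes the pods selectable on their own. The `dind` container runs with `privileged: true`, which Docker-in-Docker needs but which is effectively root on the node, so a comment stating why it is required and a mention in the values documentation would let operators weigh it; likewise `image: busybox:latest` is unpinned and the `postStart` `apk --update add nodejs npm` fetches packages from the network on every pod start, so the runner's toolchain is not reproducible. Note also that `.Values.actions.statefulset.annotations` and `.resources` are never referenced in this template, and `storage: 1Mi` for the `/data` working directory looks very small for whatever the runner keeps there — worth confirming against the runner's on-disk state.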
--- a/templates/gitea/actions.yaml
+++ /dev/null
@@ -1,176 +0,0 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- if .Values.actions.existingSecret }} -{{- fail "Can't specify both actions.job.enabled and actions.existingSecret" }} -{{- end }} -{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} -{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "gitea.fullname" . }}-scripts - labels: - {{- include "gitea.labels" . | nindent 4 }} - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -data: -{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -rules: - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - {{ $secretName }} - verbs: - - get - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $name }} -subjects: - - kind: ServiceAccount - name: {{ $name }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . 
| nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded - {{- with .Values.actions.job.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ttlSecondsAfterFinished: 0 - template: - metadata: - labels: - {{- include "gitea.labels" . | nindent 8 }} - app.kubernetes.io/component: token-job - spec: - containers: - - name: actions-token-create - image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default "latest-rootless" }}" - imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }} - env: - - name: GITEA_APP_INI - value: /data/gitea/conf/app.ini - command: - - sh - - -c - - | - while ! nc -z gitea-http 3000; do - sleep 5 - done - - echo "Generating token..." - mkdir -p /data/actions/ - gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token - resources: - {{- toYaml .Values.actions.resources | nindent 12 }} - volumeMounts: - - name: data - mountPath: /data - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - - name: actions-token-upload - image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag | default "latest" }}" - imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }} - env: - - name: SECRET_NAME - value: {{ $secretName }} - command: - - sh - - -c - - | - printf "Checking rights to update secret... 
" - kubectl auth can-i update secret/${SECRET_NAME} - /scripts/token.sh - resources: - {{- toYaml .Values.actions.resources | nindent 12 }} - volumeMounts: - - mountPath: /scripts - name: scripts - readOnly: true - - mountPath: /data - name: data - readOnly: true - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - restartPolicy: Never - serviceAccount: {{ $name }} - volumes: - - name: scripts - configMap: - name: {{ include "gitea.fullname" . }}-scripts - defaultMode: 0755 - - name: data - persistentVolumeClaim: - claimName: {{ .Values.persistence.claimName }} - parallelism: 1 - completions: 1 - backoffLimit: 1 ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: never - helm.sh/resource-policy: keep - argocd.argoproj.io/hook: Skip - argocd.argoproj.io/hook-delete-policy: Never - name: {{ $secretName }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job -{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} -{{ if $secret -}} -data: - signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }} -{{ end -}} -{{- end }} diff --git a/values.yaml b/values.yaml index 729fc46..6389fc6 100644 --- a/values.yaml +++ b/values.yaml 
@@ -345,6 +345,12 @@ signing:
 ## @section GiteaActions
 #
 ## @param actions.statefulset.enabled Create an act-runner StatefulSet.
+## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image
+## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag
+## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy
+## @param actions.statefulset.dindImage.repository The Docker-in-Docker image
+## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag
+## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy
 ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret
 ## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token`
 ## @param actions.job.tokenImage.tag The token image tag that can create a token
@@ -358,6 +364,20 @@ actions:
 statefulset:
 enabled: false
+ annotations: {}
+ labels: {}
+ resources: {}
+
+ actRunnerImage:
+ repository: gitea/act_runner
+ # tag: latest
+ pullPolicy: IfNotPresent
+
+ dindImage:
+ repository: docker
+ # tag: 24.0.7-dind
+ pullPolicy: IfNotPresent
+
 job:
 enabled: false
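Review bot: `annotations: {}` and `resources: {}` added under `actions.statefulset` are not consumed by the new `templates/gitea/actions-statefulset.yaml`, which reads only `.labels` and the two image maps, so values set there are silently ignored; either wire them in (`{{- with .Values.actions.statefulset.annotations }}` on the StatefulSet metadata and `resources:` on the act-runner container) or drop them. The first hunk adds `## @param` lines for the image fields but none for `annotations`, `labels` or `resources`, so the generated parameter table will miss them; add e.g. `## @param actions.statefulset.labels Additional labels for the act-runner StatefulSet and its pods`. The commented `# tag: latest` also leaves the runner image floating while `dindImage` defaults to the pinned `24.0.7-dind`, so a short comment on why the two differ, or a pinned runner tag, would make the defaults consistent.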