lunny/helm-chart
1
0
Fork 0
Code Issues 36 Pull Requests 14 Actions Packages Projects Releases 93 Wiki Activity

Add Gitea Actions act runner (#666)

Browse Source 
Co-authored-by: dementhorr <dementhorr@proton.me>
Co-authored-by: Vince Montalbano <vince.montalbano@gmail.com>

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/666
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com>
Co-authored-by: vjm <vjm@noreply.gitea.com>
Co-committed-by: vjm <vjm@noreply.gitea.com>
This commit is contained in:
vjm 2024-11-10 13:35:56 +00:00 committed by justusbunsi
parent 5c7e78b467
commit f7c66c0336
24 changed files with 1142 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
README.md
View File

@ -45,6 +45,7 @@
- [Persistence](#persistence-1)
- [Init](#init)
- [Signing](#signing)
- [Gitea Actions](#gitea-actions)
- [Gitea](#gitea)
- [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe)
@ -1007,6 +1008,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea Actions
| Name | Description | Value |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `actions.enabled` | Create an act runner StatefulSet. | `false` |
| `actions.init.image.repository` | The image used for the init containers | `busybox` |
| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` |
| `actions.statefulset.annotations` | Act runner annotations | `{}` |
| `actions.statefulset.labels` | Act runner labels | `{}` |
| `actions.statefulset.resources` | Act runner resources | `{}` |
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` |
| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
| `actions.provisioning.annotations` | Job's annotations | `{}` |
| `actions.provisioning.labels` | Job's labels | `{}` |
| `actions.provisioning.resources` | Job's resources | `{}` |
| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` |
| `actions.provisioning.tolerations` | Tolerations for the job | `[]` |
| `actions.provisioning.affinity` | Affinity for the job | `{}` |
| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` |
| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
| `actions.existingSecret` | Secret that contains the token | `""` |
| `actions.existingSecretKey` | Secret key | `""` |
### Gitea
| Name | Description | Value |

34
readme-actions-dev.md Normal file
View File

@ -0,0 +1,34 @@
# Gitea Actions
In order to use the Gitea Actions act-runner you must either:
- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
- create a secret containing the act runner token and reference it as a `existingSecret`
In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
`gitea actions generate-runner-token`
This command will out a token that is needed by the act-runner to register with the Gitea backend.
Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
2) `dind`: DockerInDocker image that is used to run the actions
If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
```yaml
actions:
provisioning:
enabled: false
existingSecret: "secret-name"
existingSecretKey: "secret-key"
```

43
scripts/token.sh Normal file
View File

@ -0,0 +1,43 @@
#!/bin/sh
set -eu
timeout_delay=15
check_token() {
set +e
echo "Checking for existing token..."
token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
[ $? -ne 0 ] && return 1
[ -z "$token" ] && return 2
return 0
}
create_token() {
echo "Waiting for new token to be generated..."
begin=$(date +%s)
end=$((begin + timeout_delay))
while true; do
[ -f /data/actions/token ] && return 0
[ "$(date +%s)" -gt $end ] && return 1
sleep 5
done
}
store_token() {
echo "Storing the token in Kubernetes secret..."
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
}
if check_token; then
echo "Key already in place, exiting."
exit
fi
if ! create_token; then
echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
exit 1
fi
store_token

39
templates/_helpers.tpl
View File

@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}
{{/*
Create a default worker name.
*/}}
{{- define "gitea.workername" -}}
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- define "gitea.labels.actRunner" -}}
helm.sh/chart: {{ include "gitea.chart" . }}
app: {{ include "gitea.name" . }}-act-runner
{{ include "gitea.selectorLabels.actRunner" . }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "gitea.selectorLabels.actRunner" -}}
app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "postgresql-ha.dns" -}}
{{- if (index .Values "postgresql-ha").enabled -}}
{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@ -199,6 +220,15 @@ https
{{- end -}}
{{- end -}}
{{- define "gitea.act_runner.local_root_url" -}}
{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
{{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
{{- else -}}
{{/* fallback for allowing to overwrite this value via inline config */}}
{{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
{{- end -}}
{{- end -}}
{{- define "gitea.inline_configuration" -}}
{{- include "gitea.inline_configuration.init" . -}}
{{- include "gitea.inline_configuration.defaults" . -}}
@ -263,6 +293,9 @@ https
{{- if not (hasKey .Values.gitea.config "indexer") -}}
{{- $_ := set .Values.gitea.config "indexer" dict -}}
{{- end -}}
{{- if not (hasKey .Values.gitea.config "actions") -}}
{{- $_ := set .Values.gitea.config "actions" dict -}}
{{- end -}}
{{- end -}}
{{- define "gitea.inline_configuration.defaults" -}}
@ -309,6 +342,9 @@ https
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
{{- end -}}
{{- if not .Values.gitea.config.actions.ENABLED -}}
{{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
{{- end -}}
{{- end -}}
{{- define "gitea.inline_configuration.defaults.server" -}}
@ -328,6 +364,9 @@ https
{{- if not .Values.gitea.config.server.ROOT_URL -}}
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
{{- end -}}
{{- if .Values.actions.enabled -}}
{{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
{{- end -}}
{{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
{{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
{{- end -}}

15
templates/gitea/act_runner/01-consistency-checks.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if .Values.actions.enabled -}}
{{- if .Values.actions.provisioning.enabled -}}
{{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
{{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
{{- end -}}
{{- if and .Values.persistence.enabled .Values.persistence.mount -}}
{{- if .Values.actions.existingSecret -}}
{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
{{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
{{- end -}}
{{- end -}}

14
templates/gitea/act_runner/config-act-runner.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.actions.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitea.fullname" . }}-act-runner-config
labels:
{{- include "gitea.labels" . | nindent 4 }}
data:
config.yaml: |
{{- with .Values.actions.statefulset.actRunner.config -}}
{{ . | nindent 4}}
{{- end -}}
{{- end }}

13
templates/gitea/act_runner/config-scripts.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitea.fullname" . }}-scripts
labels:
{{- include "gitea.labels" . | nindent 4 }}
data:
{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
{{- end }}
{{- end }}

114
templates/gitea/act_runner/job.yaml Normal file
View File

@ -0,0 +1,114 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: token-job
annotations:
{{- with .Values.actions.provisioning.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
template:
metadata:
labels:
{{- include "gitea.labels" . | nindent 8 }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: token-job
spec:
initContainers:
- name: init-gitea
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
command:
- sh
- -c
- |
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
sleep 5
done
containers:
- name: actions-token-create
image: "{{ include "gitea.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
command:
- sh
- -c
- |
echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
mkdir -p /data/actions/
gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
resources:
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- name: data
mountPath: /data
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: actions-token-upload
image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
env:
- name: SECRET_NAME
value: {{ $secretName }}
command:
- sh
- -c
- |
printf "Checking rights to update kubernetes act_runner secret..."
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/token.sh
resources:
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
readOnly: true
- mountPath: /data
name: data
readOnly: true
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- with .Values.actions.provisioning.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.provisioning.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.provisioning.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: scripts
configMap:
name: {{ include "gitea.fullname" . }}-scripts
defaultMode: 0755
- name: data
persistentVolumeClaim:
claimName: {{ .Values.persistence.claimName }}
parallelism: 1
completions: 1
backoffLimit: 1
{{- end }}
{{- end }}

25
templates/gitea/act_runner/role-job.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
{{- end }}
{{- end }}

22
templates/gitea/act_runner/rolebinding-job.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

19
templates/gitea/act_runner/secret-token.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{ if $secret -}}
data:
token: {{ (b64dec (index $secret.data "token")) | b64enc }}
{{ end -}}
{{- end }}
{{- end }}

13
templates/gitea/act_runner/serviceaccount-job.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{- end }}
{{- end }}

114
templates/gitea/act_runner/statefulset.yaml Normal file
View File

@ -0,0 +1,114 @@
{{- if .Values.actions.enabled }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
{{- include "gitea.labels.actRunner" . | nindent 4 }}
{{- with .Values.actions.statefulset.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.actions.statefulset.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "gitea.fullname" . }}-act-runner
spec:
selector:
matchLabels:
{{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
template:
metadata:
labels:
{{- include "gitea.labels.actRunner" . | nindent 8 }}
{{- with .Values.actions.statefulset.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
initContainers:
- name: init-gitea
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
command:
- sh
- -c
- |
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
sleep 5
done
containers:
- name: act-runner
image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
workingDir: /data
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/server
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "{{ .Values.actions.existingSecret | default $secretName }}"
key: "{{ .Values.actions.existingSecretKey | default "token" }}"
- name: GITEA_INSTANCE_URL
value: {{ include "gitea.act_runner.local_root_url" . }}
- name: CONFIG_FILE
value: /actrunner/config.yaml
resources:
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /actrunner/config.yaml
name: act-runner-config
subPath: config.yaml
- mountPath: /certs/server
name: docker-certs
- mountPath: /data
name: data-act-runner
- name: dind
image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/server
securityContext:
privileged: true
resources:
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /certs/server
name: docker-certs
{{- with .Values.actions.statefulset.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.statefulset.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.statefulset.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: act-runner-config
configMap:
name: {{ include "gitea.fullname" . }}-act-runner-config
- name: docker-certs
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: data-act-runner
spec:
accessModes: [ "ReadWriteOnce" ]
{{- include "gitea.persistence.storageClass" . | nindent 8 }}
resources:
requests:
storage: 1Mi
{{- end }}

69
unittests/act_runner/01-consistency-checks.yaml Normal file
View File

@ -0,0 +1,69 @@
suite: actions template | consistency checks
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/01-consistency-checks.yaml
tests:
- it: fails when provisioning is enabled BUT persistence is completely disabled
set:
persistence:
enabled: false
actions:
enabled: true
provisioning:
enabled: true
asserts:
- failedTemplate:
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
set:
persistence:
enabled: true
mount: false
actions:
enabled: true
provisioning:
enabled: true
asserts:
- failedTemplate:
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- it: fails when provisioning is enabled AND existingSecret is given
set:
actions:
enabled: true
provisioning:
enabled: true
existingSecret: "secret-reference"
asserts:
- failedTemplate:
errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
- it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
set:
actions:
enabled: true
provisioning:
enabled: false
asserts:
- failedTemplate:
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
- it: fails when provisioning is disabled BUT existingSecretKey is missing
set:
actions:
enabled: true
provisioning:
enabled: false
existingSecret: "my-secret"
asserts:
- failedTemplate:
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
- it: fails when provisioning is disabled BUT existingSecret is missing
set:
actions:
enabled: true
provisioning:
enabled: false
existingSecretKey: "my-secret-key"
asserts:
- failedTemplate:
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"

45
unittests/act_runner/config-act-runner.yaml Normal file
View File

@ -0,0 +1,45 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: actions template | config-act-runner
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/config-act-runner.yaml
tests:
- it: doesn't renders a ConfigMap by default
template: templates/gitea/act_runner/config-act-runner.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a ConfigMap
template: templates/gitea/act_runner/config-act-runner.yaml
set:
actions:
enabled: true
statefulset:
actRunner:
config: |
log:
level: info
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: gitea-unittests-act-runner-config
- equal:
path: data["config.yaml"]
value: |
log:
level: info
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"

49
unittests/act_runner/config-scripts.yaml Normal file
View File

@ -0,0 +1,49 @@
suite: actions template | config-scripts
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/config-scripts.yaml
tests:
- it: renders a ConfigMap when all criteria are met
template: templates/gitea/act_runner/config-scripts.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: gitea-unittests-scripts
- isNotNullOrEmpty:
path: data["token.sh"]
- it: doesn't renders a ConfigMap by default
template: templates/gitea/act_runner/config-scripts.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
template: templates/gitea/act_runner/config-scripts.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
template: templates/gitea/act_runner/config-scripts.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

65
unittests/act_runner/job.yaml Normal file
View File

@ -0,0 +1,65 @@
suite: actions template | job
release:
name: gitea-unittests
namespace: testing
chart:
# Override appVersion to have a pinned version for comparison
appVersion: 1.19.3
templates:
- templates/gitea/act_runner/job.yaml
tests:
- it: renders a Job
template: templates/gitea/act_runner/job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Job
apiVersion: batch/v1
name: gitea-unittests-actions-token-job
- equal:
path: spec.template.spec.containers[0].image
value: "gitea/gitea:1.19.3-rootless"
- it: tag override
template: templates/gitea/act_runner/job.yaml
set:
image.tag: "1.19.4"
actions:
enabled: true
provisioning:
enabled: true
publish:
tag: "1.29.0"
persistence:
enabled: true
mount: true
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "gitea/gitea:1.19.4-rootless"
- equal:
path: spec.template.spec.containers[1].image
value: "bitnami/kubectl:1.29.0"
- it: doesn't renders a Job by default
template: templates/gitea/act_runner/job.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
template: templates/gitea/act_runner/job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
asserts:
- hasDocuments:
count: 0

42
unittests/act_runner/role-job.yaml Normal file
View File

@ -0,0 +1,42 @@
suite: actions template | role-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/role-job.yaml
tests:
- it: doesn't renders a Role by default
template: templates/gitea/act_runner/role-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a Role
template: templates/gitea/act_runner/role-job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a Role when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/role-job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

42
unittests/act_runner/rolebinding-job.yaml Normal file
View File

@ -0,0 +1,42 @@
suite: actions template | rolebinding-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/rolebinding-job.yaml
tests:
- it: doesn't renders a RoleBinding by default
template: templates/gitea/act_runner/rolebinding-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a RoleBinding
template: templates/gitea/act_runner/rolebinding-job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/rolebinding-job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

42
unittests/act_runner/secret-token.yaml Normal file
View File

@ -0,0 +1,42 @@
suite: actions template | secret-token
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/secret-token.yaml
tests:
- it: doesn't renders a Secret by default
template: templates/gitea/act_runner/secret-token.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a Secret
template: templates/gitea/act_runner/secret-token.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-actions-token
- it: doesn't renders a Secret when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/secret-token.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

42
unittests/act_runner/serviceaccount-job.yaml Normal file
View File

@ -0,0 +1,42 @@
suite: actions template | serviceaccount-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/serviceaccount-job.yaml
tests:
- it: doesn't renders a ServiceAccount by default
template: templates/gitea/act_runner/serviceaccount-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a ServiceAccount
template: templates/gitea/act_runner/serviceaccount-job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceAccount
apiVersion: v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/serviceaccount-job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

95
unittests/act_runner/statefulset.yaml Normal file
View File

@ -0,0 +1,95 @@
suite: actions template | statefulset
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/statefulset.yaml
tests:
- it: doesn't renders a StatefulSet by default
template: templates/gitea/act_runner/statefulset.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a StatefulSet (with given existingSecret/existingSecretKey)
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
existingSecret: "my-secret"
existingSecretKey: "my-secret-key"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[3]
value:
name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "my-secret"
key: "my-secret-key"
- it: renders a StatefulSet (with secret reference defaults for enabled provisioning)
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[3]
value:
name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "gitea-unittests-actions-token"
key: "token"
- it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
existingSecret: "my-secret"
existingSecretKey: "my-secret-key"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[4]
value:
name: GITEA_INSTANCE_URL
value: "http://gitea-unittests-http:3000"
- it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL)
template: templates/gitea/act_runner/statefulset.yaml
set:
gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
actions:
enabled: true
existingSecret: "my-secret"
existingSecretKey: "my-secret-key"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[4]
value:
name: GITEA_INSTANCE_URL
value: "http://git.example.com"

61
unittests/config/actions-config.yaml Normal file
View File

@ -0,0 +1,61 @@
suite: config template | actions config
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/config.yaml
tests:
- it: "actions are not enabled by default"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
equal:
path: stringData.actions
value: |-
ENABLED=false
- it: "actions can be enabled via inline config"
template: templates/gitea/config.yaml
set:
gitea.config.actions.ENABLED: true
asserts:
- documentIndex: 0
equal:
path: stringData.actions
value: |-
ENABLED=true
- it: "actions can be enabled via dedicated values object"
template: templates/gitea/config.yaml
set:
actions:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.actions
value: |-
ENABLED=true
- it: "defines LOCAL_ROOT_URL when actions are enabled"
template: templates/gitea/config.yaml
set:
actions:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000
- it: "respects custom LOCAL_ROOT_URL, even when actions are enabled"
template: templates/gitea/config.yaml
set:
actions:
enabled: true
gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nLOCAL_ROOT_URL=http://git.example.com

90
values.yaml
View File

@ -348,6 +348,96 @@ signing:
# -----END PGP PRIVATE KEY BLOCK-----
existingSecret: ""
# Configure Gitea Actions
# - must enable persistence if the job is enabled
## @section Gitea Actions
#
## @param actions.enabled Create an act runner StatefulSet.
## @param actions.init.image.repository The image used for the init containers
## @param actions.init.image.tag The image tag used for the init containers
## @param actions.statefulset.annotations Act runner annotations
## @param actions.statefulset.labels Act runner labels
## @param actions.statefulset.resources Act runner resources
## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
## @param actions.statefulset.tolerations Tolerations for the statefulset
## @param actions.statefulset.affinity Affinity for the statefulset
## @param actions.statefulset.actRunner.repository The Gitea act runner image
## @param actions.statefulset.actRunner.tag The Gitea act runner tag
## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
## @param actions.statefulset.dind.repository The Docker-in-Docker image
## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
## @param actions.provisioning.annotations Job's annotations
## @param actions.provisioning.labels Job's labels
## @param actions.provisioning.resources Job's resources
## @param actions.provisioning.nodeSelector NodeSelector for the job
## @param actions.provisioning.tolerations Tolerations for the job
## @param actions.provisioning.affinity Affinity for the job
## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
## @param actions.provisioning.publish.repository The image that can create the secret via kubectl
## @param actions.provisioning.publish.tag The publish image tag that can create the secret
## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
## @param actions.existingSecret Secret that contains the token
## @param actions.existingSecretKey Secret key
actions:
enabled: false
statefulset:
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
actRunner:
repository: gitea/act_runner
tag: 0.2.11
pullPolicy: IfNotPresent
config: |
log:
level: debug
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"
dind:
repository: docker
tag: 25.0.2-dind
pullPolicy: IfNotPresent
init:
image:
repository: busybox
# Overrides the image tag whose default is the chart appVersion.
tag: "1.36.1"
provisioning:
enabled: false
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
publish:
repository: bitnami/kubectl
tag: 1.29.0
pullPolicy: IfNotPresent
ttlSecondsAfterFinished: 300
## Specify an existing token secret
##
existingSecret: ""
existingSecretKey: ""
## @section Gitea
#
gitea: