create initial secrets before app.ini removal

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -39,5 +39,3 @@
 
 - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
 - [ ] Breaking changes are documented in the `README.md`
-- [ ] Templating unittests are added
-- [ ] All added template resources MUST render a namespace in metadata

.gitea/workflows/release-version.yml

@@ -5,37 +5,24 @@ on:
     tags:
       - "*"
 
-env:
-  # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.16.3"
-
 jobs:
   generate-chart-publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       - name: install tools
         run: |
           apt update -y
-          apt install -y curl ca-certificates curl gnupg
-          # helm
-          curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-          tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-          mv linux-amd64/helm /usr/local/bin/
-          rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
-          helm version
-          # docker
-          install -m 0755 -d /etc/apt/keyrings
-          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-          chmod a+r /etc/apt/keyrings/docker.gpg
-          echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+          apt install -y curl
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
           apt update -y
-          apt install -y python3 python3-pip apt-transport-https docker-ce-cli
+          apt install -y python helm python3-pip apt-transport-https
           pip install awscli
 
       - name: Import GPG key
         id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
         with:
           gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
           passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@@ -44,22 +31,18 @@ jobs:
       # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
       - name: package chart
         run: |
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
           # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
           helm plugin install https://github.com/pat-s/helm-gpg
-          helm dependency build
+          helm dependency update
           helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
           mkdir gitea
           mv gitea*.tgz gitea/
-          curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
-          helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
-          # push to dockerhub
-          echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
-          helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
-          helm registry logout registry-1.docker.io
+          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
       - name: aws credential configure
-        uses: https://github.com/aws-actions/configure-aws-credentials@v4
+        uses: https://github.com/aws-actions/configure-aws-credentials@v2
         with:
           aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.gitea/workflows/test-pr.yml

@@ -1,37 +1,32 @@
 name: check-and-test
 
 on:
-  pull_request:
-    branches:
-      - "*"
-  push:
-    branches:
-      - main
-      - "renovate/**"
-
-env:
-  # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v0.7.0"
+  - pull_request
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.16.3
     steps:
+      - uses: actions/checkout@v3
       - name: install tools
         run: |
-          apk update
-          apk add --update make nodejs npm yamllint
-      - uses: actions/checkout@v4
-      - name: install chart dependencies
-        run: helm dependency build
+          apt update -y
+          apt install -y curl make
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y helm python3-pip
+          pip install yamllint
+      - name: dependency update
+        run: helm dependency update
       - name: lint
         run: helm lint
       - name: template
-        run: helm template --debug gitea-helm .
+        run: |
+          helm template --debug gitea-helm .
       - name: unit tests
         run: |
-          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          helm plugin install --version 0.3.1 https://github.com/helm-unittest/helm-unittest
           make unittests
       - name: verify readme
         run: |

.helmignore

@@ -31,8 +31,3 @@ Makefile
 .drone.yml
 CONTRIBUTING.md
 unittests/
-.editorconfig
-.prettierignore
-.yamllint
-CODEOWNERS
-renovate.json5

.markdownlint.yaml

@@ -47,7 +47,7 @@ MD013:
   # Number of characters
   line_length: 200
   # Number of characters for headings
-  heading_line_length: 100
+  heading_line_length: 80
   # Number of characters for code blocks
   code_block_line_length: 80
   # Include code blocks
@@ -73,7 +73,7 @@ MD022:
 # MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
 MD024:
   # Only check sibling headings
-  siblings_only: true
+  allow_different_nesting: true
 
 # MD025/single-title/single-h1 - Multiple top-level headings in the same document
 MD025:
@@ -106,7 +106,7 @@ MD030:
 # MD033/no-inline-html - Inline HTML
 MD033:
   # Allowed elements
-  allowed_elements: [details, summary]
+  allowed_elements: []
 
 # MD035/hr-style - Horizontal rule style
 MD035:

.vscode/extensions.json

@@ -1,8 +0,0 @@
-{
-    "recommendations": [
-        "yzhang.markdown-all-in-one",
-        "DavidAnson.vscode-markdownlint",
-        "Tim-Koehler.helm-intellisense",
-        "esbenp.prettier-vscode"
-    ]
-  }

.vscode/settings.json

@@ -1,8 +0,0 @@
-{
-    "yaml.schemas": {
-        "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.0/schema/helm-testsuite.json": [
-            "/unittests/**/*.yaml"
-        ]
-    },
-    "yaml.schemaStore.enable": true
-}

CODEOWNERS

@@ -1 +0,0 @@
-* @justusbunsi @pat-s

CONTRIBUTING.md

@@ -9,16 +9,21 @@ refactorings for easier maintainability or documentation improvements.
 - [`helm`](https://helm.sh/docs/intro/install/)
 - `make` is optional; you may call the commands directly
 
-When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
+When using Visual Studio Code as IDE, following plugins might be useful:
+
+- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
+- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
+- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
+- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
 
 ## Documentation Requirements
 
-The `README.md` must include all configuration options.
-The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+The `README.md` must include all configuration options. The parameters section
+is generated by extracting the parameter annotations from the `values.yaml` file,
+by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
 
-If changes were made on configuration options, run `make readme` to update the README file.
-
-The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
+If changes were made on configuration options, run `make readme` to update the
+README file.
 
 ## Pull Request Requirements
 
@@ -36,15 +41,16 @@ For local development and testing of pull requests, the following workflow can
 be used:
 
 1. Install `minikube` and `helm`.
-1. Start a `minikube` cluster via `minikube start`.
-1. From the `gitea/helm-chart` directory execute the following command.
-   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
-   If you want to test a branch, make sure to switch to the respective branch first.
-   `helm install --dependency-update gitea . -f values.yaml`.
-1. Gitea is now deployed in `minikube`.
-   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
-default port-forward svc/gitea-http 3000:3000`.
-   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
+2. Start a `minikube` cluster via `minikube start`.
+3. From the `gitea/helm-chart` directory execute the following command. This
+   will install the dependencies listed in `Chart.yml` and deploy the current
+   state of the helm chart found locally. If you want to test a branch, make
+   sure to switch to the respective branch first.
+  `helm install --dependency-update gitea . -f values.yaml`.
+4. Gitea is now deployed in `minikube`. To access it, it's port needs to be
+   forwarded first from `minikube` to localhost first via `kubectl --namespace
+   default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
+   [http://localhost:3000](http://localhost:3000).
 
 ### Unit tests
 
@@ -55,11 +61,3 @@ $ helm plugin install https://github.com/helm-unittest/helm-unittest
 # run the unittests
 make unittests
 ```
-
-See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
-
-## Release process
-
-1. Create a tag following the tagging schema
-1. Push the tag
-1. Let CI do it's work

Chart.lock

@@ -1,15 +1,9 @@
 dependencies:
+- name: memcached
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 6.3.14
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.5.38
-- name: postgresql-ha
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 14.3.10
-- name: redis-cluster
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.3.0
-- name: redis
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.6.4
-digest: sha256:462d513ac8ef7abfe26030fd2ea93eb79df167a861ebe09d6c58c7dcd5601e85
-generated: "2024-11-30T00:41:29.178889496Z"
+  version: 12.4.1
+digest: sha256:02d4846bf416038a42658dbca8f8001d0e3ce967b00e990048f8d420065c33fd
+generated: "2023-04-28T09:32:05.295167+02:00"

Chart.yaml

@@ -3,9 +3,8 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.22.4
-icon: https://gitea.com/assets/img/logo.svg
+appVersion: 1.19.3
+icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
   - git
@@ -32,24 +31,16 @@ maintainers:
   - name: Patrick Schratz
     email: patrick.schratz@gmail.com
 
+# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql
+  # OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
+  # Chart release date: 2023-04
+  - name: memcached
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 6.3.14
+    condition: memcached.enabled
+  # Chart release date: 2023-04
   - name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 15.5.38
+    version: 12.4.1
     condition: postgresql.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
-  - name: postgresql-ha
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 14.3.10
-    condition: postgresql-ha.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
-  - name: redis-cluster
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 10.3.0
-    condition: redis-cluster.enabled
-  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
-  - name: redis
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 19.6.4
-    condition: redis.enabled

Makefile

@@ -9,9 +9,4 @@ readme: prepare-environment
 
 .PHONY: unittests
 unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' -f 'unittests/values-conflicting-checks.yaml' ./
-
-.PHONY: helm
-update-helm-dependencies:
-	helm dependency update
-  
+	helm unittest --strict -f 'unittests/**/*.yaml' ./

docs/ha-setup.md

@@ -1,178 +0,0 @@
-# High Availability
-
-All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
-The following document explains how to achieve this for all individual components.
-
-The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
-One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
-For production instances, HA is always recommended to increase uptime and have a frictionless update process.
-
-A general comment about chart dependencies and external services:
-Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
-Many cloud providers offer such services, at least for databases or in-memory databases.
-They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
-Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
-Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
-
-This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
-Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
-As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
-
-## Requirements for HA
-
-Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
-In addition, the following components are required for full HA-readiness:
-
-- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
-- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
-- A HA-ready cache (`redis-cluster`)
-- A HA-ready DB
-
-`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
-The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
-
-The following sections discuss each of the components in more detail.
-Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
-We try to optimize this document over time as we have gained more experience with HA setups from users.
-
-## Indexers (Issues and code/repo)
-
-The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
-Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
-Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
-
-Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
-This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
-An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
-
-To configure `meilisearch` within Gitea, do the following:
-
-```yml
-gitea:
-  config:
-    indexer:
-      ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
-      ISSUE_INDEXER_ENABLED: true
-      ISSUE_INDEXER_TYPE: meilisearch
-      REPO_INDEXER_ENABLED: false
-      # REPO_INDEXER_TYPE: meilisearch # not yet working
-```
-
-Unfortunately `meilisearch` cannot be deployed in HA as of now.
-Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
-
-Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
-
-```yaml
-persistence:
-  enabled: true
-  accessMode: ReadWriteOnce
-  size: 5Gi
-```
-
-## Cache, session and queue
-
-A `redis` instance is required for the in-memory cache.
-Two options exist:
-
-- `redis`
-- `redis-cluster`
-
-The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
-You're also welcome to go with `redis` if you prefer or already have a running instance.
-
-It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
-You can also configure an external (managed) `redis` instance to be used.
-To do so, you need to set the following configuration values yourself:
-
-- `gitea.config.queue.TYPE`: redis`
-- `gitea.config.queue.CONN_STR`: `<your redis connection string>`
-
-- `gitea.config.session.PROVIDER`: `redis`
-- `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
-
-- `gitea.config.cache.ENABLED`: `true`
-- `gitea.config.cache.ADAPTER`: `redis`
-- `gitea.config.cache.HOST`: `<your redis connection string>`
-
-By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
-To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
-Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
-For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
-
-## Object and asset storage
-
-Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
-While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
-
-By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
-This volume cannot be mounted by multiple pods.
-Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
-
-> **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
-
-To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
-
-Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
-It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
-
-```yaml
-gitea:
-  config:
-    attachment:
-      STORAGE_TYPE: minio
-    lfs:
-      STORAGE_TYPE: minio
-    picture:
-      AVATAR_STORAGE_TYPE: minio
-    "storage.packages":
-      STORAGE_TYPE: minio
-
-    storage:
-      MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
-      MINIO_LOCATION: <location>
-      MINIO_ACCESS_KEY_ID: <access key>
-      MINIO_SECRET_ACCESS_KEY: <secret key>
-      MINIO_BUCKET: <bucket name>
-      MINIO_USE_SSL: false
-```
-
-Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
-
-```yaml
-auth:
-  rootUser: minio
-mode: distributed
-replicaCount: 4
-persistence:
-  enabled: true
-  size: 20Gi
-  accessModes:
-    - ReadWriteOnce
-```
-
-## Database
-
-If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
-Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
-
-```yml
-gitea:
-  database:
-    builtIn:
-      postgresql:
-        enabled: false
-  config:
-    database:
-      DB_TYPE: postgres
-      HOST: <host>
-      NAME: <name>
-      USER: <user>
-```
-
-## Known issues
-
-- Currently Cron jobs are run on all replicas as no leader election is implemented.
-  See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
-
-- Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases. 

package.json

@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
-    "markdownlint-cli": "^0.43.0"
+    "markdownlint-cli": "^0.34.0"
   }
 }

readme-actions-dev.md

@@ -1,34 +0,0 @@
-# Gitea Actions
-
-In order to use the Gitea Actions act-runner you must either:
-
-- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
-- create a secret containing the act runner token and reference it as a `existingSecret`
-
-In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
-    `gitea actions generate-runner-token`
-
-This command will out a token that is needed by the act-runner to register with the Gitea backend.
-
-Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
-
-1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
-2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
-the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
-
-After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
-
-1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
-2) `dind`: DockerInDocker image that is used to run the actions
-
-If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
-In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
-the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
-
-```yaml
-actions:
-  provisioning:
-    enabled: false
-  existingSecret: "secret-name"
-  existingSecretKey: "secret-key"
-```

renovate.json5

@@ -1,94 +0,0 @@
-{
-  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
-  extends: [
-    'gitea>gitea/renovate-config',
-    ':automergeMinor',
-    'schedule:automergeDaily',
-    'schedule:weekends',
-  ],
-  labels: [
-    'kind/dependency',
-  ],
-  automergeStrategy: 'squash',
-  customManagers: [
-    {
-      description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions',
-      customType: 'regex',
-      fileMatch: [
-        '.gitea/workflows/.+\\.ya?ml$',
-      ],
-      matchStrings: [
-        '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?<currentValue>.+?)["\']?\\s',
-      ],
-    },
-    {
-      description: 'Detect helm-unittest yaml schema file',
-      customType: 'regex',
-      fileMatch: ['.vscode/settings\\.json$'],
-      matchStrings: [
-        'https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json',
-      ],
-      datasourceTemplate: 'github-releases',
-    },
-    {
-      'description': 'Automatically detect new Gitea releases',
-      'customType': 'regex',
-      'fileMatch': ['(^|/)Chart\\.yaml$'],
-      'matchStrings': [
-        '# renovate datasource=(?<datasource>\\S+) depName=(?<depName>\\S+) extractVersion=(?<extractVersion>\\S+)\\nappVersion:\\s?(?<currentValue>\\S+)\\n',
-      ],
-    },
-  ],
-  packageRules: [
-    {
-      groupName: 'subcharts (minor & patch)',
-      matchManagers: [
-        'helmv3',
-      ],
-      matchUpdateTypes: [
-        'minor',
-        'patch',
-        'digest',
-      ],
-    },
-    {
-      groupName: 'workflow dependencies (minor & patch)',
-      matchManagers: [
-        'github-actions',
-        'npm',
-        'custom.regex',
-      ],
-      matchUpdateTypes: [
-        'minor',
-        'patch',
-        'digest',
-      ],
-      matchFileNames: [
-        '!Chart.yaml',
-      ],
-    },
-    {
-      description: 'Update README.md on changes in values.yaml',
-      matchManagers: [
-        'helm-values',
-      ],
-      postUpgradeTasks: {
-        commands: [
-          'install-tool node',
-          'make readme',
-        ],
-        fileFilters: [
-          'README.md',
-        ],
-        executionMode: 'update',
-      },
-    },
-    {
-      description: 'Override changelog url for Helm image, to have release notes in our PRs',
-      matchDepNames: [
-        'alpine/helm',
-      ],
-      changelogUrl: 'https://github.com/helm/helm',
-    },
-  ],
-}

scripts/token.sh

@@ -1,43 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-timeout_delay=15
-
-check_token() {
-  set +e
-
-  echo "Checking for existing token..."
-  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
-  [ $? -ne 0 ] && return 1
-  [ -z "$token" ] && return 2
-  return 0
-}
-
-create_token() {
-  echo "Waiting for new token to be generated..."
-  begin=$(date +%s)
-  end=$((begin + timeout_delay))
-  while true; do
-    [ -f /data/actions/token ] && return 0
-    [ "$(date +%s)" -gt $end ] && return 1
-    sleep 5
-  done
-}
-
-store_token() {
-  echo "Storing the token in Kubernetes secret..."
-  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
-}
-
-if check_token; then
-  echo "Key already in place, exiting."
-  exit
-fi
-
-if ! create_token; then
-  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
-  exit 1
-fi
-
-store_token

templates/NOTES.txt

@@ -18,19 +18,3 @@
   echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
 {{- end }}
-{{- $warnings := list -}}
-{{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}}
-  {{- $warnings = append $warnings "Gitea uses 'memory' for caching which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#cache-cache for available options." -}}
-{{- end }}
-{{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}}
-  {{- $warnings = append $warnings "Gitea uses 'leveldb' for queue actions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#queue-queue-and-queue for available options." -}}
-{{- end }}
-{{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}}
-  {{- $warnings = append $warnings "Gitea uses 'memory' for sessions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#session-session for available options." -}}
-{{- end }}
-{{- if gt (len $warnings) 0 }}
-2. Review these warnings:
-{{- range $warnings }}
-  - {{ . }}
-{{- end }}
-{{- end }}

templates/_helpers.tpl

@@ -2,7 +2,6 @@
 {{/*
 Expand the name of the chart.
 */}}
-
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@@ -25,13 +24,6 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
-{{/*
-Create a default worker name.
-*/}}
-{{- define "gitea.workername" -}}
-{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -43,22 +35,14 @@ Create chart name and version as used by the chart label.
 Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
-{{- $fullOverride := .Values.image.fullOverride | default "" -}}
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
-{{- $repository := .Values.image.repository -}}
-{{- $separator := ":" -}}
-{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
+{{- $name := .Values.image.repository -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
-{{- $digest := "" -}}
-{{- if .Values.image.digest }}
-    {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
-{{- end -}}
-{{- if $fullOverride }}
-    {{- printf "%s" $fullOverride -}}
-{{- else if $registry }}
-    {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
+{{- if $registry -}}
+  {{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}}
 {{- else -}}
-    {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
+  {{- printf "%s:%s%s" $name $tag $rootless -}}
 {{- end -}}
 {{- end -}}
 
@@ -81,7 +65,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
+{{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@@ -99,15 +83,6 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
-{{- define "gitea.labels.actRunner" -}}
-helm.sh/chart: {{ include "gitea.chart" . }}
-app: {{ include "gitea.name" . }}-act-runner
-{{ include "gitea.selectorLabels.actRunner" . }}
-app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
 {{/*
 Selector labels
 */}}
@@ -116,51 +91,16 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
-{{- define "gitea.selectorLabels.actRunner" -}}
-app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end -}}
-
-{{- define "postgresql-ha.dns" -}}
-{{- if (index .Values "postgresql-ha").enabled -}}
-{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
-{{- end -}}
-{{- end -}}
-
 {{- define "postgresql.dns" -}}
-{{- if (index .Values "postgresql").enabled -}}
 {{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
 {{- end -}}
-{{- end -}}
 
-{{- define "redis.dns" -}}
-{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
-{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
-{{- else if (index .Values "redis-cluster").enabled -}}
-{{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
-{{- else if (index .Values "redis").enabled -}}
-{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "redis.port" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
-{{ (index .Values "redis-cluster").service.ports.redis }}
-{{- else if (index .Values "redis").enabled -}}
-{{ (index .Values "redis").master.service.ports.redis }}
-{{- end -}}
-{{- end -}}
-
-{{- define "redis.servicename" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
-{{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
-{{- else if (index .Values "redis").enabled -}}
-{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
-{{- end -}}
+{{- define "memcached.dns" -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.ports.memcached | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
-{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
+{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
@@ -220,15 +160,6 @@ https
 {{- end -}}
 {{- end -}}
 
-{{- define "gitea.act_runner.local_root_url" -}}
-{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
-    {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
-{{- else -}}
-  {{/* fallback for allowing to overwrite this value via inline config */}}
-  {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
-{{- end -}}
-{{- end -}}
-
 {{- define "gitea.inline_configuration" -}}
   {{- include "gitea.inline_configuration.init" . -}}
   {{- include "gitea.inline_configuration.defaults" . -}}
@@ -251,7 +182,6 @@ https
       {{- else -}}
         {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
       {{- end -}}
-
     {{- end }}
   {{- end }}
 
@@ -281,21 +211,6 @@ https
   {{- if not (hasKey .Values.gitea.config "oauth2") -}}
     {{- $_ := set .Values.gitea.config "oauth2" dict -}}
   {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "session") -}}
-    {{- $_ := set .Values.gitea.config "session" dict -}}
-  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "queue") -}}
-    {{- $_ := set .Values.gitea.config "queue" dict -}}
-  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "queue.issue_indexer") -}}
-    {{- $_ := set .Values.gitea.config "queue.issue_indexer" dict -}}
-  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "indexer") -}}
-    {{- $_ := set .Values.gitea.config "indexer" dict -}}
-  {{- end -}}
-  {{- if not (hasKey .Values.gitea.config "actions") -}}
-    {{- $_ := set .Values.gitea.config "actions" dict -}}
-  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults" -}}
@@ -311,42 +226,12 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
-  {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
-    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
-  {{- end -}}
-  {{- /* redis queue */ -}}
-  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
-    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
-    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
-    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
-    {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
-    {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
-  {{- else -}}
-    {{- if not (get .Values.gitea.config.session "PROVIDER") -}}
-      {{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}}
+  {{- if .Values.memcached.enabled -}}
+    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+    {{- if not (.Values.gitea.config.cache.HOST) -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
     {{- end -}}
-    {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
-      {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" "" -}}
-    {{- end -}}
-    {{- if not (get .Values.gitea.config.queue "TYPE") -}}
-      {{- $_ := set .Values.gitea.config.queue "TYPE" "level" -}}
-    {{- end -}}
-    {{- if not (get .Values.gitea.config.queue "CONN_STR") -}}
-      {{- $_ := set .Values.gitea.config.queue "CONN_STR" "" -}}
-    {{- end -}}
-    {{- if not (get .Values.gitea.config.cache "ADAPTER") -}}
-      {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memory" -}}
-    {{- end -}}
-    {{- if not (get .Values.gitea.config.cache "HOST") -}}
-      {{- $_ := set .Values.gitea.config.cache "HOST" "" -}}
-    {{- end -}}
-  {{- end -}}
-  {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
-     {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
-  {{- end -}}
-  {{- if not .Values.gitea.config.actions.ENABLED -}}
-     {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
   {{- end -}}
 {{- end -}}
 
@@ -359,7 +244,7 @@ https
   {{- end -}}
   {{- if not (.Values.gitea.config.server.DOMAIN) -}}
     {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
     {{- else -}}
       {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
     {{- end -}}
@@ -367,9 +252,6 @@ https
   {{- if not .Values.gitea.config.server.ROOT_URL -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
   {{- end -}}
-  {{- if .Values.actions.enabled -}}
-     {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
-  {{- end -}}
   {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
     {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
   {{- end -}}
@@ -397,16 +279,7 @@ https
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults.database" -}}
-  {{- if (index .Values "postgresql-ha" "enabled") -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql-ha.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      (index .Values "postgresql-ha" "global" "postgresql" "database") -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      (index .Values "postgresql-ha" "global" "postgresql" "username") -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    (index .Values "postgresql-ha" "global" "postgresql" "password") -}}
-  {{- end -}}
-  {{- if (index .Values "postgresql" "enabled") -}}
+  {{- if .Values.postgresql.enabled -}}
     {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
     {{- if not (.Values.gitea.config.database.HOST) -}}
       {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
@@ -438,37 +311,3 @@ https
 {{- define "gitea.gpg-key-secret-name" -}}
 {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
 {{- end -}}
-
-{{- define "gitea.serviceAccountName" -}}
-{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
-{{- end -}}
-
-{{- define "gitea.admin.passwordMode" -}}
-{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
-{{ .Values.gitea.admin.passwordMode }}
-{{- else -}}
-{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
-{{- end -}}
-{{- end -}}
-
-{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
-{{- define "gitea.deployment.probe" -}}
-  {{- $probe := unset . "enabled" -}}
-  {{- $probeKeys := keys $probe -}}
-  {{- $containsCustomMethod := false -}}
-  {{- $chartDefaultMethod := "tcpSocket" -}}
-  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
-  {{- range $probeKeys -}}
-    {{- if has . $nonChartDefaultMethods -}}
-      {{- $containsCustomMethod = true -}}
-    {{- end -}}
-  {{- end -}}
-  {{- if $containsCustomMethod -}}
-    {{- $probe = unset . $chartDefaultMethod -}}
-  {{- end -}}
-  {{- toYaml $probe -}}
-{{- end -}}
-
-{{- define "gitea.metrics-secret-name" -}}
-{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
-{{- end -}}

templates/gitea/act_runner/01-consistency-checks.yaml

@@ -1,15 +0,0 @@
-{{- if .Values.actions.enabled -}}
-    {{- if .Values.actions.provisioning.enabled -}}
-        {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
-            {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
-        {{- end -}}
-        {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
-            {{- if .Values.actions.existingSecret -}}
-                {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
-            {{- end -}}
-        {{- end -}}
-    {{- end -}}
-    {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
-        {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
-    {{- end -}}
-{{- end -}}

templates/gitea/act_runner/config-act-runner.yaml

@@ -1,15 +0,0 @@
-{{- if .Values.actions.enabled }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "gitea.fullname" . }}-act-runner-config
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-data:
-  config.yaml: |
-    {{- with .Values.actions.statefulset.actRunner.config -}}
-    {{ . | nindent 4}}
-    {{- end -}}
-{{- end }}

templates/gitea/act_runner/config-scripts.yaml

@@ -1,14 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "gitea.fullname" . }}-scripts
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-data:
-{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
-{{- end }}
-{{- end }}

templates/gitea/act_runner/job.yaml

@@ -1,115 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ $name }}
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    {{- with .Values.actions.provisioning.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-    app.kubernetes.io/component: token-job
-  annotations:
-    {{- with .Values.actions.provisioning.annotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
-  template:
-    metadata:
-      labels:
-        {{- include "gitea.labels" . | nindent 8 }}
-        {{- with .Values.actions.provisioning.labels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        app.kubernetes.io/component: token-job
-    spec:
-      initContainers:
-        - name: init-gitea
-          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
-          command:
-            - sh
-            - -c
-            - |
-              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
-                sleep 5
-              done
-      containers:
-        - name: actions-token-create
-          image: "{{ include "gitea.image" . }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
-            - name: GITEA_APP_INI
-              value: /data/gitea/conf/app.ini
-          command:
-            - sh
-            - -c
-            - |
-              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
-              mkdir -p /data/actions/
-              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
-          resources:
-            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
-          volumeMounts:
-            - name: data
-              mountPath: /data
-              {{- if .Values.persistence.subPath }}
-              subPath: {{ .Values.persistence.subPath }}
-              {{- end }}
-        - name: actions-token-upload
-          image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
-          imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
-          env:
-            - name: SECRET_NAME
-              value: {{ $secretName }}
-          command:
-            - sh
-            - -c
-            - |
-              printf "Checking rights to update kubernetes act_runner secret..."
-              kubectl auth can-i update secret/${SECRET_NAME}
-              /scripts/token.sh
-          resources:
-            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
-          volumeMounts:
-            - mountPath: /scripts
-              name: scripts
-              readOnly: true
-            - mountPath: /data
-              name: data
-              readOnly: true
-              {{- if .Values.persistence.subPath }}
-              subPath: {{ .Values.persistence.subPath }}
-              {{- end }}
-      {{- with .Values.actions.provisioning.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.actions.provisioning.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.actions.provisioning.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      restartPolicy: Never
-      serviceAccount: {{ $name }}
-      volumes:
-        - name: scripts
-          configMap:
-            name: {{ include "gitea.fullname" . }}-scripts
-            defaultMode: 0755
-        - name: data
-          persistentVolumeClaim:
-            claimName: {{ .Values.persistence.claimName }}
-  parallelism: 1
-  completions: 1
-  backoffLimit: 1
-{{- end }}
-{{- end }}

templates/gitea/act_runner/role-job.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ $name }}
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    resourceNames:
-      - {{ $secretName }}
-    verbs:
-      - get
-      - update
-      - patch
-{{- end }}
-{{- end }}

templates/gitea/act_runner/rolebinding-job.yaml

@@ -1,23 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ $name }}
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ $name }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ $name }}
-    namespace: {{ .Release.Namespace }}
-{{- end }}
-{{- end }}

templates/gitea/act_runner/secret-token.yaml

@@ -1,20 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ $secretName }}
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
-{{ if $secret -}}
-data:
-  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
-{{ end -}}
-{{- end }}
-{{- end }}

templates/gitea/act_runner/serviceaccount-job.yaml

@@ -1,14 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ $name }}
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-  labels:
-    {{- include "gitea.labels" . | nindent 4 }}
-    app.kubernetes.io/component: token-job
-{{- end }}
-{{- end }}

templates/gitea/act_runner/statefulset.yaml

@@ -1,118 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  labels:
-    {{- include "gitea.labels.actRunner" . | nindent 4 }}
-    {{- with .Values.actions.statefulset.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  annotations:
-    {{- with .Values.actions.statefulset.annotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  name: {{ include "gitea.fullname" . }}-act-runner
-  namespace: {{ .Values.namespace | default .Release.Namespace }}
-spec:
-  selector:
-    matchLabels:
-      {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-        {{- include "gitea.labels.actRunner" . | nindent 8 }}
-        {{- with .Values.actions.statefulset.labels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      initContainers:
-        - name: init-gitea
-          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
-          command:
-            - sh
-            - -c
-            - |
-              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
-                sleep 5
-              done
-      containers:
-        - name: act-runner
-          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
-          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
-          workingDir: /data
-          env:
-            - name: DOCKER_HOST
-              value: tcp://127.0.0.1:2376
-            - name: DOCKER_TLS_VERIFY
-              value: "1"
-            - name: DOCKER_CERT_PATH
-              value: /certs/server
-            - name: GITEA_RUNNER_REGISTRATION_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Values.actions.existingSecret | default $secretName }}"
-                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
-            - name: GITEA_INSTANCE_URL
-              value: {{ include "gitea.act_runner.local_root_url" . }}
-            - name: CONFIG_FILE
-              value: /actrunner/config.yaml
-          resources:
-            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
-          volumeMounts:
-            - mountPath: /actrunner/config.yaml
-              name: act-runner-config
-              subPath: config.yaml
-            - mountPath: /certs/server
-              name: docker-certs
-            - mountPath: /data
-              name: data-act-runner
-        - name: dind
-          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
-          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
-          env:
-            - name: DOCKER_HOST
-              value: tcp://127.0.0.1:2376
-            - name: DOCKER_TLS_VERIFY
-              value: "1"
-            - name: DOCKER_CERT_PATH
-              value: /certs/server
-            {{- if .Values.actions.statefulset.dind.extraEnvs }}
-            {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
-            {{- end }}
-          securityContext:
-            privileged: true
-          resources:
-            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
-          volumeMounts:
-            - mountPath: /certs/server
-              name: docker-certs
-      {{- with .Values.actions.statefulset.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.actions.statefulset.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.actions.statefulset.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      volumes:
-        - name: act-runner-config
-          configMap:
-            name: {{ include "gitea.fullname" . }}-act-runner-config
-        - name: docker-certs
-          emptyDir: {}
-  volumeClaimTemplates:
-    - metadata:
-        name: data-act-runner
-      spec:
-        accessModes: [ "ReadWriteOnce" ]
-        {{- include "gitea.persistence.storageClass" . | nindent 8 }}
-        resources:
-          requests:
-            storage: 1Mi
-{{- end }}