Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
aec87c2490 | ||
|
|
e3db83e22b | ||
|
|
7cae9d3404 | ||
| 52153021e3 | |||
| 5f7d353901 | |||
|
|
389a8460e4 | ||
|
|
3bacaaad84 | ||
|
|
2be2e2a639 | ||
| 7b892431d6 | |||
|
|
f7c66c0336 |
@ -40,3 +40,4 @@
|
||||
- [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
|
||||
- [ ] Breaking changes are documented in the `README.md`
|
||||
- [ ] Templating unittests are added
|
||||
- [ ] All added template resources MUST render a namespace in metadata
|
||||
|
||||
@ -7,7 +7,7 @@ on:
|
||||
|
||||
env:
|
||||
# renovate: datasource=docker depName=alpine/helm
|
||||
HELM_VERSION: "3.15.3"
|
||||
HELM_VERSION: "3.16.3"
|
||||
|
||||
jobs:
|
||||
generate-chart-publish:
|
||||
|
||||
@ -11,12 +11,12 @@ on:
|
||||
|
||||
env:
|
||||
# renovate: datasource=github-releases depName=helm-unittest/helm-unittest
|
||||
HELM_UNITTEST_VERSION: "v0.5.2"
|
||||
HELM_UNITTEST_VERSION: "v0.7.0"
|
||||
|
||||
jobs:
|
||||
check-and-test:
|
||||
runs-on: ubuntu-latest
|
||||
container: alpine/helm:3.15.3
|
||||
container: alpine/helm:3.16.3
|
||||
steps:
|
||||
- name: install tools
|
||||
run: |
|
||||
|
||||
@ -31,3 +31,8 @@ Makefile
|
||||
.drone.yml
|
||||
CONTRIBUTING.md
|
||||
unittests/
|
||||
.editorconfig
|
||||
.prettierignore
|
||||
.yamllint
|
||||
CODEOWNERS
|
||||
renovate.json5
|
||||
|
||||
2
.vscode/settings.json
vendored
2
.vscode/settings.json
vendored
@ -1,6 +1,6 @@
|
||||
{
|
||||
"yaml.schemas": {
|
||||
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
|
||||
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.0/schema/helm-testsuite.json": [
|
||||
"/unittests/**/*.yaml"
|
||||
]
|
||||
},
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 15.5.20
|
||||
version: 15.5.38
|
||||
- name: postgresql-ha
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 14.2.16
|
||||
version: 14.3.10
|
||||
- name: redis-cluster
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 10.3.0
|
||||
- name: redis
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 19.6.4
|
||||
digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732
|
||||
generated: "2024-08-03T00:21:16.080925346Z"
|
||||
digest: sha256:462d513ac8ef7abfe26030fd2ea93eb79df167a861ebe09d6c58c7dcd5601e85
|
||||
generated: "2024-11-30T00:41:29.178889496Z"
|
||||
|
||||
@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
|
||||
type: application
|
||||
version: 0.0.0
|
||||
# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
|
||||
appVersion: 1.22.3
|
||||
appVersion: 1.22.4
|
||||
icon: https://gitea.com/assets/img/logo.svg
|
||||
|
||||
keywords:
|
||||
@ -36,12 +36,12 @@ dependencies:
|
||||
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql
|
||||
- name: postgresql
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 15.5.20
|
||||
version: 15.5.38
|
||||
condition: postgresql.enabled
|
||||
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
|
||||
- name: postgresql-ha
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 14.2.16
|
||||
version: 14.3.10
|
||||
condition: postgresql-ha.enabled
|
||||
# https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
|
||||
- name: redis-cluster
|
||||
|
||||
53
README.md
53
README.md
@ -30,6 +30,7 @@
|
||||
- [OAuth2 Settings](#oauth2-settings)
|
||||
- [Configure commit signing](#configure-commit-signing)
|
||||
- [Metrics and profiling](#metrics-and-profiling)
|
||||
- [Secure Metrics Endpoint](#secure-metrics-endpoint)
|
||||
- [Pod annotations](#pod-annotations)
|
||||
- [Themes](#themes)
|
||||
- [Renovate](#renovate)
|
||||
@ -45,6 +46,7 @@
|
||||
- [Persistence](#persistence-1)
|
||||
- [Init](#init)
|
||||
- [Signing](#signing)
|
||||
- [Gitea Actions](#gitea-actions)
|
||||
- [Gitea](#gitea)
|
||||
- [LivenessProbe](#livenessprobe)
|
||||
- [ReadinessProbe](#readinessprobe)
|
||||
@ -746,6 +748,21 @@ gitea:
|
||||
ENABLE_PPROF: true
|
||||
```
|
||||
|
||||
### Secure Metrics Endpoint
|
||||
|
||||
Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication.
|
||||
|
||||
**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`.
|
||||
|
||||
```yaml
|
||||
gitea:
|
||||
metrics:
|
||||
token: "secure-token"
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Pod annotations
|
||||
|
||||
Annotations can be added to the Gitea pod.
|
||||
@ -1007,6 +1024,41 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
||||
| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` |
|
||||
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
|
||||
|
||||
### Gitea Actions
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
|
||||
| `actions.enabled` | Create an act runner StatefulSet. | `false` |
|
||||
| `actions.init.image.repository` | The image used for the init containers | `busybox` |
|
||||
| `actions.init.image.tag` | The image tag used for the init containers | `1.37.0` |
|
||||
| `actions.statefulset.annotations` | Act runner annotations | `{}` |
|
||||
| `actions.statefulset.labels` | Act runner labels | `{}` |
|
||||
| `actions.statefulset.resources` | Act runner resources | `{}` |
|
||||
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
|
||||
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
|
||||
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
|
||||
| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
|
||||
| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` |
|
||||
| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
|
||||
| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
|
||||
| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
|
||||
| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
|
||||
| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
|
||||
| `actions.statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` |
|
||||
| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
|
||||
| `actions.provisioning.annotations` | Job's annotations | `{}` |
|
||||
| `actions.provisioning.labels` | Job's labels | `{}` |
|
||||
| `actions.provisioning.resources` | Job's resources | `{}` |
|
||||
| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` |
|
||||
| `actions.provisioning.tolerations` | Tolerations for the job | `[]` |
|
||||
| `actions.provisioning.affinity` | Affinity for the job | `{}` |
|
||||
| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` |
|
||||
| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
|
||||
| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
|
||||
| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
|
||||
| `actions.existingSecret` | Secret that contains the token | `""` |
|
||||
| `actions.existingSecretKey` | Secret key | `""` |
|
||||
|
||||
### Gitea
|
||||
|
||||
| Name | Description | Value |
|
||||
@ -1017,6 +1069,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
||||
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
|
||||
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
|
||||
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
|
||||
| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` |
|
||||
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` |
|
||||
| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` |
|
||||
| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
|
||||
|
||||
149
package-lock.json
generated
149
package-lock.json
generated
@ -8,7 +8,7 @@
|
||||
"license": "MIT",
|
||||
"devDependencies": {
|
||||
"@bitnami/readme-generator-for-helm": "^2.5.0",
|
||||
"markdownlint-cli": "^0.41.0"
|
||||
"markdownlint-cli": "^0.43.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=16.0.0",
|
||||
@ -48,16 +48,6 @@
|
||||
"node": ">=12"
|
||||
}
|
||||
},
|
||||
"node_modules/@pkgjs/parseargs": {
|
||||
"version": "0.11.0",
|
||||
"resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
|
||||
"integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==",
|
||||
"dev": true,
|
||||
"optional": true,
|
||||
"engines": {
|
||||
"node": ">=14"
|
||||
}
|
||||
},
|
||||
"node_modules/ansi-regex": {
|
||||
"version": "6.0.1",
|
||||
"resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz",
|
||||
@ -228,18 +218,6 @@
|
||||
"integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/get-stdin": {
|
||||
"version": "9.0.0",
|
||||
"resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz",
|
||||
"integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==",
|
||||
"dev": true,
|
||||
"engines": {
|
||||
"node": ">=12"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/sindresorhus"
|
||||
}
|
||||
},
|
||||
"node_modules/glob": {
|
||||
"version": "7.2.3",
|
||||
"resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
|
||||
@ -261,10 +239,11 @@
|
||||
}
|
||||
},
|
||||
"node_modules/ignore": {
|
||||
"version": "5.3.1",
|
||||
"resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz",
|
||||
"integrity": "sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==",
|
||||
"version": "6.0.2",
|
||||
"resolved": "https://registry.npmjs.org/ignore/-/ignore-6.0.2.tgz",
|
||||
"integrity": "sha512-InwqeHHN2XpumIkMvpl/DCJVrAHgCsG5+cn1XlnLWGwtZBm8QJfSusItfrwx81CTp5agNZqpKU2J/ccC5nGT4A==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
"node": ">= 4"
|
||||
}
|
||||
@ -310,22 +289,19 @@
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/jackspeak": {
|
||||
"version": "3.1.2",
|
||||
"resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.1.2.tgz",
|
||||
"integrity": "sha512-kWmLKn2tRtfYMF/BakihVVRzBKOxz4gJMiL2Rj91WnAB5TPZumSH99R/Yf1qE1u4uRimvCSJfm6hnxohXeEXjQ==",
|
||||
"version": "4.0.2",
|
||||
"resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.0.2.tgz",
|
||||
"integrity": "sha512-bZsjR/iRjl1Nk1UkjGpAzLNfQtzuijhn2g+pbZb98HQ1Gk8vM9hfbxeMBP+M2/UUdwj0RqGG3mlvk2MsAqwvEw==",
|
||||
"dev": true,
|
||||
"license": "BlueOak-1.0.0",
|
||||
"dependencies": {
|
||||
"@isaacs/cliui": "^8.0.2"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=14"
|
||||
"node": "20 || >=22"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/isaacs"
|
||||
},
|
||||
"optionalDependencies": {
|
||||
"@pkgjs/parseargs": "^0.11.0"
|
||||
}
|
||||
},
|
||||
"node_modules/js-yaml": {
|
||||
@ -341,10 +317,11 @@
|
||||
}
|
||||
},
|
||||
"node_modules/jsonc-parser": {
|
||||
"version": "3.2.1",
|
||||
"resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.1.tgz",
|
||||
"integrity": "sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==",
|
||||
"dev": true
|
||||
"version": "3.3.1",
|
||||
"resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz",
|
||||
"integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==",
|
||||
"dev": true,
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/jsonpointer": {
|
||||
"version": "5.0.1",
|
||||
@ -371,12 +348,13 @@
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/lru-cache": {
|
||||
"version": "10.2.2",
|
||||
"resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz",
|
||||
"integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==",
|
||||
"version": "11.0.2",
|
||||
"resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.0.2.tgz",
|
||||
"integrity": "sha512-123qHRfJBmo2jXDbo/a5YOQrJoHF/GNQTLzQ5+IdK5pWpceK17yRc6ozlWd25FxvGKQbIUs91fDFkXmDHTKcyA==",
|
||||
"dev": true,
|
||||
"license": "ISC",
|
||||
"engines": {
|
||||
"node": "14 || >=16.14"
|
||||
"node": "20 || >=22"
|
||||
}
|
||||
},
|
||||
"node_modules/markdown-it": {
|
||||
@ -410,13 +388,14 @@
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint": {
|
||||
"version": "0.34.0",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.34.0.tgz",
|
||||
"integrity": "sha512-qwGyuyKwjkEMOJ10XN6OTKNOVYvOIi35RNvDLNxTof5s8UmyGHlCdpngRHoRGNvQVGuxO3BJ7uNSgdeX166WXw==",
|
||||
"version": "0.36.1",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.36.1.tgz",
|
||||
"integrity": "sha512-s73fU2CQN7WCgjhaQUQ8wYESQNzGRNOKDd+3xgVqu8kuTEhmwepd/mxOv1LR2oV046ONrTLBFsM7IoKWNvmy5g==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"markdown-it": "14.1.0",
|
||||
"markdownlint-micromark": "0.1.9"
|
||||
"markdownlint-micromark": "0.1.12"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=18"
|
||||
@ -426,23 +405,22 @@
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli": {
|
||||
"version": "0.41.0",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.41.0.tgz",
|
||||
"integrity": "sha512-kp29tKrMKdn+xonfefjp3a/MsNzAd9c5ke0ydMEI9PR98bOjzglYN4nfMSaIs69msUf1DNkgevAIAPtK2SeX0Q==",
|
||||
"version": "0.43.0",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.43.0.tgz",
|
||||
"integrity": "sha512-6vwurKK4B21eyYzwgX6ph13cZS7hE6LZfcS8QyD722CyxVD2RtAvbZK2p7k+FZbbKORulEuwl+hJaEq1l6/hoQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"commander": "~12.1.0",
|
||||
"get-stdin": "~9.0.0",
|
||||
"glob": "~10.4.1",
|
||||
"ignore": "~5.3.1",
|
||||
"glob": "~11.0.0",
|
||||
"ignore": "~6.0.2",
|
||||
"js-yaml": "^4.1.0",
|
||||
"jsonc-parser": "~3.2.1",
|
||||
"jsonc-parser": "~3.3.1",
|
||||
"jsonpointer": "5.0.1",
|
||||
"markdownlint": "~0.34.0",
|
||||
"minimatch": "~9.0.4",
|
||||
"markdownlint": "~0.36.1",
|
||||
"minimatch": "~10.0.1",
|
||||
"run-con": "~1.3.2",
|
||||
"smol-toml": "~1.2.0"
|
||||
"smol-toml": "~1.3.1"
|
||||
},
|
||||
"bin": {
|
||||
"markdownlint": "markdownlint.js"
|
||||
@ -472,49 +450,51 @@
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli/node_modules/glob": {
|
||||
"version": "10.4.1",
|
||||
"resolved": "https://registry.npmjs.org/glob/-/glob-10.4.1.tgz",
|
||||
"integrity": "sha512-2jelhlq3E4ho74ZyVLN03oKdAZVUa6UDZzFLVH1H7dnoax+y9qyaq8zBkfDIggjniU19z0wU18y16jMB2eyVIw==",
|
||||
"version": "11.0.0",
|
||||
"resolved": "https://registry.npmjs.org/glob/-/glob-11.0.0.tgz",
|
||||
"integrity": "sha512-9UiX/Bl6J2yaBbxKoEBRm4Cipxgok8kQYcOPEhScPwebu2I0HoQOuYdIO6S3hLuWoZgpDpwQZMzTFxgpkyT76g==",
|
||||
"dev": true,
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
"foreground-child": "^3.1.0",
|
||||
"jackspeak": "^3.1.2",
|
||||
"minimatch": "^9.0.4",
|
||||
"jackspeak": "^4.0.1",
|
||||
"minimatch": "^10.0.0",
|
||||
"minipass": "^7.1.2",
|
||||
"path-scurry": "^1.11.1"
|
||||
"package-json-from-dist": "^1.0.0",
|
||||
"path-scurry": "^2.0.0"
|
||||
},
|
||||
"bin": {
|
||||
"glob": "dist/esm/bin.mjs"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=16 || 14 >=14.18"
|
||||
"node": "20 || >=22"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/isaacs"
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-cli/node_modules/minimatch": {
|
||||
"version": "9.0.4",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz",
|
||||
"integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==",
|
||||
"version": "10.0.1",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.0.1.tgz",
|
||||
"integrity": "sha512-ethXTt3SGGR+95gudmqJ1eNhRO7eGEGIgYA9vnPatK4/etz2MEVDno5GMCibdMTuBMyElzIlgxMna3K94XDIDQ==",
|
||||
"dev": true,
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
"brace-expansion": "^2.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=16 || 14 >=14.17"
|
||||
"node": "20 || >=22"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/isaacs"
|
||||
}
|
||||
},
|
||||
"node_modules/markdownlint-micromark": {
|
||||
"version": "0.1.9",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.9.tgz",
|
||||
"integrity": "sha512-5hVs/DzAFa8XqYosbEAEg6ok6MF2smDj89ztn9pKkCtdKHVdPQuGMH7frFfYL9mLkvfFe4pTyAMffLbjf3/EyA==",
|
||||
"version": "0.1.12",
|
||||
"resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.12.tgz",
|
||||
"integrity": "sha512-RlB6EwMGgc0sxcIhOQ2+aq7Zw1V2fBnzbXKGgYK/mVWdT7cz34fteKSwfYeo4rL6+L/q2tyC9QtD/PgZbkdyJQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
"node": ">=18"
|
||||
},
|
||||
@ -568,6 +548,13 @@
|
||||
"wrappy": "1"
|
||||
}
|
||||
},
|
||||
"node_modules/package-json-from-dist": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
|
||||
"integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
|
||||
"dev": true,
|
||||
"license": "BlueOak-1.0.0"
|
||||
},
|
||||
"node_modules/path-is-absolute": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
|
||||
@ -587,17 +574,17 @@
|
||||
}
|
||||
},
|
||||
"node_modules/path-scurry": {
|
||||
"version": "1.11.1",
|
||||
"resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz",
|
||||
"integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==",
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.0.tgz",
|
||||
"integrity": "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==",
|
||||
"dev": true,
|
||||
"license": "BlueOak-1.0.0",
|
||||
"dependencies": {
|
||||
"lru-cache": "^10.2.0",
|
||||
"minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
|
||||
"lru-cache": "^11.0.0",
|
||||
"minipass": "^7.1.2"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=16 || 14 >=14.18"
|
||||
"node": "20 || >=22"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/isaacs"
|
||||
@ -670,14 +657,16 @@
|
||||
}
|
||||
},
|
||||
"node_modules/smol-toml": {
|
||||
"version": "1.2.0",
|
||||
"resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.2.0.tgz",
|
||||
"integrity": "sha512-KObxdQANC/xje3OoatMbSwQf2XAvJ0RbK+4nmQRszFNZptbNRnMWqbLF/zb4sMi9xJ6HNyhWXeuZ9zC/I/XY7w==",
|
||||
"version": "1.3.1",
|
||||
"resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.3.1.tgz",
|
||||
"integrity": "sha512-tEYNll18pPKHroYSmLLrksq233j021G0giwW7P3D24jC54pQ5W5BXMsQ/Mvw1OJCmEYDgY+lrzT+3nNUtoNfXQ==",
|
||||
"dev": true,
|
||||
"license": "BSD-3-Clause",
|
||||
"engines": {
|
||||
"node": ">= 18",
|
||||
"pnpm": ">= 9"
|
||||
"node": ">= 18"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/cyyynthia"
|
||||
}
|
||||
},
|
||||
"node_modules/string-width": {
|
||||
|
||||
@ -14,6 +14,6 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@bitnami/readme-generator-for-helm": "^2.5.0",
|
||||
"markdownlint-cli": "^0.41.0"
|
||||
"markdownlint-cli": "^0.43.0"
|
||||
}
|
||||
}
|
||||
|
||||
34
readme-actions-dev.md
Normal file
34
readme-actions-dev.md
Normal file
@ -0,0 +1,34 @@
|
||||
# Gitea Actions
|
||||
|
||||
In order to use the Gitea Actions act-runner you must either:
|
||||
|
||||
- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
|
||||
- create a secret containing the act runner token and reference it as a `existingSecret`
|
||||
|
||||
In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
|
||||
`gitea actions generate-runner-token`
|
||||
|
||||
This command will out a token that is needed by the act-runner to register with the Gitea backend.
|
||||
|
||||
Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
|
||||
|
||||
1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
|
||||
2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
|
||||
the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
|
||||
|
||||
After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
|
||||
|
||||
1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
|
||||
2) `dind`: DockerInDocker image that is used to run the actions
|
||||
|
||||
If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
|
||||
In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
|
||||
the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
|
||||
|
||||
```yaml
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: false
|
||||
existingSecret: "secret-name"
|
||||
existingSecretKey: "secret-key"
|
||||
```
|
||||
@ -63,6 +63,25 @@
|
||||
'patch',
|
||||
'digest',
|
||||
],
|
||||
matchFileNames: [
|
||||
'!Chart.yaml',
|
||||
],
|
||||
},
|
||||
{
|
||||
description: 'Update README.md on changes in values.yaml',
|
||||
matchManagers: [
|
||||
'helm-values',
|
||||
],
|
||||
postUpgradeTasks: {
|
||||
commands: [
|
||||
'install-tool node',
|
||||
'make readme',
|
||||
],
|
||||
fileFilters: [
|
||||
'README.md',
|
||||
],
|
||||
executionMode: 'update',
|
||||
},
|
||||
},
|
||||
{
|
||||
description: 'Override changelog url for Helm image, to have release notes in our PRs',
|
||||
|
||||
43
scripts/token.sh
Normal file
43
scripts/token.sh
Normal file
@ -0,0 +1,43 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
timeout_delay=15
|
||||
|
||||
check_token() {
|
||||
set +e
|
||||
|
||||
echo "Checking for existing token..."
|
||||
token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
|
||||
[ $? -ne 0 ] && return 1
|
||||
[ -z "$token" ] && return 2
|
||||
return 0
|
||||
}
|
||||
|
||||
create_token() {
|
||||
echo "Waiting for new token to be generated..."
|
||||
begin=$(date +%s)
|
||||
end=$((begin + timeout_delay))
|
||||
while true; do
|
||||
[ -f /data/actions/token ] && return 0
|
||||
[ "$(date +%s)" -gt $end ] && return 1
|
||||
sleep 5
|
||||
done
|
||||
}
|
||||
|
||||
store_token() {
|
||||
echo "Storing the token in Kubernetes secret..."
|
||||
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
|
||||
}
|
||||
|
||||
if check_token; then
|
||||
echo "Key already in place, exiting."
|
||||
exit
|
||||
fi
|
||||
|
||||
if ! create_token; then
|
||||
echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
store_token
|
||||
@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default worker name.
|
||||
*/}}
|
||||
{{- define "gitea.workername" -}}
|
||||
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.labels.actRunner" -}}
|
||||
helm.sh/chart: {{ include "gitea.chart" . }}
|
||||
app: {{ include "gitea.name" . }}-act-runner
|
||||
{{ include "gitea.selectorLabels.actRunner" . }}
|
||||
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.selectorLabels.actRunner" -}}
|
||||
app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "postgresql-ha.dns" -}}
|
||||
{{- if (index .Values "postgresql-ha").enabled -}}
|
||||
{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
|
||||
@ -199,6 +220,15 @@ https
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.act_runner.local_root_url" -}}
|
||||
{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
|
||||
{{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
|
||||
{{- else -}}
|
||||
{{/* fallback for allowing to overwrite this value via inline config */}}
|
||||
{{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.inline_configuration" -}}
|
||||
{{- include "gitea.inline_configuration.init" . -}}
|
||||
{{- include "gitea.inline_configuration.defaults" . -}}
|
||||
@ -263,6 +293,9 @@ https
|
||||
{{- if not (hasKey .Values.gitea.config "indexer") -}}
|
||||
{{- $_ := set .Values.gitea.config "indexer" dict -}}
|
||||
{{- end -}}
|
||||
{{- if not (hasKey .Values.gitea.config "actions") -}}
|
||||
{{- $_ := set .Values.gitea.config "actions" dict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.inline_configuration.defaults" -}}
|
||||
@ -278,6 +311,9 @@ https
|
||||
{{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
|
||||
{{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
|
||||
{{- end -}}
|
||||
{{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}}
|
||||
{{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
|
||||
{{- end -}}
|
||||
{{- /* redis queue */ -}}
|
||||
{{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
|
||||
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
|
||||
@ -309,6 +345,9 @@ https
|
||||
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
|
||||
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
|
||||
{{- end -}}
|
||||
{{- if not .Values.gitea.config.actions.ENABLED -}}
|
||||
{{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.inline_configuration.defaults.server" -}}
|
||||
@ -328,6 +367,9 @@ https
|
||||
{{- if not .Values.gitea.config.server.ROOT_URL -}}
|
||||
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.actions.enabled -}}
|
||||
{{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
|
||||
{{- end -}}
|
||||
{{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
|
||||
{{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
|
||||
{{- end -}}
|
||||
@ -426,3 +468,7 @@ https
|
||||
{{- end -}}
|
||||
{{- toYaml $probe -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.metrics-secret-name" -}}
|
||||
{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }}
|
||||
{{- end -}}
|
||||
15
templates/gitea/act_runner/01-consistency-checks.yaml
Normal file
15
templates/gitea/act_runner/01-consistency-checks.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if .Values.actions.enabled -}}
|
||||
{{- if .Values.actions.provisioning.enabled -}}
|
||||
{{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
|
||||
{{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
|
||||
{{- end -}}
|
||||
{{- if and .Values.persistence.enabled .Values.persistence.mount -}}
|
||||
{{- if .Values.actions.existingSecret -}}
|
||||
{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
|
||||
{{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
15
templates/gitea/act_runner/config-act-runner.yaml
Normal file
15
templates/gitea/act_runner/config-act-runner.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "gitea.fullname" . }}-act-runner-config
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- with .Values.actions.statefulset.actRunner.config -}}
|
||||
{{ . | nindent 4}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
14
templates/gitea/act_runner/config-scripts.yaml
Normal file
14
templates/gitea/act_runner/config-scripts.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "gitea.fullname" . }}-scripts
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
115
templates/gitea/act_runner/job.yaml
Normal file
115
templates/gitea/act_runner/job.yaml
Normal file
@ -0,0 +1,115 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
{{- with .Values.actions.provisioning.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/component: token-job
|
||||
annotations:
|
||||
{{- with .Values.actions.provisioning.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 8 }}
|
||||
{{- with .Values.actions.provisioning.labels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/component: token-job
|
||||
spec:
|
||||
initContainers:
|
||||
- name: init-gitea
|
||||
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
|
||||
sleep 5
|
||||
done
|
||||
containers:
|
||||
- name: actions-token-create
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
env:
|
||||
- name: GITEA_APP_INI
|
||||
value: /data/gitea/conf/app.ini
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
|
||||
mkdir -p /data/actions/
|
||||
gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
|
||||
resources:
|
||||
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
{{- if .Values.persistence.subPath }}
|
||||
subPath: {{ .Values.persistence.subPath }}
|
||||
{{- end }}
|
||||
- name: actions-token-upload
|
||||
image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
|
||||
imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
|
||||
env:
|
||||
- name: SECRET_NAME
|
||||
value: {{ $secretName }}
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
printf "Checking rights to update kubernetes act_runner secret..."
|
||||
kubectl auth can-i update secret/${SECRET_NAME}
|
||||
/scripts/token.sh
|
||||
resources:
|
||||
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- mountPath: /scripts
|
||||
name: scripts
|
||||
readOnly: true
|
||||
- mountPath: /data
|
||||
name: data
|
||||
readOnly: true
|
||||
{{- if .Values.persistence.subPath }}
|
||||
subPath: {{ .Values.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.provisioning.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.provisioning.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.provisioning.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
restartPolicy: Never
|
||||
serviceAccount: {{ $name }}
|
||||
volumes:
|
||||
- name: scripts
|
||||
configMap:
|
||||
name: {{ include "gitea.fullname" . }}-scripts
|
||||
defaultMode: 0755
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.persistence.claimName }}
|
||||
parallelism: 1
|
||||
completions: 1
|
||||
backoffLimit: 1
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
26
templates/gitea/act_runner/role-job.yaml
Normal file
26
templates/gitea/act_runner/role-job.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
resourceNames:
|
||||
- {{ $secretName }}
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
23
templates/gitea/act_runner/rolebinding-job.yaml
Normal file
23
templates/gitea/act_runner/rolebinding-job.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $name }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
20
templates/gitea/act_runner/secret-token.yaml
Normal file
20
templates/gitea/act_runner/secret-token.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
|
||||
{{ if $secret -}}
|
||||
data:
|
||||
token: {{ (b64dec (index $secret.data "token")) | b64enc }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
14
templates/gitea/act_runner/serviceaccount-job.yaml
Normal file
14
templates/gitea/act_runner/serviceaccount-job.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
118
templates/gitea/act_runner/statefulset.yaml
Normal file
118
templates/gitea/act_runner/statefulset.yaml
Normal file
@ -0,0 +1,118 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "gitea.labels.actRunner" . | nindent 4 }}
|
||||
{{- with .Values.actions.statefulset.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- with .Values.actions.statefulset.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
name: {{ include "gitea.fullname" . }}-act-runner
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "gitea.labels.actRunner" . | nindent 8 }}
|
||||
{{- with .Values.actions.statefulset.labels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
initContainers:
|
||||
- name: init-gitea
|
||||
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
|
||||
sleep 5
|
||||
done
|
||||
containers:
|
||||
- name: act-runner
|
||||
image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
|
||||
imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
|
||||
workingDir: /data
|
||||
env:
|
||||
- name: DOCKER_HOST
|
||||
value: tcp://127.0.0.1:2376
|
||||
- name: DOCKER_TLS_VERIFY
|
||||
value: "1"
|
||||
- name: DOCKER_CERT_PATH
|
||||
value: /certs/server
|
||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "{{ .Values.actions.existingSecret | default $secretName }}"
|
||||
key: "{{ .Values.actions.existingSecretKey | default "token" }}"
|
||||
- name: GITEA_INSTANCE_URL
|
||||
value: {{ include "gitea.act_runner.local_root_url" . }}
|
||||
- name: CONFIG_FILE
|
||||
value: /actrunner/config.yaml
|
||||
resources:
|
||||
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- mountPath: /actrunner/config.yaml
|
||||
name: act-runner-config
|
||||
subPath: config.yaml
|
||||
- mountPath: /certs/server
|
||||
name: docker-certs
|
||||
- mountPath: /data
|
||||
name: data-act-runner
|
||||
- name: dind
|
||||
image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
|
||||
imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
|
||||
env:
|
||||
- name: DOCKER_HOST
|
||||
value: tcp://127.0.0.1:2376
|
||||
- name: DOCKER_TLS_VERIFY
|
||||
value: "1"
|
||||
- name: DOCKER_CERT_PATH
|
||||
value: /certs/server
|
||||
{{- if .Values.actions.statefulset.dind.extraEnvs }}
|
||||
{{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources:
|
||||
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- mountPath: /certs/server
|
||||
name: docker-certs
|
||||
{{- with .Values.actions.statefulset.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.statefulset.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.statefulset.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: act-runner-config
|
||||
configMap:
|
||||
name: {{ include "gitea.fullname" . }}-act-runner-config
|
||||
- name: docker-certs
|
||||
emptyDir: {}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data-act-runner
|
||||
spec:
|
||||
accessModes: [ "ReadWriteOnce" ]
|
||||
{{- include "gitea.persistence.storageClass" . | nindent 8 }}
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Mi
|
||||
{{- end }}
|
||||
12
templates/gitea/metrics-secret.yaml
Normal file
12
templates/gitea/metrics-secret.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "gitea.metrics-secret-name" . }}
|
||||
namespace: {{ .Values.namespace | default .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
token: {{ .Values.gitea.metrics.token | b64enc }}
|
||||
{{- end }}
|
||||
@ -32,4 +32,12 @@ spec:
|
||||
tlsConfig:
|
||||
{{- . | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.gitea.metrics.token }}
|
||||
authorization:
|
||||
type: Bearer
|
||||
credentials:
|
||||
name: {{ include "gitea.metrics-secret-name" . }}
|
||||
key: token
|
||||
optional: false
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
69
unittests/act_runner/01-consistency-checks.yaml
Normal file
69
unittests/act_runner/01-consistency-checks.yaml
Normal file
@ -0,0 +1,69 @@
|
||||
suite: actions template | consistency checks
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/01-consistency-checks.yaml
|
||||
tests:
|
||||
- it: fails when provisioning is enabled BUT persistence is completely disabled
|
||||
set:
|
||||
persistence:
|
||||
enabled: false
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: true
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
|
||||
- it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
|
||||
set:
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: false
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: true
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
|
||||
- it: fails when provisioning is enabled AND existingSecret is given
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: true
|
||||
existingSecret: "secret-reference"
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
|
||||
- it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: false
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
|
||||
- it: fails when provisioning is disabled BUT existingSecretKey is missing
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: false
|
||||
existingSecret: "my-secret"
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
|
||||
- it: fails when provisioning is disabled BUT existingSecret is missing
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: false
|
||||
existingSecretKey: "my-secret-key"
|
||||
asserts:
|
||||
- failedTemplate:
|
||||
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
|
||||
45
unittests/act_runner/config-act-runner.yaml
Normal file
45
unittests/act_runner/config-act-runner.yaml
Normal file
@ -0,0 +1,45 @@
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
|
||||
suite: actions template | config-act-runner
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/config-act-runner.yaml
|
||||
tests:
|
||||
- it: doesn't renders a ConfigMap by default
|
||||
template: templates/gitea/act_runner/config-act-runner.yaml
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
- it: renders a ConfigMap
|
||||
template: templates/gitea/act_runner/config-act-runner.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
statefulset:
|
||||
actRunner:
|
||||
config: |
|
||||
log:
|
||||
level: info
|
||||
cache:
|
||||
enabled: false
|
||||
runner:
|
||||
labels:
|
||||
- "ubuntu-latest"
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
name: gitea-unittests-act-runner-config
|
||||
- equal:
|
||||
path: data["config.yaml"]
|
||||
value: |
|
||||
log:
|
||||
level: info
|
||||
cache:
|
||||
enabled: false
|
||||
runner:
|
||||
labels:
|
||||
- "ubuntu-latest"
|
||||
49
unittests/act_runner/config-scripts.yaml
Normal file
49
unittests/act_runner/config-scripts.yaml
Normal file
@ -0,0 +1,49 @@
|
||||
suite: actions template | config-scripts
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/config-scripts.yaml
|
||||
tests:
|
||||
- it: renders a ConfigMap when all criteria are met
|
||||
template: templates/gitea/act_runner/config-scripts.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
name: gitea-unittests-scripts
|
||||
- isNotNullOrEmpty:
|
||||
path: data["token.sh"]
|
||||
- it: doesn't renders a ConfigMap by default
|
||||
template: templates/gitea/act_runner/config-scripts.yaml
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
- it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
|
||||
template: templates/gitea/act_runner/config-scripts.yaml
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
- it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
|
||||
template: templates/gitea/act_runner/config-scripts.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: false
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
65
unittests/act_runner/job.yaml
Normal file
65
unittests/act_runner/job.yaml
Normal file
@ -0,0 +1,65 @@
|
||||
suite: actions template | job
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
chart:
|
||||
# Override appVersion to have a pinned version for comparison
|
||||
appVersion: 1.19.3
|
||||
templates:
|
||||
- templates/gitea/act_runner/job.yaml
|
||||
tests:
|
||||
- it: renders a Job
|
||||
template: templates/gitea/act_runner/job.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: Job
|
||||
apiVersion: batch/v1
|
||||
name: gitea-unittests-actions-token-job
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: "gitea/gitea:1.19.3-rootless"
|
||||
- it: tag override
|
||||
template: templates/gitea/act_runner/job.yaml
|
||||
set:
|
||||
image.tag: "1.19.4"
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: true
|
||||
publish:
|
||||
tag: "1.29.0"
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: "gitea/gitea:1.19.4-rootless"
|
||||
- equal:
|
||||
path: spec.template.spec.containers[1].image
|
||||
value: "bitnami/kubectl:1.29.0"
|
||||
- it: doesn't renders a Job by default
|
||||
template: templates/gitea/act_runner/job.yaml
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
- it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
|
||||
template: templates/gitea/act_runner/job.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: false
|
||||
provisioning:
|
||||
enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
42
unittests/act_runner/role-job.yaml
Normal file
42
unittests/act_runner/role-job.yaml
Normal file
@ -0,0 +1,42 @@
|
||||
suite: actions template | role-job
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/role-job.yaml
|
||||
tests:
|
||||
- it: doesn't renders a Role by default
|
||||
template: templates/gitea/act_runner/role-job.yaml
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
- it: renders a Role
|
||||
template: templates/gitea/act_runner/role-job.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
name: gitea-unittests-actions-token-job
|
||||
- it: doesn't renders a Role when criteria met BUT actions are not enabled
|
||||
template: templates/gitea/act_runner/role-job.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: false
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user