From d77793a52bf7797bd8397438d5bfd7b93e8d6f17 Mon Sep 17 00:00:00 2001 From: dementhorr Date: Fri, 5 Jan 2024 18:02:11 +0100 Subject: [PATCH 01/36] Added actions job that creates gitea-actions-token --- scripts/token.sh | 41 +++++++ templates/_helpers.tpl | 8 ++ templates/gitea/actions-job.yaml | 176 +++++++++++++++++++++++++++++++ templates/gitea/actions.yaml | 176 +++++++++++++++++++++++++++++++ values.yaml | 40 +++++++ 5 files changed, 441 insertions(+) create mode 100644 scripts/token.sh create mode 100644 templates/gitea/actions-job.yaml create mode 100644 templates/gitea/actions.yaml diff --git a/scripts/token.sh b/scripts/token.sh new file mode 100644 index 0000000..8186ddd --- /dev/null +++ b/scripts/token.sh @@ -0,0 +1,41 @@ +#!/bin/sh + +set -eu + +check_token() { + set +e + + echo "Checking for existing token..." + token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)" + [ $? -ne 0 ] && return 1 + [ -z "$token" ] && return 2 + return 0 +} + +create_token() { + echo "Waiting for new token to be generated..." + begin=$(date +%s) + end=$((begin + 300)) # 5 minutes + while true; do + [ -f /data/actions/token ] && return 0 + [ "$(date +%s)" -gt $end ] && return 1 + sleep 5 + done +} + +store_token() { + echo "Storing the token in Kubernetes secret..." + kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}" +} + +if check_token; then + echo "Key already in place, exiting." + exit +fi + +if ! create_token; then + echo "Timed out waiting for a token to appear." + exit 1 +fi + +store_token diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index c7d13d9..f000723 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
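Review bot: The wait loop in `create_token` tests `[ -f /data/actions/token ]`, which is already true for an empty file, so `store_token` can publish an empty token into the Secret. The Job added in this patch writes that file through a shell redirection at the end of a pipeline, so the file exists before `gitea actions generate-runner-token` has produced any output, and it stays empty when the `grep` filter matches nothing. Testing for a non-empty file covers both cases: `[ -s /data/actions/token ] && return 0`. Separately, the `set +e` in `check_token` is never undone and is not needed, since the function is only called as an `if` condition.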
@@ -25,6 +25,14 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* +Create a default worker name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "gitea.workername" -}} +{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/templates/gitea/actions-job.yaml b/templates/gitea/actions-job.yaml new file mode 100644 index 0000000..4e3e130 --- /dev/null +++ b/templates/gitea/actions-job.yaml 
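Review bot: `gitea.workername` builds its name from `.global.Release.Name`, while the ConfigMap added in this same patch is named with `include "gitea.fullname" .`, so the token Job, its RBAC objects and the Secret will not follow whatever naming the full-name helper applies (presumably name overrides; that helper's body is outside this hunk). Consider `{{- printf "%s-%s" (include "gitea.fullname" .global) .worker | trunc 63 | trimSuffix "-" -}}`. The doc comment should also state the expected argument, for example `Expects a dict with "global" (the root context) and "worker" (the name suffix).`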
@@ -0,0 +1,176 @@ +{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if .Values.actions.existingSecret }} +{{- fail "Can't specify both actions.job.enabled and actions.existingSecret" }} +{{- end }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-scripts + labels: + {{- include "gitea.labels" . | nindent 4 }} + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +data: +{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - {{ $secretName }} + verbs: + - get + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name }} +subjects: + - kind: ServiceAccount + name: {{ $name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . 
| nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded + {{- with .Values.actions.job.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ttlSecondsAfterFinished: 0 + template: + metadata: + labels: + {{- include "gitea.labels" . | nindent 8 }} + app.kubernetes.io/component: token-job + spec: + containers: + - name: actions-token-create + image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default "latest-rootless" }}" + imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }} + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + command: + - sh + - -c + - | + while ! nc -z gitea-http 3000; do + sleep 5 + done + + echo "Generating token..." + mkdir -p /data/actions/ + gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token + resources: + {{- toYaml .Values.actions.resources | nindent 12 }} + volumeMounts: + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: actions-token-upload + image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag | default "latest" }}" + imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }} + env: + - name: SECRET_NAME + value: {{ $secretName }} + command: + - sh + - -c + - | + printf "Checking rights to update secret... 
" + kubectl auth can-i update secret/${SECRET_NAME} + /scripts/token.sh + resources: + {{- toYaml .Values.actions.resources | nindent 12 }} + volumeMounts: + - mountPath: /scripts + name: scripts + readOnly: true + - mountPath: /data + name: data + readOnly: true + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + restartPolicy: Never + serviceAccount: {{ $name }} + volumes: + - name: scripts + configMap: + name: {{ include "gitea.fullname" . }}-scripts + defaultMode: 0755 + - name: data + persistentVolumeClaim: + claimName: {{ .Values.persistence.claimName }} + parallelism: 1 + completions: 1 + backoffLimit: 1 +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: never + helm.sh/resource-policy: keep + argocd.argoproj.io/hook: Skip + argocd.argoproj.io/hook-delete-policy: Never + name: {{ $secretName }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} +{{ if $secret -}} +data: + signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }} +{{ end -}} +{{- end }} diff --git a/templates/gitea/actions.yaml b/templates/gitea/actions.yaml new file mode 100644 index 0000000..4e3e130 --- /dev/null +++ b/templates/gitea/actions.yaml 
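Review bot: The `actions-token-upload` container mounts the whole Gitea data claim at `/data` only to read one file, and the registration token is left in plaintext at `/data/actions/token` on that claim after the Job has finished. That container also runs under the ServiceAccount allowed to patch the token Secret and uses an image whose tag defaults to `latest`, so it should see as little as possible. Hand the token over through a memory-backed `emptyDir` mounted at `/data/actions` in both containers and drop the `/data` mount from the upload container; `scripts/token.sh` then needs no path change and nothing persists on the claim. The same template is added a second time as `templates/gitea/actions.yaml` in this patch, so the point applies there as well.

```yaml
        # … unchanged: actions-token-create image, env, command, resources …
          volumeMounts:
            # … unchanged: data volume at /data …
            - name: token
              mountPath: /data/actions
        # … unchanged: actions-token-upload image, env, command, resources …
          volumeMounts:
            # … unchanged: scripts volume at /scripts …
            - name: token
              mountPath: /data/actions
              readOnly: true
      # … unchanged: restartPolicy, serviceAccount …
      volumes:
        # … unchanged: scripts and data volumes …
        - name: token
          emptyDir:
            medium: Memory
```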
@@ -0,0 +1,176 @@ +{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if .Values.actions.existingSecret }} +{{- fail "Can't specify both actions.job.enabled and actions.existingSecret" }} +{{- end }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-scripts + labels: + {{- include "gitea.labels" . | nindent 4 }} + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +data: +{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - {{ $secretName }} + verbs: + - get + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name }} +subjects: + - kind: ServiceAccount + name: {{ $name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . 
| nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded + {{- with .Values.actions.job.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ttlSecondsAfterFinished: 0 + template: + metadata: + labels: + {{- include "gitea.labels" . | nindent 8 }} + app.kubernetes.io/component: token-job + spec: + containers: + - name: actions-token-create + image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default "latest-rootless" }}" + imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }} + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + command: + - sh + - -c + - | + while ! nc -z gitea-http 3000; do + sleep 5 + done + + echo "Generating token..." + mkdir -p /data/actions/ + gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token + resources: + {{- toYaml .Values.actions.resources | nindent 12 }} + volumeMounts: + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: actions-token-upload + image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag | default "latest" }}" + imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }} + env: + - name: SECRET_NAME + value: {{ $secretName }} + command: + - sh + - -c + - | + printf "Checking rights to update secret... 
" + kubectl auth can-i update secret/${SECRET_NAME} + /scripts/token.sh + resources: + {{- toYaml .Values.actions.resources | nindent 12 }} + volumeMounts: + - mountPath: /scripts + name: scripts + readOnly: true + - mountPath: /data + name: data + readOnly: true + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + restartPolicy: Never + serviceAccount: {{ $name }} + volumes: + - name: scripts + configMap: + name: {{ include "gitea.fullname" . }}-scripts + defaultMode: 0755 + - name: data + persistentVolumeClaim: + claimName: {{ .Values.persistence.claimName }} + parallelism: 1 + completions: 1 + backoffLimit: 1 +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: never + helm.sh/resource-policy: keep + argocd.argoproj.io/hook: Skip + argocd.argoproj.io/hook-delete-policy: Never + name: {{ $secretName }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} +{{ if $secret -}} +data: + signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }} +{{ end -}} +{{- end }} diff --git a/values.yaml b/values.yaml index af66f24..729fc46 100644 --- a/values.yaml +++ b/values.yaml 
@@ -339,6 +339,46 @@ signing: # -----END PGP PRIVATE KEY BLOCK----- existingSecret: "" +# Configure Gitea Actions +# - must enable persistence +# - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL +## @section GiteaActions +# +## @param actions.statefulset.enabled Create an act-runner StatefulSet. +## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret +## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token` +## @param actions.job.tokenImage.tag The token image tag that can create a token +## @param actions.job.tokenImage.pullPolicy The token image pullPolicy that can create a token +## @param actions.job.publishImage.repository The image that can create the secret via kubectl +## @param actions.job.publishImage.tag The publish image tag that can create the secret +## @param actions.job.publishImage.pullPolicy The publish image pullPolicy that can create the secret +## @param actions.existingSecret Secret that contains the token +## @param actions.existingSecretKey Secret key +actions: + statefulset: + enabled: false + + job: + enabled: false + + annotations: {} + resources: {} + + tokenImage: + repository: gitea/gitea + # tag: latest-rootless + pullPolicy: IfNotPresent + + publishImage: + repository: bitnami/kubectl + # tag: latest + pullPolicy: IfNotPresent + + ## Specify an existing token secret + ## + # existingSecret: secretName + # existingSecretKey: token + ## @section Gitea # gitea: -- 2.40.1 From 440560ef0bda51e7a165c592c79b7e4d8ecce5da Mon Sep 17 00:00:00 2001 
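Review bot: Both Job images resolve to floating tags by default: with `tag` left commented out under `tokenImage` and `publishImage`, the Job template in this patch falls back to `latest-rootless` and `latest`, and `pullPolicy: IfNotPresent` then keeps whatever a node happened to pull first. This Job reads the Gitea data volume and can patch the token Secret, so the image content should be reproducible. Set an explicit default such as `tag: <pinned-version>` (placeholder) for each image, or accept a digest, and say in the `@param` text that `latest` is only a fallback.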
From: dementhorr Date: Fri, 5 Jan 2024 20:19:24 +0100 Subject: [PATCH 02/36] Added actions statefulset --- templates/gitea/actions-job.yaml | 3 +- templates/gitea/actions-statefulset.yaml | 120 ++++++++++++++++ templates/gitea/actions.yaml | 176 ----------------------- values.yaml | 20 +++ 4 files changed, 141 insertions(+), 178 deletions(-) create mode 100644 templates/gitea/actions-statefulset.yaml delete mode 100644 templates/gitea/actions.yaml diff --git a/templates/gitea/actions-job.yaml b/templates/gitea/actions-job.yaml index 4e3e130..881fd83 100644 --- a/templates/gitea/actions-job.yaml +++ b/templates/gitea/actions-job.yaml @@ -161,7 +161,6 @@ metadata: annotations: # helm.sh/hook: post-install # helm.sh/hook-delete-policy: never - helm.sh/resource-policy: keep argocd.argoproj.io/hook: Skip argocd.argoproj.io/hook-delete-policy: Never name: {{ $secretName }} @@ -171,6 +170,6 @@ metadata: {{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} {{ if $secret -}} data: - signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }} + token: {{ (b64dec (index $secret.data "token")) | b64enc }} {{ end -}} {{- end }} diff --git a/templates/gitea/actions-statefulset.yaml b/templates/gitea/actions-statefulset.yaml new file mode 100644 index 0000000..f0d76fc --- /dev/null +++ b/templates/gitea/actions-statefulset.yaml 
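Review bot: `index $secret.data "token"` in the second hunk is evaluated whenever the Secret exists, including when it has no `token` key yet, which is the state Helm creates on first install before the Job has patched it. In that state `$secret.data` is likely nil and the `index`/`b64dec` chain would fail or emit an empty value on the next upgrade; this needs confirming against a rendered upgrade. Guarding on the key avoids it, e.g. `{{ $token := dig "data" "token" "" ($secret | default dict) -}}` followed by `{{ if $token -}}` and `token: {{ $token }}`, which also drops the redundant `b64dec | b64enc` round trip. The same lines are moved unchanged into `templates/gitea/actions/secret-token.yaml` in patch 04.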
@@ -0,0 +1,120 @@ +{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-act-runner-config + labels: + {{- include "gitea.labels" . | nindent 4 }} +data: + config.yaml: | + log: + level: debug + cache: + enabled: false +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- if .Values.actions.statefulset.labels }} + {{- toYaml .Values.actions.statefulset.labels | nindent 4 }} + {{- end }} + name: act-runner +spec: + selector: + matchLabels: + {{- include "gitea.selectorLabels" . | nindent 6 }} + {{- if .Values.actions.statefulset.labels }} + {{- toYaml .Values.actions.statefulset.labels | nindent 6 }} + {{- end }} + template: + metadata: + labels: + {{- include "gitea.labels" . | nindent 8 }} + {{- if .Values.actions.statefulset.labels }} + {{- toYaml .Values.actions.statefulset.labels | nindent 8 }} + {{- end }} + spec: + initContainers: + - name: init-gitea + image: busybox:latest + command: + - sh + - -c + - | + while ! 
nc -z gitea-http 3000; do + sleep 5 + done + containers: + - name: act-runner + image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag | default "latest" }}" + imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }} + workingDir: /data + env: + - name: DOCKER_HOST + value: tcp://127.0.0.1:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/server + - name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ $secretName }} + key: token + - name: GITEA_INSTANCE_URL + value: http://gitea-http:3000 + - name: GITEA_RUNNER_LABELS + value: ubuntu-latest + - name: CONFIG_FILE + value: /actrunner/config.yaml + lifecycle: + postStart: + exec: + command: + - sh + - -c + - | + apk --update add nodejs npm + volumeMounts: + - mountPath: /actrunner/config.yaml + name: act-runner-config + subPath: config.yaml + - mountPath: /certs/server + name: docker-certs + - mountPath: /data + name: data-act-runner + - name: dind + image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag | default "24.0.7-dind" }}" + imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }} + env: + - name: DOCKER_HOST + value: tcp://127.0.0.1:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/server + securityContext: + # allowPrivilegeEscalation: true + privileged: true + volumeMounts: + - mountPath: /certs/server + name: docker-certs + volumes: + - name: act-runner-config + configMap: + name: {{ include "gitea.fullname" . }}-act-runner-config + - name: docker-certs + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: data-act-runner + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 1Mi +{{- end }} diff --git a/templates/gitea/actions.yaml b/templates/gitea/actions.yaml deleted file mode 100644 index 4e3e130..0000000 
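Review bot: The StatefulSet's `selector.matchLabels` is `gitea.selectorLabels` plus `actions.statefulset.labels`, and the latter defaults to `{}` in values.yaml, so by default the runner pods are selected by exactly the chart's generic selector labels. If the Gitea Service and workload select on the same helper (not visible in this hunk), the `gitea-http` Service would also route to runner pods and the two controllers' selectors would overlap. Add a fixed component label to both the selector and the pod template labels, e.g. `app.kubernetes.io/component: act-runner`, the way the token Job in patch 01 labels its pods with `token-job`.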
--- a/templates/gitea/actions.yaml +++ /dev/null 
@@ -1,176 +0,0 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- if .Values.actions.existingSecret }} -{{- fail "Can't specify both actions.job.enabled and actions.existingSecret" }} -{{- end }} -{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} -{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "gitea.fullname" . }}-scripts - labels: - {{- include "gitea.labels" . | nindent 4 }} - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -data: -{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -rules: - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - {{ $secretName }} - verbs: - - get - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $name }} -subjects: - - kind: ServiceAccount - name: {{ $name }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . 
| nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded - {{- with .Values.actions.job.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ttlSecondsAfterFinished: 0 - template: - metadata: - labels: - {{- include "gitea.labels" . | nindent 8 }} - app.kubernetes.io/component: token-job - spec: - containers: - - name: actions-token-create - image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default "latest-rootless" }}" - imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }} - env: - - name: GITEA_APP_INI - value: /data/gitea/conf/app.ini - command: - - sh - - -c - - | - while ! nc -z gitea-http 3000; do - sleep 5 - done - - echo "Generating token..." - mkdir -p /data/actions/ - gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token - resources: - {{- toYaml .Values.actions.resources | nindent 12 }} - volumeMounts: - - name: data - mountPath: /data - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - - name: actions-token-upload - image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag | default "latest" }}" - imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }} - env: - - name: SECRET_NAME - value: {{ $secretName }} - command: - - sh - - -c - - | - printf "Checking rights to update secret... 
" - kubectl auth can-i update secret/${SECRET_NAME} - /scripts/token.sh - resources: - {{- toYaml .Values.actions.resources | nindent 12 }} - volumeMounts: - - mountPath: /scripts - name: scripts - readOnly: true - - mountPath: /data - name: data - readOnly: true - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - restartPolicy: Never - serviceAccount: {{ $name }} - volumes: - - name: scripts - configMap: - name: {{ include "gitea.fullname" . }}-scripts - defaultMode: 0755 - - name: data - persistentVolumeClaim: - claimName: {{ .Values.persistence.claimName }} - parallelism: 1 - completions: 1 - backoffLimit: 1 ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: never - helm.sh/resource-policy: keep - argocd.argoproj.io/hook: Skip - argocd.argoproj.io/hook-delete-policy: Never - name: {{ $secretName }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job -{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} -{{ if $secret -}} -data: - signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }} -{{ end -}} -{{- end }} diff --git a/values.yaml b/values.yaml index 729fc46..6389fc6 100644 --- a/values.yaml +++ b/values.yaml 
@@ -345,6 +345,12 @@ signing: ## @section GiteaActions # ## @param actions.statefulset.enabled Create an act-runner StatefulSet. +## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image +## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag +## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy +## @param actions.statefulset.dindImage.repository The Docker-in-Docker image +## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag +## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token` ## @param actions.job.tokenImage.tag The token image tag that can create a token @@ -358,6 +364,20 @@ actions: statefulset: enabled: false + annotations: {} + labels: {} + resources: {} + + actRunnerImage: + repository: gitea/act_runner + # tag: latest + pullPolicy: IfNotPresent + + dindImage: + repository: docker + # tag: 24.0.7-dind + pullPolicy: IfNotPresent + job: enabled: false -- 2.40.1 From df9314a1dfba799800dd7b9e9e4a1fb336bcf6b2 Mon Sep 17 00:00:00 2001 From: dementhorr Date: Sat, 6 Jan 2024 18:40:53 +0100 Subject: [PATCH 03/36] Removed lifecycle.postStart.exec.command --- templates/gitea/actions-statefulset.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/templates/gitea/actions-statefulset.yaml b/templates/gitea/actions-statefulset.yaml index f0d76fc..5208996 100644 --- a/templates/gitea/actions-statefulset.yaml +++ b/templates/gitea/actions-statefulset.yaml 
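Review bot: The description of `actions.statefulset.enabled` does not say that enabling it starts a Docker-in-Docker sidecar with `securityContext.privileged: true` (set in `actions-statefulset.yaml` in this patch), which is the main thing an operator needs to know before turning it on. Suggested text: `## @param actions.statefulset.enabled Create an act-runner StatefulSet; its Docker-in-Docker sidecar runs privileged`. The `annotations`, `labels` and `resources` keys added in the next hunk have no `@param` lines either.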
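Review bot: `actions.statefulset.annotations` and `actions.statefulset.resources` are added in the second hunk, but the StatefulSet template in this patch reads neither, so the runner and the privileged `dind` container always run without requests or limits whatever the operator sets. Either render them on each container, e.g. `resources:` followed by `{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}`, or drop the keys. Patch 01 has the same mismatch: values define `actions.job.resources`, while the Job template renders `.Values.actions.resources`.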
@@ -71,14 +71,6 @@ spec: value: ubuntu-latest - name: CONFIG_FILE value: /actrunner/config.yaml - lifecycle: - postStart: - exec: - command: - - sh - - -c - - | - apk --update add nodejs npm volumeMounts: - mountPath: /actrunner/config.yaml name: act-runner-config -- 2.40.1 From 8d6269a8b104c3168ae877703e30a06ba1d19101 Mon Sep 17 00:00:00 2001 From: dementhorr Date: Tue, 9 Jan 2024 15:55:14 +0100 Subject: [PATCH 04/36] Refractored code --- .../gitea/actions/config-act-runner.yaml | 15 ++++ templates/gitea/actions/config-scripts.yaml | 14 ++++ .../{actions-job.yaml => actions/job.yaml} | 82 ------------------- templates/gitea/actions/role-job.yaml | 26 ++++++ templates/gitea/actions/rolebinding-job.yaml | 23 ++++++ templates/gitea/actions/secret-token.yaml | 22 +++++ .../gitea/actions/serviceaccount-job.yaml | 14 ++++ .../statefulset.yaml} | 15 +--- 8 files changed, 115 insertions(+), 96 deletions(-) create mode 100644 templates/gitea/actions/config-act-runner.yaml create mode 100644 templates/gitea/actions/config-scripts.yaml rename templates/gitea/{actions-job.yaml => actions/job.yaml} (62%) create mode 100644 templates/gitea/actions/role-job.yaml create mode 100644 templates/gitea/actions/rolebinding-job.yaml create mode 100644 templates/gitea/actions/secret-token.yaml create mode 100644 templates/gitea/actions/serviceaccount-job.yaml rename templates/gitea/{actions-statefulset.yaml => actions/statefulset.yaml} (92%) diff --git a/templates/gitea/actions/config-act-runner.yaml b/templates/gitea/actions/config-act-runner.yaml new file mode 100644 index 0000000..6f9423c --- /dev/null +++ b/templates/gitea/actions/config-act-runner.yaml 
@@ -0,0 +1,15 @@ +{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-act-runner-config + labels: + {{- include "gitea.labels" . | nindent 4 }} +data: + config.yaml: | + log: + level: debug + cache: + enabled: false +{{- end }} diff --git a/templates/gitea/actions/config-scripts.yaml b/templates/gitea/actions/config-scripts.yaml new file mode 100644 index 0000000..cbe5cdc --- /dev/null +++ b/templates/gitea/actions/config-scripts.yaml @@ -0,0 +1,14 @@ +{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-scripts + labels: + {{- include "gitea.labels" . | nindent 4 }} + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +data: +{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} +{{- end }} diff --git a/templates/gitea/actions-job.yaml b/templates/gitea/actions/job.yaml similarity index 62% rename from templates/gitea/actions-job.yaml rename to templates/gitea/actions/job.yaml index 881fd83..4173f28 100644 --- a/templates/gitea/actions-job.yaml +++ b/templates/gitea/actions/job.yaml 
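Review bot: The runner configuration in `config-act-runner.yaml` hard-codes `log: level: debug`, which is a development setting to ship as the only option and cannot be changed without editing the template. Default it to `level: info` and read the level from a values key so operators can raise it when troubleshooting. The `config-scripts.yaml` hunk on the same line is a straight move and needs no change.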
@@ -5,70 +5,6 @@ {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "gitea.fullname" . }}-scripts - labels: - {{- include "gitea.labels" . | nindent 4 }} - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -data: -{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -rules: - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - {{ $secretName }} - verbs: - - get - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $name }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $name }} -subjects: - - kind: ServiceAccount - name: {{ $name }} - namespace: {{ .Release.Namespace }} ---- apiVersion: batch/v1 kind: Job metadata: 
@@ -154,22 +90,4 @@ spec: parallelism: 1 completions: 1 backoffLimit: 1 ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: never - argocd.argoproj.io/hook: Skip - argocd.argoproj.io/hook-delete-policy: Never - name: {{ $secretName }} - labels: - {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job -{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} -{{ if $secret -}} -data: - token: {{ (b64dec (index $secret.data "token")) | b64enc }} -{{ end -}} {{- end }} diff --git a/templates/gitea/actions/role-job.yaml b/templates/gitea/actions/role-job.yaml new file mode 100644 index 0000000..6f4ab74 --- /dev/null +++ b/templates/gitea/actions/role-job.yaml @@ -0,0 +1,26 @@ +{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - {{ $secretName }} + verbs: + - get + - update + - patch +{{- end }} diff --git a/templates/gitea/actions/rolebinding-job.yaml b/templates/gitea/actions/rolebinding-job.yaml new file mode 100644 index 0000000..be2d2de --- /dev/null +++ b/templates/gitea/actions/rolebinding-job.yaml 
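Review bot: The Role in `role-job.yaml` grants `update` on the token Secret, but `scripts/token.sh` from patch 01 only runs `kubectl get secret` and `kubectl patch secret`; the only reference to `update` is the `kubectl auth can-i update` probe in the Job command, as far as this series shows. Dropping `- update` from `verbs` and probing the verb that is actually used, `kubectl auth can-i patch secret/${SECRET_NAME}`, keeps the Role at the minimum it needs.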
@@ -0,0 +1,23 @@ +{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name }} +subjects: + - kind: ServiceAccount + name: {{ $name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/templates/gitea/actions/secret-token.yaml b/templates/gitea/actions/secret-token.yaml new file mode 100644 index 0000000..e2b1e12 --- /dev/null +++ b/templates/gitea/actions/secret-token.yaml @@ -0,0 +1,22 @@ +{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: never + argocd.argoproj.io/hook: Skip + argocd.argoproj.io/hook-delete-policy: Never + name: {{ $secretName }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} +{{ if $secret -}} +data: + token: {{ (b64dec (index $secret.data "token")) | b64enc }} +{{ end -}} +{{- end }} diff --git a/templates/gitea/actions/serviceaccount-job.yaml b/templates/gitea/actions/serviceaccount-job.yaml new file mode 100644 index 0000000..5731c0c --- /dev/null 
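Review bot: The `lookup` branch in secret-token.yaml assumes that an existing Secret already carries a `token` key, because `index $secret.data "token"` is evaluated whenever the Secret exists. On an upgrade that runs after the empty Secret was created but before the job has patched it, `$secret.data` is presumably nil and rendering would fail, so guard the key before emitting `data:`, for example `{{- $token := dig "data" "token" "" ($secret | default dict) }}` followed by `{{- if $token }}`. The `b64dec ... | b64enc` round trip can then be replaced by emitting the stored value unchanged. `lookup` also returns an empty result under `helm template` and `--dry-run`, so a tool that renders the chart that way emits this Secret without `data`; a template comment should say that the token then depends on the job writing it again.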
+++ b/templates/gitea/actions/serviceaccount-job.yaml @@ -0,0 +1,14 @@ +{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job + annotations: + # helm.sh/hook: post-install + # helm.sh/hook-delete-policy: hook-succeeded +{{- end }} diff --git a/templates/gitea/actions-statefulset.yaml b/templates/gitea/actions/statefulset.yaml similarity index 92% rename from templates/gitea/actions-statefulset.yaml rename to templates/gitea/actions/statefulset.yaml index 5208996..8fcb07d 100644 --- a/templates/gitea/actions-statefulset.yaml +++ b/templates/gitea/actions/statefulset.yaml @@ -1,19 +1,6 @@ {{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "gitea.fullname" . }}-act-runner-config - labels: - {{- include "gitea.labels" . | nindent 4 }} -data: - config.yaml: | - log: - level: debug - cache: - enabled: false ---- apiVersion: apps/v1 kind: StatefulSet metadata: @@ -22,7 +9,7 @@ metadata: {{- if .Values.actions.statefulset.labels }} {{- toYaml .Values.actions.statefulset.labels | nindent 4 }} {{- end }} - name: act-runner + name: {{ include "gitea.fullname" . }}-act-runner spec: selector: matchLabels: -- 2.40.1 From 19b6916f356f62507a202ead45de7ccda2e99410 Mon Sep 17 00:00:00 2001 
From: dementhorr Date: Tue, 9 Jan 2024 16:05:49 +0100 Subject: [PATCH 05/36] Added initial unittests for gitea actions --- unittests/actions/config-act-runner.yaml | 20 ++++++++++++++++++++ unittests/actions/config-scripts.yaml | 20 ++++++++++++++++++++ unittests/actions/job.yaml | 20 ++++++++++++++++++++ unittests/actions/role-job.yaml | 20 ++++++++++++++++++++ unittests/actions/rolebinding-job.yaml | 20 ++++++++++++++++++++ unittests/actions/secret-token.yaml | 20 ++++++++++++++++++++ unittests/actions/serviceaccount-job.yaml | 20 ++++++++++++++++++++ unittests/actions/statefulset.yaml | 20 ++++++++++++++++++++ 8 files changed, 160 insertions(+) create mode 100644 unittests/actions/config-act-runner.yaml create mode 100644 unittests/actions/config-scripts.yaml create mode 100644 unittests/actions/job.yaml create mode 100644 unittests/actions/role-job.yaml create mode 100644 unittests/actions/rolebinding-job.yaml create mode 100644 unittests/actions/secret-token.yaml create mode 100644 unittests/actions/serviceaccount-job.yaml create mode 100644 unittests/actions/statefulset.yaml diff --git a/unittests/actions/config-act-runner.yaml b/unittests/actions/config-act-runner.yaml new file mode 100644 index 0000000..a4982e9 --- /dev/null +++ b/unittests/actions/config-act-runner.yaml @@ -0,0 +1,20 @@ +suite: actions template | config-act-runner +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/config-act-runner.yaml +tests: + - it: renders a deployment + template: templates/gitea/actions/config-act-runner.yaml + set: + actions: + statefulset: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-act-runner-config diff --git a/unittests/actions/config-scripts.yaml b/unittests/actions/config-scripts.yaml new file mode 100644 index 0000000..862c554 --- /dev/null +++ b/unittests/actions/config-scripts.yaml 
@@ -0,0 +1,20 @@ +suite: actions template | config-scripts +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/config-scripts.yaml +tests: + - it: renders a deployment + template: templates/gitea/actions/config-scripts.yaml + set: + actions: + job: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-scripts diff --git a/unittests/actions/job.yaml b/unittests/actions/job.yaml new file mode 100644 index 0000000..9702f4a --- /dev/null +++ b/unittests/actions/job.yaml @@ -0,0 +1,20 @@ +suite: actions template | job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/job.yaml +tests: + - it: renders a deployment + template: templates/gitea/actions/job.yaml + set: + actions: + job: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Job + apiVersion: batch/v1 + name: gitea-unittests-actions-token-job diff --git a/unittests/actions/role-job.yaml b/unittests/actions/role-job.yaml new file mode 100644 index 0000000..7aab92f --- /dev/null +++ b/unittests/actions/role-job.yaml @@ -0,0 +1,20 @@ +suite: actions template | role-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/role-job.yaml +tests: + - it: renders a role + template: templates/gitea/actions/role-job.yaml + set: + actions: + job: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: gitea-unittests-actions-token-job diff --git a/unittests/actions/rolebinding-job.yaml b/unittests/actions/rolebinding-job.yaml new file mode 100644 index 0000000..ba1dc94 --- /dev/null +++ b/unittests/actions/rolebinding-job.yaml 
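Review bot: The role-job suite asserts only the document count, kind and name, so the part of the Role that matters for access control is not pinned. A later edit that drops `resourceNames` or widens `verbs` would let the job's service account read and write every Secret in the namespace, and this test would still pass. Add assertions on `rules[0]` covering `resources`, the verb list and `resourceNames`, for example an `equal` assertion with `path: rules[0].resourceNames` and the value `gitea-unittests-actions-token`.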
@@ -0,0 +1,20 @@ +suite: actions template | rolebinding-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/rolebinding-job.yaml +tests: + - it: renders a deployment + template: templates/gitea/actions/rolebinding-job.yaml + set: + actions: + job: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: gitea-unittests-actions-token-job diff --git a/unittests/actions/secret-token.yaml b/unittests/actions/secret-token.yaml new file mode 100644 index 0000000..ed26899 --- /dev/null +++ b/unittests/actions/secret-token.yaml @@ -0,0 +1,20 @@ +suite: actions template | secret-token +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/secret-token.yaml +tests: + - it: renders a deployment + template: templates/gitea/actions/secret-token.yaml + set: + actions: + job: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-actions-token diff --git a/unittests/actions/serviceaccount-job.yaml b/unittests/actions/serviceaccount-job.yaml new file mode 100644 index 0000000..5933805 --- /dev/null +++ b/unittests/actions/serviceaccount-job.yaml @@ -0,0 +1,20 @@ +suite: actions template | serviceaccount-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/serviceaccount-job.yaml +tests: + - it: renders a deployment + template: templates/gitea/actions/serviceaccount-job.yaml + set: + actions: + job: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: gitea-unittests-actions-token-job diff --git a/unittests/actions/statefulset.yaml b/unittests/actions/statefulset.yaml new file mode 100644 index 0000000..89b4322 --- /dev/null +++ b/unittests/actions/statefulset.yaml 
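Review bot: The test title in rolebinding-job.yaml reads `it: renders a deployment`, but the assertion is for a `RoleBinding`. The same copied title appears in the secret-token and serviceaccount-job suites next to it and in the config-scripts, job and statefulset suites of this commit. Name each case after the object it checks, for example `it: renders a RoleBinding`, so a failing run points at the right resource.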
@@ -0,0 +1,20 @@ +suite: actions template | statefulset +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/actions/statefulset.yaml +tests: + - it: renders a deployment + template: templates/gitea/actions/statefulset.yaml + set: + actions: + statefulset: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner -- 2.40.1 From 07633d08bb9a7b7c3c67fdd7b1fe0178fe2a615c Mon Sep 17 00:00:00 2001 From: dementhorr Date: Fri, 12 Jan 2024 20:27:02 +0100 Subject: [PATCH 06/36] Fixed mistakes --- scripts/token.sh | 6 ++-- templates/_helpers.tpl | 14 +++++++++ .../config-act-runner.yaml | 9 +++++- .../config-scripts.yaml | 3 -- .../gitea/{actions => act_runner}/job.yaml | 25 ++++++++------- .../{actions => act_runner}/role-job.yaml | 3 -- .../rolebinding-job.yaml | 3 -- .../{actions => act_runner}/secret-token.yaml | 5 --- .../serviceaccount-job.yaml | 3 -- .../{actions => act_runner}/statefulset.yaml | 31 +++++++------------ unittests/actions/config-act-runner.yaml | 2 +- values.yaml | 13 +++++--- 12 files changed, 61 insertions(+), 56 deletions(-) rename templates/gitea/{actions => act_runner}/config-act-runner.yaml (62%) rename templates/gitea/{actions => act_runner}/config-scripts.yaml (77%) rename templates/gitea/{actions => act_runner}/job.yaml (83%) rename templates/gitea/{actions => act_runner}/role-job.yaml (86%) rename templates/gitea/{actions => act_runner}/rolebinding-job.yaml (87%) rename templates/gitea/{actions => act_runner}/secret-token.yaml (78%) rename templates/gitea/{actions => act_runner}/serviceaccount-job.yaml (79%) rename templates/gitea/{actions => act_runner}/statefulset.yaml (74%) diff --git a/scripts/token.sh b/scripts/token.sh index 8186ddd..cbb2ebd 100644 --- a/scripts/token.sh +++ b/scripts/token.sh @@ -2,6 +2,8 @@ set -eu +timeout_delay=15 + check_token() { set +e 
@@ -15,7 +17,7 @@ check_token() { create_token() { echo "Waiting for new token to be generated..." begin=$(date +%s) - end=$((begin + 300)) # 5 minutes + end=$((begin + timeout_delay)) while true; do [ -f /data/actions/token ] && return 0 [ "$(date +%s)" -gt $end ] && return 1 @@ -34,7 +36,7 @@ if check_token; then fi if ! create_token; then - echo "Timed out waiting for a token to appear." + echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay" exit 1 fi diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index f000723..392e306 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -100,6 +100,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} +{{- define "gitea.labels.actRunner" -}} +helm.sh/chart: {{ include "gitea.chart" . }} +app: {{ include "gitea.name" . }}-act-runner +{{ include "gitea.selectorLabels.actRunner" . }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + {{/* Selector labels */}} @@ -108,6 +117,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- define "gitea.selectorLabels.actRunner" -}} +app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + {{- define "postgresql-ha.dns" -}} {{- if (index .Values "postgresql-ha").enabled -}} {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}} 
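Review bot: The new message in the `create_token` failure branch describes the wrong check: `create_token` polls for the file `/data/actions/token` and never reads the Secret, so `Checking for an existing act runner token in secret $SECRET_NAME timed out` will mislead whoever debugs a failed job. Word it after what was waited for and include the unit, e.g. `echo "Timed out after ${timeout_delay}s waiting for /data/actions/token to appear."`. The wait also shrinks from 300 to 15 seconds while the loop sleeps 5 seconds per round, which leaves about three polls for the sibling container to produce the token. With `backoffLimit: 1` on the job that is probably too tight, so consider reading the delay from an environment variable with a larger default.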
diff --git a/templates/gitea/actions/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml similarity index 62% rename from templates/gitea/actions/config-act-runner.yaml rename to templates/gitea/act_runner/config-act-runner.yaml index 6f9423c..091f200 100644 --- a/templates/gitea/actions/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -7,9 +7,16 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} data: + {{- if .Values.actions.statefulset.config }} + config.yaml: | + {{- with .Values.actions.statefulset.config -}} + {{ . | nindent 4}} + {{- end -}} + {{- else }} config.yaml: | log: level: debug cache: - enabled: false + enabled: false + {{- end }} {{- end }} diff --git a/templates/gitea/actions/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml similarity index 77% rename from templates/gitea/actions/config-scripts.yaml rename to templates/gitea/act_runner/config-scripts.yaml index cbe5cdc..17d9bba 100644 --- a/templates/gitea/actions/config-scripts.yaml +++ b/templates/gitea/act_runner/config-scripts.yaml @@ -6,9 +6,6 @@ metadata: name: {{ include "gitea.fullname" . }}-scripts labels: {{- include "gitea.labels" . | nindent 4 }} - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded data: {{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} {{- end }} diff --git a/templates/gitea/actions/job.yaml b/templates/gitea/act_runner/job.yaml similarity index 83% rename from templates/gitea/actions/job.yaml rename to templates/gitea/act_runner/job.yaml index 4173f28..2814ffc 100644 --- a/templates/gitea/actions/job.yaml +++ b/templates/gitea/act_runner/job.yaml 
@@ -12,9 +12,6 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded {{- with .Values.actions.job.annotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -26,9 +23,19 @@ spec: {{- include "gitea.labels" . | nindent 8 }} app.kubernetes.io/component: token-job spec: + initContainers: + - name: init-gitea + image: busybox:1.36.1 + command: + - sh + - -c + - | + while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do + sleep 5 + done containers: - name: actions-token-create - image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default "latest-rootless" }}" + image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default (printf "%s-rootless" .Chart.AppVersion) }}" imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }} env: - name: GITEA_APP_INI @@ -37,11 +44,7 @@ spec: - sh - -c - | - while ! nc -z gitea-http 3000; do - sleep 5 - done - - echo "Generating token..." + echo "Generating act_runner token via 'gitea actions generate-runner-token'..." mkdir -p /data/actions/ gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token resources: @@ -53,7 +56,7 @@ spec: subPath: {{ .Values.persistence.subPath }} {{- end }} - name: actions-token-upload - image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag | default "latest" }}" + image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag }}" imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }} env: - name: SECRET_NAME 
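Review bot: The added `init-gitea` container hard-codes `image: busybox:1.36.1`, unlike the other images in this template, which come from `.Values.actions.job.tokenImage` and `.Values.actions.job.publishImage`. Clusters that only admit images from a private registry, or that require digest-pinned references, cannot override it; the same literal is added to act_runner/statefulset.yaml in this commit. Expose repository, tag and pullPolicy through values as is done for the two job images. The wait loop also has no upper bound, so a wrong service name or port would presumably leave the pod in its init phase until someone deletes it; a retry counter in the loop would bound that.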
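Review bot: The `actions-token-create` command writes the runner registration token to `/data/actions/token` on the Gitea data volume with the shell's default umask, and neither this template nor `scripts/token.sh` removes the file once it has been copied into the Secret. A credential that lets a runner register with the instance therefore stays readable on the shared volume after the job finishes. Put `umask 077` before the redirect and delete the file after `store_token` succeeds; whether the upload container mounts the volume writable is outside this hunk. If `grep -E '^.{40}$'` matches nothing, the pipeline still creates an empty file, which `create_token` accepts because it tests only `-f`; testing `-s` there would reject it.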
@@ -62,7 +65,7 @@ spec: - sh - -c - | - printf "Checking rights to update secret... " + printf "Checking rights to update kubernetes act_runner secret..." kubectl auth can-i update secret/${SECRET_NAME} /scripts/token.sh resources: diff --git a/templates/gitea/actions/role-job.yaml b/templates/gitea/act_runner/role-job.yaml similarity index 86% rename from templates/gitea/actions/role-job.yaml rename to templates/gitea/act_runner/role-job.yaml index 6f4ab74..9b838b5 100644 --- a/templates/gitea/actions/role-job.yaml +++ b/templates/gitea/act_runner/role-job.yaml @@ -9,9 +9,6 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded rules: - apiGroups: - "" diff --git a/templates/gitea/actions/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml similarity index 87% rename from templates/gitea/actions/rolebinding-job.yaml rename to templates/gitea/act_runner/rolebinding-job.yaml index be2d2de..8442c73 100644 --- a/templates/gitea/actions/rolebinding-job.yaml +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -9,9 +9,6 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/templates/gitea/actions/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml similarity index 78% rename from templates/gitea/actions/secret-token.yaml rename to templates/gitea/act_runner/secret-token.yaml index e2b1e12..5de4111 100644 --- a/templates/gitea/actions/secret-token.yaml +++ b/templates/gitea/act_runner/secret-token.yaml 
@@ -5,11 +5,6 @@ apiVersion: v1 kind: Secret metadata: - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: never - argocd.argoproj.io/hook: Skip - argocd.argoproj.io/hook-delete-policy: Never name: {{ $secretName }} labels: {{- include "gitea.labels" . | nindent 4 }} diff --git a/templates/gitea/actions/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml similarity index 79% rename from templates/gitea/actions/serviceaccount-job.yaml rename to templates/gitea/act_runner/serviceaccount-job.yaml index 5731c0c..5ef2101 100644 --- a/templates/gitea/actions/serviceaccount-job.yaml +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -8,7 +8,4 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job - annotations: - # helm.sh/hook: post-install - # helm.sh/hook-delete-policy: hook-succeeded {{- end }} diff --git a/templates/gitea/actions/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml similarity index 74% rename from templates/gitea/actions/statefulset.yaml rename to templates/gitea/act_runner/statefulset.yaml index 8fcb07d..9a778c1 100644 --- a/templates/gitea/actions/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml 
@@ -5,39 +5,30 @@ apiVersion: apps/v1 kind: StatefulSet metadata: labels: - {{- include "gitea.labels" . | nindent 4 }} - {{- if .Values.actions.statefulset.labels }} - {{- toYaml .Values.actions.statefulset.labels | nindent 4 }} - {{- end }} + {{- include "gitea.labels.actRunner" . | nindent 4 }} name: {{ include "gitea.fullname" . }}-act-runner spec: selector: matchLabels: - {{- include "gitea.selectorLabels" . | nindent 6 }} - {{- if .Values.actions.statefulset.labels }} - {{- toYaml .Values.actions.statefulset.labels | nindent 6 }} - {{- end }} + {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }} template: metadata: labels: - {{- include "gitea.labels" . | nindent 8 }} - {{- if .Values.actions.statefulset.labels }} - {{- toYaml .Values.actions.statefulset.labels | nindent 8 }} - {{- end }} + {{- include "gitea.labels.actRunner" . | nindent 8 }} spec: initContainers: - name: init-gitea - image: busybox:latest + image: busybox:1.36.1 command: - sh - -c - | - while ! nc -z gitea-http 3000; do + while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do sleep 5 done containers: - name: act-runner - image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag | default "latest" }}" + image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag }}" imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }} workingDir: /data env: 
@@ -50,12 +41,12 @@ spec: - name: GITEA_RUNNER_REGISTRATION_TOKEN valueFrom: secretKeyRef: - name: {{ $secretName }} - key: token + name: "{{ .Values.actions.existingSecret | default $secretName }}" + key: "{{ .Values.actions.existingSecret | default "token" }}" - name: GITEA_INSTANCE_URL - value: http://gitea-http:3000 + value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}" - name: GITEA_RUNNER_LABELS - value: ubuntu-latest + value: "{{ .Values.actions.statefulset.runnerLabels | default "ubuntu-latest" }}" - name: CONFIG_FILE value: /actrunner/config.yaml volumeMounts: @@ -67,7 +58,7 @@ spec: - mountPath: /data name: data-act-runner - name: dind - image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag | default "24.0.7-dind" }}" + image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag }}" imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }} env: - name: DOCKER_HOST diff --git a/unittests/actions/config-act-runner.yaml b/unittests/actions/config-act-runner.yaml index a4982e9..01af7b2 100644 --- a/unittests/actions/config-act-runner.yaml +++ b/unittests/actions/config-act-runner.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/actions/config-act-runner.yaml tests: - - it: renders a deployment + - it: renders a ConfigMap template: templates/gitea/actions/config-act-runner.yaml set: actions: diff --git a/values.yaml b/values.yaml index 6389fc6..7e3a580 100644 --- a/values.yaml +++ b/values.yaml 
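Review bot: The `secretKeyRef` key of `GITEA_RUNNER_REGISTRATION_TOKEN` is derived from the wrong value: `key: "{{ .Values.actions.existingSecret | default "token" }}"` uses the Secret's name as the key whenever `existingSecret` is set. The runner container would then fail to start because the key is missing, or read an unintended key if one happens to carry that name. Use the separate key setting, `key: "{{ .Values.actions.existingSecretKey | default "token" }}"`. At this point in the series `existingSecretKey` appears only as a commented-out entry in values.yaml, so it should be declared there in the same change.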
@@ -345,6 +345,8 @@ signing: ## @section GiteaActions # ## @param actions.statefulset.enabled Create an act-runner StatefulSet. +## @param actions.statefulset.config Act runner custom configuration. +## @param actions.statefulset.runnerLabels Act runner labels. ## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image ## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag ## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy @@ -368,14 +370,17 @@ actions: labels: {} resources: {} + config: "" + runnerLabels: "" + actRunnerImage: repository: gitea/act_runner - # tag: latest + tag: 0.2.6 pullPolicy: IfNotPresent dindImage: repository: docker - # tag: 24.0.7-dind + tag: 24.0.7-dind pullPolicy: IfNotPresent job: @@ -386,12 +391,12 @@ actions: tokenImage: repository: gitea/gitea - # tag: latest-rootless + tag: "" pullPolicy: IfNotPresent publishImage: repository: bitnami/kubectl - # tag: latest + tag: 1.29.0 pullPolicy: IfNotPresent ## Specify an existing token secret -- 2.40.1 From ed8534e08488e542aaab9c1f7e36c22a9c300606 Mon Sep 17 00:00:00 2001 
From: dementhorr Date: Sat, 13 Jan 2024 16:40:34 +0100 Subject: [PATCH 07/36] Fixed unittests --- unittests/{actions => act_runner}/config-act-runner.yaml | 4 ++-- unittests/{actions => act_runner}/config-scripts.yaml | 4 ++-- unittests/{actions => act_runner}/job.yaml | 4 ++-- unittests/{actions => act_runner}/role-job.yaml | 4 ++-- unittests/{actions => act_runner}/rolebinding-job.yaml | 4 ++-- unittests/{actions => act_runner}/secret-token.yaml | 4 ++-- unittests/{actions => act_runner}/serviceaccount-job.yaml | 4 ++-- unittests/{actions => act_runner}/statefulset.yaml | 4 ++-- 8 files changed, 16 insertions(+), 16 deletions(-) rename unittests/{actions => act_runner}/config-act-runner.yaml (76%) rename unittests/{actions => act_runner}/config-scripts.yaml (76%) rename unittests/{actions => act_runner}/job.yaml (80%) rename unittests/{actions => act_runner}/role-job.yaml (79%) rename unittests/{actions => act_runner}/rolebinding-job.yaml (78%) rename unittests/{actions => act_runner}/secret-token.yaml (77%) rename unittests/{actions => act_runner}/serviceaccount-job.yaml (76%) rename unittests/{actions => act_runner}/statefulset.yaml (78%) diff --git a/unittests/actions/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml similarity index 76% rename from unittests/actions/config-act-runner.yaml rename to unittests/act_runner/config-act-runner.yaml index 01af7b2..a9a1a85 100644 --- a/unittests/actions/config-act-runner.yaml +++ b/unittests/act_runner/config-act-runner.yaml @@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/config-act-runner.yaml + - templates/gitea/act_runner/config-act-runner.yaml tests: - it: renders a ConfigMap - template: templates/gitea/actions/config-act-runner.yaml + template: templates/gitea/act_runner/config-act-runner.yaml set: actions: statefulset: 
diff --git a/unittests/actions/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml similarity index 76% rename from unittests/actions/config-scripts.yaml rename to unittests/act_runner/config-scripts.yaml index 862c554..93314db 100644 --- a/unittests/actions/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/config-scripts.yaml + - templates/gitea/act_runner/config-scripts.yaml tests: - it: renders a deployment - template: templates/gitea/actions/config-scripts.yaml + template: templates/gitea/act_runner/config-scripts.yaml set: actions: job: diff --git a/unittests/actions/job.yaml b/unittests/act_runner/job.yaml similarity index 80% rename from unittests/actions/job.yaml rename to unittests/act_runner/job.yaml index 9702f4a..6ba7e7f 100644 --- a/unittests/actions/job.yaml +++ b/unittests/act_runner/job.yaml @@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/job.yaml + - templates/gitea/act_runner/job.yaml tests: - it: renders a deployment - template: templates/gitea/actions/job.yaml + template: templates/gitea/act_runner/job.yaml set: actions: job: diff --git a/unittests/actions/role-job.yaml b/unittests/act_runner/role-job.yaml similarity index 79% rename from unittests/actions/role-job.yaml rename to unittests/act_runner/role-job.yaml index 7aab92f..217f45a 100644 --- a/unittests/actions/role-job.yaml +++ b/unittests/act_runner/role-job.yaml @@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/role-job.yaml + - templates/gitea/act_runner/role-job.yaml tests: - it: renders a role - template: templates/gitea/actions/role-job.yaml + template: templates/gitea/act_runner/role-job.yaml set: actions: job: 
diff --git a/unittests/actions/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml similarity index 78% rename from unittests/actions/rolebinding-job.yaml rename to unittests/act_runner/rolebinding-job.yaml index ba1dc94..7c9d416 100644 --- a/unittests/actions/rolebinding-job.yaml +++ b/unittests/act_runner/rolebinding-job.yaml @@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/rolebinding-job.yaml + - templates/gitea/act_runner/rolebinding-job.yaml tests: - it: renders a deployment - template: templates/gitea/actions/rolebinding-job.yaml + template: templates/gitea/act_runner/rolebinding-job.yaml set: actions: job: diff --git a/unittests/actions/secret-token.yaml b/unittests/act_runner/secret-token.yaml similarity index 77% rename from unittests/actions/secret-token.yaml rename to unittests/act_runner/secret-token.yaml index ed26899..9cae9b6 100644 --- a/unittests/actions/secret-token.yaml +++ b/unittests/act_runner/secret-token.yaml @@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/secret-token.yaml + - templates/gitea/act_runner/secret-token.yaml tests: - it: renders a deployment - template: templates/gitea/actions/secret-token.yaml + template: templates/gitea/act_runner/secret-token.yaml set: actions: job: diff --git a/unittests/actions/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml similarity index 76% rename from unittests/actions/serviceaccount-job.yaml rename to unittests/act_runner/serviceaccount-job.yaml index 5933805..f0f82a9 100644 --- a/unittests/actions/serviceaccount-job.yaml +++ b/unittests/act_runner/serviceaccount-job.yaml 
@@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/serviceaccount-job.yaml + - templates/gitea/act_runner/serviceaccount-job.yaml tests: - it: renders a deployment - template: templates/gitea/actions/serviceaccount-job.yaml + template: templates/gitea/act_runner/serviceaccount-job.yaml set: actions: job: diff --git a/unittests/actions/statefulset.yaml b/unittests/act_runner/statefulset.yaml similarity index 78% rename from unittests/actions/statefulset.yaml rename to unittests/act_runner/statefulset.yaml index 89b4322..d94cb4a 100644 --- a/unittests/actions/statefulset.yaml +++ b/unittests/act_runner/statefulset.yaml @@ -3,10 +3,10 @@ release: name: gitea-unittests namespace: testing templates: - - templates/gitea/actions/statefulset.yaml + - templates/gitea/act_runner/statefulset.yaml tests: - it: renders a deployment - template: templates/gitea/actions/statefulset.yaml + template: templates/gitea/act_runner/statefulset.yaml set: actions: statefulset: -- 2.40.1 From 729ce0f0951519f59e540f5c20d48f9cf299dee8 Mon Sep 17 00:00:00 2001 From: dementhorr Date: Sun, 14 Jan 2024 14:22:56 +0100 Subject: [PATCH 08/36] Fixed readme --- templates/gitea/act_runner/job.yaml | 17 ++++++++++++----- templates/gitea/act_runner/statefulset.yaml | 14 ++++++++++++++ values.yaml | 13 ++++++++++--- 3 files changed, 36 insertions(+), 8 deletions(-) diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 2814ffc..d20f809 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml 
@@ -11,16 +11,23 @@ metadata: name: {{ $name }} labels: {{- include "gitea.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job - {{- with .Values.actions.job.annotations }} + {{- with .Values.actions.job.labels }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} + app.kubernetes.io/component: token-job + annotations: + {{- with .Values.actions.job.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: ttlSecondsAfterFinished: 0 template: metadata: labels: {{- include "gitea.labels" . | nindent 8 }} + {{- with .Values.actions.job.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} app.kubernetes.io/component: token-job spec: initContainers: @@ -48,7 +55,7 @@ spec: mkdir -p /data/actions/ gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token resources: - {{- toYaml .Values.actions.resources | nindent 12 }} + {{- toYaml .Values.actions.job.resources | nindent 12 }} volumeMounts: - name: data mountPath: /data @@ -69,7 +76,7 @@ spec: kubectl auth can-i update secret/${SECRET_NAME} /scripts/token.sh resources: - {{- toYaml .Values.actions.resources | nindent 12 }} + {{- toYaml .Values.actions.job.resources | nindent 12 }} volumeMounts: - mountPath: /scripts name: scripts diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 9a778c1..65a4ea0 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -6,6 +6,13 @@ kind: StatefulSet metadata: labels: {{- include "gitea.labels.actRunner" . | nindent 4 }} + {{- with .Values.actions.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.actions.statefulset.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} name: {{ include "gitea.fullname" . }}-act-runner spec: selector: 
@@ -15,6 +22,9 @@ spec: metadata: labels: {{- include "gitea.labels.actRunner" . | nindent 8 }} + {{- with .Values.actions.statefulset.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: initContainers: - name: init-gitea @@ -49,6 +59,8 @@ spec: value: "{{ .Values.actions.statefulset.runnerLabels | default "ubuntu-latest" }}" - name: CONFIG_FILE value: /actrunner/config.yaml + resources: + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} volumeMounts: - mountPath: /actrunner/config.yaml name: act-runner-config @@ -70,6 +82,8 @@ spec: securityContext: # allowPrivilegeEscalation: true privileged: true + resources: + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} volumeMounts: - mountPath: /certs/server name: docker-certs diff --git a/values.yaml b/values.yaml index 7e3a580..6d4a340 100644 --- a/values.yaml +++ b/values.yaml @@ -344,7 +344,10 @@ signing: # - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL ## @section GiteaActions # -## @param actions.statefulset.enabled Create an act-runner StatefulSet. +## @param actions.statefulset.enabled Create an act runner StatefulSet. +## @param actions.statefulset.annotations Act runner annotations +## @param actions.statefulset.labels Act runner labels +## @param actions.statefulset.resources Act runner resources ## @param actions.statefulset.config Act runner custom configuration. ## @param actions.statefulset.runnerLabels Act runner labels. ## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image 
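Review bot: Both new `resources:` blocks, on `act-runner` and on `dind`, read the same `.Values.actions.statefulset.resources`, so the two containers cannot be sized independently and any request or limit set there is counted twice per pod. The `dind` container runs with `privileged: true` and presumably hosts the workflow job containers, so its limits are the ones an operator will most want to tune on their own. Consider a dedicated value for it, read as `{{- toYaml .Values.actions.statefulset.dind.resources | nindent 12 }}` (a new key, name open). At the least, the `actions.statefulset.resources` description should say it applies to both containers.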
@@ -354,6 +357,9 @@ signing: ## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag ## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret +## @param actions.job.annotations Job's annotations +## @param actions.job.labels Job's labels +## @param actions.job.resources Job's resources ## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token` ## @param actions.job.tokenImage.tag The token image tag that can create a token ## @param actions.job.tokenImage.pullPolicy The token image pullPolicy that can create a token @@ -387,6 +393,7 @@ actions: enabled: false annotations: {} + labels: {} resources: {} tokenImage: @@ -401,8 +408,8 @@ actions: ## Specify an existing token secret ## - # existingSecret: secretName - # existingSecretKey: token + existingSecret: "" + existingSecretKey: "" ## @section Gitea # -- 2.40.1 From dbb603639d4b47a915ba3b84558890ba02cc9154 Mon Sep 17 00:00:00 2001 From: dementhorr Date: Wed, 7 Feb 2024 19:23:00 +0100 Subject: [PATCH 09/36] Added nodeSelector, tolerations and affinity for act runners --- README.md | 35 +++++++++++++++++++++ templates/gitea/act_runner/job.yaml | 12 +++++++ templates/gitea/act_runner/statefulset.yaml | 12 +++++++ values.yaml | 12 +++++++ 4 files changed, 71 insertions(+) diff --git a/README.md b/README.md index ec29243..3d90ae0 100644 --- a/README.md +++ b/README.md 
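Review bot: `existingSecret` and `existingSecretKey` become live keys with empty defaults in the last hunk, but the comment above them (`## Specify an existing token secret`) does not say which token is meant or what an empty key name resolves to. The templates that consume the two values are not part of this hunk, so the fallback behaviour cannot be checked here. A comment such as `## Name of a pre-created Secret holding the runner registration token, and the key inside it that stores the token` would make clear that the chart expects a reference and never the token value itself.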
@@ -999,6 +999,41 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | +### GiteaActions + +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | +| `actions.statefulset.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.config` | Act runner custom configuration. | `""` | +| `actions.statefulset.runnerLabels` | Act runner labels. 
| `""` | +| `actions.statefulset.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.statefulset.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.dindImage.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | +| `actions.statefulset.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.job.annotations` | Job's annotations | `{}` | +| `actions.job.labels` | Job's labels | `{}` | +| `actions.job.resources` | Job's resources | `{}` | +| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.job.tolerations` | Tolerations for the job | `[]` | +| `actions.job.affinity` | Affinity for the job | `{}` | +| `actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | +| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | +| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | +| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | + ### Gitea | Name | Description | Value | diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index d20f809..61b6a8a 100644 
--- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -87,6 +87,18 @@ spec: {{- if .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }} {{- end }} + {{- with .Values.actions.job.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.job.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.job.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} restartPolicy: Never serviceAccount: {{ $name }} volumes: diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 65a4ea0..b778820 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -87,6 +87,18 @@ spec: volumeMounts: - mountPath: /certs/server name: docker-certs + {{- with .Values.actions.statefulset.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.statefulset.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.statefulset.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: act-runner-config configMap: diff --git a/values.yaml b/values.yaml index 6d4a340..22fc864 100644 --- a/values.yaml +++ b/values.yaml 
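Review bot: In the job.yaml hunk, the pod spec that receives the new scheduling fields still selects its identity with `serviceAccount: {{ $name }}`, which is the deprecated alias of `serviceAccountName`. This is the pod that runs kubectl against the token Secret, so the field binding it to its Role should use the supported form: `serviceAccountName: {{ $name }}`. The line is context here, and the pod spec starts and ends outside the hunk.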
@@ -348,6 +348,9 @@ signing: ## @param actions.statefulset.annotations Act runner annotations ## @param actions.statefulset.labels Act runner labels ## @param actions.statefulset.resources Act runner resources +## @param actions.statefulset.nodeSelector NodeSelector for the statefulset +## @param actions.statefulset.tolerations Tolerations for the statefulset +## @param actions.statefulset.affinity Affinity for the statefulset ## @param actions.statefulset.config Act runner custom configuration. ## @param actions.statefulset.runnerLabels Act runner labels. ## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image @@ -360,6 +363,9 @@ signing: ## @param actions.job.annotations Job's annotations ## @param actions.job.labels Job's labels ## @param actions.job.resources Job's resources +## @param actions.job.nodeSelector NodeSelector for the job +## @param actions.job.tolerations Tolerations for the job +## @param actions.job.affinity Affinity for the job ## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token` ## @param actions.job.tokenImage.tag The token image tag that can create a token ## @param actions.job.tokenImage.pullPolicy The token image pullPolicy that can create a token @@ -375,6 +381,9 @@ actions: annotations: {} labels: {} resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} config: "" runnerLabels: "" @@ -395,6 +404,9 @@ actions: annotations: {} labels: {} resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} tokenImage: repository: gitea/gitea -- 2.40.1 From 4f00ac145625af04d4757a4fc59a0e8b0fc1cbc2 Mon Sep 17 00:00:00 2001 
From: dementhorr Date: Sun, 11 Feb 2024 16:29:14 +0100 Subject: [PATCH 10/36] Changed actions from StatefulSet to Deployment --- README.md | 64 +++++++++---------- .../gitea/act_runner/config-act-runner.yaml | 6 +- .../{statefulset.yaml => deployment.yaml} | 40 +++++------- unittests/act_runner/config-act-runner.yaml | 2 +- unittests/act_runner/config-scripts.yaml | 2 +- .../{statefulset.yaml => deployment.yaml} | 12 ++-- unittests/act_runner/job.yaml | 2 +- unittests/act_runner/role-job.yaml | 2 +- unittests/act_runner/rolebinding-job.yaml | 2 +- unittests/act_runner/secret-token.yaml | 2 +- unittests/act_runner/serviceaccount-job.yaml | 2 +- values.yaml | 32 +++++----- 12 files changed, 79 insertions(+), 89 deletions(-) rename templates/gitea/act_runner/{statefulset.yaml => deployment.yaml} (67%) rename unittests/act_runner/{statefulset.yaml => deployment.yaml} (55%) diff --git a/README.md b/README.md index 3d90ae0..6045880 100644 --- a/README.md +++ b/README.md 
@@ -1001,38 +1001,38 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo ### GiteaActions -| Name | Description | Value | -| ----------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | -| `actions.statefulset.enabled` | Create an act runner StatefulSet. | `false` | -| `actions.statefulset.annotations` | Act runner annotations | `{}` | -| `actions.statefulset.labels` | Act runner labels | `{}` | -| `actions.statefulset.resources` | Act runner resources | `{}` | -| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | -| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | -| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | -| `actions.statefulset.config` | Act runner custom configuration. | `""` | -| `actions.statefulset.runnerLabels` | Act runner labels. | `""` | -| `actions.statefulset.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | -| `actions.statefulset.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | -| `actions.statefulset.dindImage.repository` | The Docker-in-Docker image | `docker` | -| `actions.statefulset.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | -| `actions.statefulset.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | -| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `actions.job.annotations` | Job's annotations | `{}` | -| `actions.job.labels` | Job's labels | `{}` | -| `actions.job.resources` | Job's resources | `{}` | -| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | -| `actions.job.tolerations` | Tolerations for the job | `[]` | -| `actions.job.affinity` | Affinity for the job | `{}` | -| 
`actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | -| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | -| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | -| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | -| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | -| `actions.existingSecret` | Secret that contains the token | `""` | -| `actions.existingSecretKey` | Secret key | `""` | +| Name | Description | Value | +| ---------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | +| `actions.deployment.enabled` | Create an act runner Deployment | `false` | +| `actions.deployment.annotations` | Act runner annotations | `{}` | +| `actions.deployment.labels` | Act runner labels | `{}` | +| `actions.deployment.resources` | Act runner resources | `{}` | +| `actions.deployment.nodeSelector` | NodeSelector for the deployment | `{}` | +| `actions.deployment.tolerations` | Tolerations for the deployment | `[]` | +| `actions.deployment.affinity` | Affinity for the deployment | `{}` | +| `actions.deployment.config` | Act runner custom configuration | `""` | +| `actions.deployment.runnerLabels` | Act runner labels. 
| `""` | +| `actions.deployment.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.deployment.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.deployment.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.deployment.dindImage.repository` | The Docker-in-Docker image | `docker` | +| `actions.deployment.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | +| `actions.deployment.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.job.annotations` | Job's annotations | `{}` | +| `actions.job.labels` | Job's labels | `{}` | +| `actions.job.resources` | Job's resources | `{}` | +| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.job.tolerations` | Tolerations for the job | `[]` | +| `actions.job.affinity` | Affinity for the job | `{}` | +| `actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | +| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | +| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | +| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | ### Gitea diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml index 091f200..07647a7 100644 
--- a/templates/gitea/act_runner/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if .Values.actions.deployment.enabled }} --- apiVersion: v1 kind: ConfigMap @@ -7,9 +7,9 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} data: - {{- if .Values.actions.statefulset.config }} + {{- if .Values.actions.deployment.config }} config.yaml: | - {{- with .Values.actions.statefulset.config -}} + {{- with .Values.actions.deployment.config -}} {{ . | nindent 4}} {{- end -}} {{- else }} diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/deployment.yaml similarity index 67% rename from templates/gitea/act_runner/statefulset.yaml rename to templates/gitea/act_runner/deployment.yaml index b778820..47886d0 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/deployment.yaml @@ -1,16 +1,16 @@ -{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if .Values.actions.deployment.enabled }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: labels: {{- include "gitea.labels.actRunner" . | nindent 4 }} - {{- with .Values.actions.statefulset.labels }} + {{- with .Values.actions.deployment.labels }} {{- toYaml . | nindent 4 }} {{- end }} annotations: - {{- with .Values.actions.statefulset.annotations }} + {{- with .Values.actions.deployment.annotations }} {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "gitea.fullname" . }}-act-runner @@ -22,7 +22,7 @@ spec: metadata: labels: {{- include "gitea.labels.actRunner" . | nindent 8 }} - {{- with .Values.actions.statefulset.labels }} + {{- with .Values.actions.deployment.labels }} {{- toYaml . | nindent 8 }} {{- end }} spec: 
@@ -38,8 +38,8 @@ spec: done containers: - name: act-runner - image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag }}" - imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }} + image: "{{ .Values.actions.deployment.actRunnerImage.repository }}:{{ .Values.actions.deployment.actRunnerImage.tag }}" + imagePullPolicy: {{ .Values.actions.deployment.actRunnerImage.pullPolicy }} workingDir: /data env: - name: DOCKER_HOST @@ -56,22 +56,20 @@ spec: - name: GITEA_INSTANCE_URL value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}" - name: GITEA_RUNNER_LABELS - value: "{{ .Values.actions.statefulset.runnerLabels | default "ubuntu-latest" }}" + value: "{{ .Values.actions.deployment.runnerLabels | default "ubuntu-latest" }}" - name: CONFIG_FILE value: /actrunner/config.yaml resources: - {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} + {{- toYaml .Values.actions.deployment.resources | nindent 12 }} volumeMounts: - mountPath: /actrunner/config.yaml name: act-runner-config subPath: config.yaml - mountPath: /certs/server name: docker-certs - - mountPath: /data - name: data-act-runner - name: dind - image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag }}" - imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }} + image: "{{ .Values.actions.deployment.dindImage.repository }}:{{ .Values.actions.deployment.dindImage.tag }}" + imagePullPolicy: {{ .Values.actions.deployment.dindImage.pullPolicy }} env: - name: DOCKER_HOST value: tcp://127.0.0.1:2376 
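Review bot: The second hunk removes the `/data` mount from `act-runner` while the first hunk keeps `workingDir: /data`, so whatever the runner writes to its working directory now lives in the container filesystem and is lost on every restart. If act_runner keeps its registration state there, as the working directory suggests, each new pod would register again with the shared registration token and leave stale runner entries on the Gitea side. If dropping persistence is intentional, an explicit `emptyDir` volume mounted at `/data`, plus a comment that runners are ephemeral, would make that visible. The container spec continues outside both hunks.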
@@ -83,19 +81,19 @@ spec: # allowPrivilegeEscalation: true privileged: true resources: - {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} + {{- toYaml .Values.actions.deployment.resources | nindent 12 }} volumeMounts: - mountPath: /certs/server name: docker-certs - {{- with .Values.actions.statefulset.nodeSelector }} + {{- with .Values.actions.deployment.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.actions.statefulset.affinity }} + {{- with .Values.actions.deployment.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.actions.statefulset.tolerations }} + {{- with .Values.actions.deployment.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} @@ -105,12 +103,4 @@ spec: name: {{ include "gitea.fullname" . }}-act-runner-config - name: docker-certs emptyDir: {} - volumeClaimTemplates: - - metadata: - name: data-act-runner - spec: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: 1Mi {{- end }} diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml index a9a1a85..34c4e47 100644 --- a/unittests/act_runner/config-act-runner.yaml +++ b/unittests/act_runner/config-act-runner.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/config-act-runner.yaml set: actions: - statefulset: + deployment: enabled: true asserts: - hasDocuments: diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index 93314db..6605c39 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/config-scripts.yaml tests: - - it: renders a deployment + - it: renders a ConfigMap template: templates/gitea/act_runner/config-scripts.yaml set: actions: 
diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/deployment.yaml similarity index 55% rename from unittests/act_runner/statefulset.yaml rename to unittests/act_runner/deployment.yaml index d94cb4a..cece4d5 100644 --- a/unittests/act_runner/statefulset.yaml +++ b/unittests/act_runner/deployment.yaml @@ -1,20 +1,20 @@ -suite: actions template | statefulset +suite: actions template | deployment release: name: gitea-unittests namespace: testing templates: - - templates/gitea/act_runner/statefulset.yaml + - templates/gitea/act_runner/deployment.yaml tests: - - it: renders a deployment - template: templates/gitea/act_runner/statefulset.yaml + - it: renders a Deployment + template: templates/gitea/act_runner/deployment.yaml set: actions: - statefulset: + deployment: enabled: true asserts: - hasDocuments: count: 1 - containsDocument: - kind: StatefulSet + kind: Deployment apiVersion: apps/v1 name: gitea-unittests-act-runner diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index 6ba7e7f..55f195c 100644 --- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/job.yaml tests: - - it: renders a deployment + - it: renders a Job template: templates/gitea/act_runner/job.yaml set: actions: diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml index 217f45a..9c04ba4 100644 --- a/unittests/act_runner/role-job.yaml +++ b/unittests/act_runner/role-job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/role-job.yaml tests: - - it: renders a role + - it: renders a Role template: templates/gitea/act_runner/role-job.yaml set: actions: diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml index 7c9d416..871364c 100644 --- a/unittests/act_runner/rolebinding-job.yaml +++ b/unittests/act_runner/rolebinding-job.yaml 
@@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/rolebinding-job.yaml tests: - - it: renders a deployment + - it: renders a RoleBinding template: templates/gitea/act_runner/rolebinding-job.yaml set: actions: diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml index 9cae9b6..41458d9 100644 --- a/unittests/act_runner/secret-token.yaml +++ b/unittests/act_runner/secret-token.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/secret-token.yaml tests: - - it: renders a deployment + - it: renders a Secret template: templates/gitea/act_runner/secret-token.yaml set: actions: diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml index f0f82a9..753a421 100644 --- a/unittests/act_runner/serviceaccount-job.yaml +++ b/unittests/act_runner/serviceaccount-job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/serviceaccount-job.yaml tests: - - it: renders a deployment + - it: renders a ServiceAccount template: templates/gitea/act_runner/serviceaccount-job.yaml set: actions: diff --git a/values.yaml b/values.yaml index 22fc864..910d24a 100644 --- a/values.yaml +++ b/values.yaml 
@@ -344,21 +344,21 @@ signing: # - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL ## @section GiteaActions # -## @param actions.statefulset.enabled Create an act runner StatefulSet. -## @param actions.statefulset.annotations Act runner annotations -## @param actions.statefulset.labels Act runner labels -## @param actions.statefulset.resources Act runner resources -## @param actions.statefulset.nodeSelector NodeSelector for the statefulset -## @param actions.statefulset.tolerations Tolerations for the statefulset -## @param actions.statefulset.affinity Affinity for the statefulset -## @param actions.statefulset.config Act runner custom configuration. -## @param actions.statefulset.runnerLabels Act runner labels. -## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image -## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag -## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy -## @param actions.statefulset.dindImage.repository The Docker-in-Docker image -## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag -## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.deployment.enabled Create an act runner Deployment +## @param actions.deployment.annotations Act runner annotations +## @param actions.deployment.labels Act runner labels +## @param actions.deployment.resources Act runner resources +## @param actions.deployment.nodeSelector NodeSelector for the deployment +## @param actions.deployment.tolerations Tolerations for the deployment +## @param actions.deployment.affinity Affinity for the deployment +## @param actions.deployment.config Act runner custom configuration +## @param actions.deployment.runnerLabels Act runner labels. 
+## @param actions.deployment.actRunnerImage.repository The Gitea act runner image +## @param actions.deployment.actRunnerImage.tag The Gitea act runner tag +## @param actions.deployment.actRunnerImage.pullPolicy The Gitea act runner pullPolicy +## @param actions.deployment.dindImage.repository The Docker-in-Docker image +## @param actions.deployment.dindImage.tag The Docker-in-Docker image tag +## @param actions.deployment.dindImage.pullPolicy The Docker-in-Docker pullPolicy ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.job.annotations Job's annotations ## @param actions.job.labels Job's labels @@ -375,7 +375,7 @@ signing: ## @param actions.existingSecret Secret that contains the token ## @param actions.existingSecretKey Secret key actions: - statefulset: + deployment: enabled: false annotations: {} -- 2.40.1 From 5456b1b76e12474fd1fe302e8eade81848038979 Mon Sep 17 00:00:00 2001 From: dementhorr Date: Wed, 14 Feb 2024 19:14:28 +0100 Subject: [PATCH 11/36] Revert "Changed actions from StatefulSet to Deployment" This reverts commit e8aedb258cfa840107b2390a729c330bd1ead6e6. --- README.md | 64 +++++++++---------- .../gitea/act_runner/config-act-runner.yaml | 6 +- .../{deployment.yaml => statefulset.yaml} | 40 +++++++----- unittests/act_runner/config-act-runner.yaml | 2 +- unittests/act_runner/config-scripts.yaml | 2 +- unittests/act_runner/job.yaml | 2 +- unittests/act_runner/role-job.yaml | 2 +- unittests/act_runner/rolebinding-job.yaml | 2 +- unittests/act_runner/secret-token.yaml | 2 +- unittests/act_runner/serviceaccount-job.yaml | 2 +- .../{deployment.yaml => statefulset.yaml} | 12 ++-- values.yaml | 32 +++++----- 12 files changed, 89 insertions(+), 79 deletions(-) rename templates/gitea/act_runner/{deployment.yaml => statefulset.yaml} (67%) rename unittests/act_runner/{deployment.yaml => statefulset.yaml} (55%) diff --git a/README.md b/README.md index 6045880..3d90ae0 100644 
--- a/README.md +++ b/README.md 
@@ -1001,38 +1001,38 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo ### GiteaActions -| Name | Description | Value | -| ---------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | -| `actions.deployment.enabled` | Create an act runner Deployment | `false` | -| `actions.deployment.annotations` | Act runner annotations | `{}` | -| `actions.deployment.labels` | Act runner labels | `{}` | -| `actions.deployment.resources` | Act runner resources | `{}` | -| `actions.deployment.nodeSelector` | NodeSelector for the deployment | `{}` | -| `actions.deployment.tolerations` | Tolerations for the deployment | `[]` | -| `actions.deployment.affinity` | Affinity for the deployment | `{}` | -| `actions.deployment.config` | Act runner custom configuration | `""` | -| `actions.deployment.runnerLabels` | Act runner labels. | `""` | -| `actions.deployment.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.deployment.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | -| `actions.deployment.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | -| `actions.deployment.dindImage.repository` | The Docker-in-Docker image | `docker` | -| `actions.deployment.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | -| `actions.deployment.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | -| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `actions.job.annotations` | Job's annotations | `{}` | -| `actions.job.labels` | Job's labels | `{}` | -| `actions.job.resources` | Job's resources | `{}` | -| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | -| `actions.job.tolerations` | Tolerations for the job | `[]` | -| `actions.job.affinity` | Affinity for the job | `{}` | -| 
`actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | -| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | -| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | -| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | -| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | -| `actions.existingSecret` | Secret that contains the token | `""` | -| `actions.existingSecretKey` | Secret key | `""` | +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | +| `actions.statefulset.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.config` | Act runner custom configuration. | `""` | +| `actions.statefulset.runnerLabels` | Act runner labels. 
| `""` | +| `actions.statefulset.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.statefulset.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.dindImage.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | +| `actions.statefulset.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.job.annotations` | Job's annotations | `{}` | +| `actions.job.labels` | Job's labels | `{}` | +| `actions.job.resources` | Job's resources | `{}` | +| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.job.tolerations` | Tolerations for the job | `[]` | +| `actions.job.affinity` | Affinity for the job | `{}` | +| `actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | +| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | +| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | +| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | ### Gitea diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml index 07647a7..091f200 100644 
--- a/templates/gitea/act_runner/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -1,4 +1,4 @@ -{{- if .Values.actions.deployment.enabled }} +{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} --- apiVersion: v1 kind: ConfigMap @@ -7,9 +7,9 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} data: - {{- if .Values.actions.deployment.config }} + {{- if .Values.actions.statefulset.config }} config.yaml: | - {{- with .Values.actions.deployment.config -}} + {{- with .Values.actions.statefulset.config -}} {{ . | nindent 4}} {{- end -}} {{- else }} diff --git a/templates/gitea/act_runner/deployment.yaml b/templates/gitea/act_runner/statefulset.yaml similarity index 67% rename from templates/gitea/act_runner/deployment.yaml rename to templates/gitea/act_runner/statefulset.yaml index 47886d0..b778820 100644 --- a/templates/gitea/act_runner/deployment.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -1,16 +1,16 @@ -{{- if .Values.actions.deployment.enabled }} +{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: labels: {{- include "gitea.labels.actRunner" . | nindent 4 }} - {{- with .Values.actions.deployment.labels }} + {{- with .Values.actions.statefulset.labels }} {{- toYaml . | nindent 4 }} {{- end }} annotations: - {{- with .Values.actions.deployment.annotations }} + {{- with .Values.actions.statefulset.annotations }} {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "gitea.fullname" . }}-act-runner @@ -22,7 +22,7 @@ spec: metadata: labels: {{- include "gitea.labels.actRunner" . | nindent 8 }} - {{- with .Values.actions.deployment.labels }} + {{- with .Values.actions.statefulset.labels }} {{- toYaml . | nindent 8 }} {{- end }} spec: 
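Review bot: The restored guard `and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount` makes both the ConfigMap and the StatefulSet disappear silently when persistence is off, even with `actions.statefulset.enabled: true`. The parameter description visible in this patch (`Create an act runner StatefulSet.`) does not mention that dependency. Either extend the description, for example `Create an act runner StatefulSet (requires persistence.enabled and persistence.mount)`, or fail rendering with a clear message when the values are inconsistent.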
@@ -38,8 +38,8 @@ spec: done containers: - name: act-runner - image: "{{ .Values.actions.deployment.actRunnerImage.repository }}:{{ .Values.actions.deployment.actRunnerImage.tag }}" - imagePullPolicy: {{ .Values.actions.deployment.actRunnerImage.pullPolicy }} + image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }} workingDir: /data env: - name: DOCKER_HOST @@ -56,20 +56,22 @@ spec: - name: GITEA_INSTANCE_URL value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}" - name: GITEA_RUNNER_LABELS - value: "{{ .Values.actions.deployment.runnerLabels | default "ubuntu-latest" }}" + value: "{{ .Values.actions.statefulset.runnerLabels | default "ubuntu-latest" }}" - name: CONFIG_FILE value: /actrunner/config.yaml resources: - {{- toYaml .Values.actions.deployment.resources | nindent 12 }} + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} volumeMounts: - mountPath: /actrunner/config.yaml name: act-runner-config subPath: config.yaml - mountPath: /certs/server name: docker-certs + - mountPath: /data + name: data-act-runner - name: dind - image: "{{ .Values.actions.deployment.dindImage.repository }}:{{ .Values.actions.deployment.dindImage.tag }}" - imagePullPolicy: {{ .Values.actions.deployment.dindImage.pullPolicy }} + image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }} env: - name: DOCKER_HOST value: tcp://127.0.0.1:2376 
@@ -81,19 +83,19 @@ spec: # allowPrivilegeEscalation: true privileged: true resources: - {{- toYaml .Values.actions.deployment.resources | nindent 12 }} + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} volumeMounts: - mountPath: /certs/server name: docker-certs - {{- with .Values.actions.deployment.nodeSelector }} + {{- with .Values.actions.statefulset.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.actions.deployment.affinity }} + {{- with .Values.actions.statefulset.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.actions.deployment.tolerations }} + {{- with .Values.actions.statefulset.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} @@ -103,4 +105,12 @@ spec: name: {{ include "gitea.fullname" . }}-act-runner-config - name: docker-certs emptyDir: {} + volumeClaimTemplates: + - metadata: + name: data-act-runner + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 1Mi {{- end }} diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml index 34c4e47..a9a1a85 100644 --- a/unittests/act_runner/config-act-runner.yaml +++ b/unittests/act_runner/config-act-runner.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/config-act-runner.yaml set: actions: - deployment: + statefulset: enabled: true asserts: - hasDocuments: diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index 6605c39..93314db 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/config-scripts.yaml tests: - - it: renders a ConfigMap + - it: renders a deployment template: templates/gitea/act_runner/config-scripts.yaml set: actions: diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index 55f195c..6ba7e7f 100644 
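Review bot: The `dind` container in this hunk keeps `privileged: true`, while the parameter docs touched by the same commit describe it only as "The Docker-in-Docker image", so an operator who enables the StatefulSet is never told that it schedules a privileged pod. I would say so on the enabling parameter, e.g. `## @param actions.statefulset.enabled Create an act runner StatefulSet (includes a privileged Docker-in-Docker sidecar)`, and mention `nodeSelector`/`tolerations`/`affinity` as the way to keep it on dedicated nodes. Separately, `.Values.actions.statefulset.resources` is rendered for both `act-runner` (previous hunk) and `dind` here, so the two containers cannot be sized independently. The container spec starts outside this hunk.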
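Review bot: The new `volumeClaimTemplates` entry hard-codes `storage: 1Mi` and sets no `storageClassName`, so the claim always lands on the cluster's default class and the size cannot be changed from values. Many block-storage provisioners enforce a larger minimum size, and `/data` is also the runner's `workingDir`, so whatever the runner writes there has to fit. I would read both from values, e.g. `storage: {{ .Values.actions.statefulset.persistence.size | default "1Mi" }}` (the key name is only a proposal), with an optional `storageClassName` beside it. `spec.serviceName` is not visible in these hunks; it is worth confirming it was added with the switch to `kind: StatefulSet`.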
--- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/job.yaml tests: - - it: renders a Job + - it: renders a deployment template: templates/gitea/act_runner/job.yaml set: actions: diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml index 9c04ba4..217f45a 100644 --- a/unittests/act_runner/role-job.yaml +++ b/unittests/act_runner/role-job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/role-job.yaml tests: - - it: renders a Role + - it: renders a role template: templates/gitea/act_runner/role-job.yaml set: actions: diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml index 871364c..7c9d416 100644 --- a/unittests/act_runner/rolebinding-job.yaml +++ b/unittests/act_runner/rolebinding-job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/rolebinding-job.yaml tests: - - it: renders a RoleBinding + - it: renders a deployment template: templates/gitea/act_runner/rolebinding-job.yaml set: actions: diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml index 41458d9..9cae9b6 100644 --- a/unittests/act_runner/secret-token.yaml +++ b/unittests/act_runner/secret-token.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/secret-token.yaml tests: - - it: renders a Secret + - it: renders a deployment template: templates/gitea/act_runner/secret-token.yaml set: actions: diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml index 753a421..f0f82a9 100644 --- a/unittests/act_runner/serviceaccount-job.yaml +++ b/unittests/act_runner/serviceaccount-job.yaml 
@@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/serviceaccount-job.yaml tests: - - it: renders a ServiceAccount + - it: renders a deployment template: templates/gitea/act_runner/serviceaccount-job.yaml set: actions: diff --git a/unittests/act_runner/deployment.yaml b/unittests/act_runner/statefulset.yaml similarity index 55% rename from unittests/act_runner/deployment.yaml rename to unittests/act_runner/statefulset.yaml index cece4d5..d94cb4a 100644 --- a/unittests/act_runner/deployment.yaml +++ b/unittests/act_runner/statefulset.yaml @@ -1,20 +1,20 @@ -suite: actions template | deployment +suite: actions template | statefulset release: name: gitea-unittests namespace: testing templates: - - templates/gitea/act_runner/deployment.yaml + - templates/gitea/act_runner/statefulset.yaml tests: - - it: renders a Deployment - template: templates/gitea/act_runner/deployment.yaml + - it: renders a deployment + template: templates/gitea/act_runner/statefulset.yaml set: actions: - deployment: + statefulset: enabled: true asserts: - hasDocuments: count: 1 - containsDocument: - kind: Deployment + kind: StatefulSet apiVersion: apps/v1 name: gitea-unittests-act-runner diff --git a/values.yaml b/values.yaml index 910d24a..22fc864 100644 --- a/values.yaml +++ b/values.yaml 
@@ -344,21 +344,21 @@ signing: # - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL ## @section GiteaActions # -## @param actions.deployment.enabled Create an act runner Deployment -## @param actions.deployment.annotations Act runner annotations -## @param actions.deployment.labels Act runner labels -## @param actions.deployment.resources Act runner resources -## @param actions.deployment.nodeSelector NodeSelector for the deployment -## @param actions.deployment.tolerations Tolerations for the deployment -## @param actions.deployment.affinity Affinity for the deployment -## @param actions.deployment.config Act runner custom configuration -## @param actions.deployment.runnerLabels Act runner labels. -## @param actions.deployment.actRunnerImage.repository The Gitea act runner image -## @param actions.deployment.actRunnerImage.tag The Gitea act runner tag -## @param actions.deployment.actRunnerImage.pullPolicy The Gitea act runner pullPolicy -## @param actions.deployment.dindImage.repository The Docker-in-Docker image -## @param actions.deployment.dindImage.tag The Docker-in-Docker image tag -## @param actions.deployment.dindImage.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.statefulset.enabled Create an act runner StatefulSet. +## @param actions.statefulset.annotations Act runner annotations +## @param actions.statefulset.labels Act runner labels +## @param actions.statefulset.resources Act runner resources +## @param actions.statefulset.nodeSelector NodeSelector for the statefulset +## @param actions.statefulset.tolerations Tolerations for the statefulset +## @param actions.statefulset.affinity Affinity for the statefulset +## @param actions.statefulset.config Act runner custom configuration. +## @param actions.statefulset.runnerLabels Act runner labels. 
+## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image +## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag +## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy +## @param actions.statefulset.dindImage.repository The Docker-in-Docker image +## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag +## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.job.annotations Job's annotations ## @param actions.job.labels Job's labels @@ -375,7 +375,7 @@ signing: ## @param actions.existingSecret Secret that contains the token ## @param actions.existingSecretKey Secret key actions: - deployment: + statefulset: enabled: false annotations: {} -- 2.40.1 From 938e0b09af2e950a9294d344f095dc588259fe29 Mon Sep 17 00:00:00 2001 From: dementhorr Date: Fri, 23 Feb 2024 19:30:05 +0100 Subject: [PATCH 12/36] Added tech-documentation for the Job --- README.md | 66 +++++++++---------- readme-actions-dev.md | 44 +++++++++++++ templates/_helpers.tpl | 1 - .../gitea/act_runner/config-act-runner.yaml | 2 +- templates/gitea/act_runner/job.yaml | 8 +-- templates/gitea/act_runner/statefulset.yaml | 12 ++-- unittests/act_runner/config-act-runner.yaml | 3 +- unittests/act_runner/config-scripts.yaml | 2 +- unittests/act_runner/job.yaml | 2 +- unittests/act_runner/role-job.yaml | 2 +- unittests/act_runner/rolebinding-job.yaml | 2 +- unittests/act_runner/secret-token.yaml | 2 +- unittests/act_runner/serviceaccount-job.yaml | 2 +- unittests/act_runner/statefulset.yaml | 5 +- values.yaml | 43 ++++++------ 15 files changed, 118 insertions(+), 78 deletions(-) create mode 100644 readme-actions-dev.md diff --git a/README.md b/README.md index 3d90ae0..028f4ff 100644 --- a/README.md +++ b/README.md 
@@ -999,40 +999,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | -### GiteaActions +### Gitea Actions -| Name | Description | Value | -| ----------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | -| `actions.statefulset.enabled` | Create an act runner StatefulSet. | `false` | -| `actions.statefulset.annotations` | Act runner annotations | `{}` | -| `actions.statefulset.labels` | Act runner labels | `{}` | -| `actions.statefulset.resources` | Act runner resources | `{}` | -| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | -| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | -| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | -| `actions.statefulset.config` | Act runner custom configuration. | `""` | -| `actions.statefulset.runnerLabels` | Act runner labels. 
| `""` | -| `actions.statefulset.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | -| `actions.statefulset.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | -| `actions.statefulset.dindImage.repository` | The Docker-in-Docker image | `docker` | -| `actions.statefulset.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | -| `actions.statefulset.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | -| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `actions.job.annotations` | Job's annotations | `{}` | -| `actions.job.labels` | Job's labels | `{}` | -| `actions.job.resources` | Job's resources | `{}` | -| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | -| `actions.job.tolerations` | Tolerations for the job | `[]` | -| `actions.job.affinity` | Affinity for the job | `{}` | -| `actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | -| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | -| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | -| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | -| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | -| `actions.existingSecret` | Secret that contains the token | `""` | -| `actions.existingSecretKey` | Secret key | `""` | +| Name | Description | Value | +| ------------------------------------------ | --------------------------------------------------------------------------- | ------------------ | 
+| `actions.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.config` | Act runner custom configuration. | `""` | +| `actions.statefulset.runnerLabels` | Act runner labels. | `""` | +| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | +| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.job.annotations` | Job's annotations | `{}` | +| `actions.job.labels` | Job's labels | `{}` | +| `actions.job.resources` | Job's resources | `{}` | +| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.job.tolerations` | Tolerations for the job | `[]` | +| `actions.job.affinity` | Affinity for the job | `{}` | +| `actions.job.token.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | +| `actions.job.token.tag` | The token image tag that can create a token | `""` | +| `actions.job.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | +| `actions.job.publish.repository` | 
The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.job.publish.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.job.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | ### Gitea diff --git a/readme-actions-dev.md b/readme-actions-dev.md new file mode 100644 index 0000000..65a2719 --- /dev/null +++ b/readme-actions-dev.md 
@@ -0,0 +1,44 @@ +# Gitea Actions + +In order to use the Gitea Actions act-runner you must: + +- set the following environment variables to `deployment.env` (modify LOCAL_ROOT_URL if you used a different service name): + +```yaml +deployment: + env: + - name: GITEA__ACTIONS__ENABLED + value: 'true' + - name: GITEA__SERVER__LOCAL_ROOT_URL + value: http://gitea-http:3000 +``` + +- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job) + +In order to use Gitea Actions, you must log on the server that's running Gitea and run the command: + `gitea actions generate-runner-token` + +This command will out a token that is needed by the act-runner to register with the Gitea backend. + +Because this is a manual operation, we automated this using a Kubernetes Job using the following containers: + +1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token` +2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and +the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret + +After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers: + +1) `act-runner`: authenticates with Gitea using the token that was stored in the secret +2) `dind`: DockerInDocker image that is used to run the actions + +If you are not using persistent volumes, you cannot use the Job to automatically generate the token. +In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke +the command `gitea actions generate-runner-token`. 
After generating the token, you must create a secret and use it via: + +```yaml +actions: + job: + enabled: false + existingSecret: "secret-name" + existingSecretKey: "secret-key" +``` diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 392e306..ee485ce 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -27,7 +27,6 @@ If release name contains chart name it will be used as a full name. {{/* Create a default worker name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} {{- define "gitea.workername" -}} {{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}} diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml index 091f200..42bd59b 100644 --- a/templates/gitea/act_runner/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if .Values.actions.enabled }} --- apiVersion: v1 kind: ConfigMap diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 61b6a8a..90aedae 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -42,8 +42,8 @@ spec: done containers: - name: actions-token-create - image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default (printf "%s-rootless" .Chart.AppVersion) }}" - imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }} + image: "{{ .Values.actions.job.token.repository }}:{{ .Values.actions.job.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}" + imagePullPolicy: {{ .Values.actions.job.token.pullPolicy }} env: - name: GITEA_APP_INI value: /data/gitea/conf/app.ini 
@@ -63,8 +63,8 @@ spec: subPath: {{ .Values.persistence.subPath }} {{- end }} - name: actions-token-upload - image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag }}" - imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }} + image: "{{ .Values.actions.job.publish.repository }}:{{ .Values.actions.job.publish.tag }}" + imagePullPolicy: {{ .Values.actions.job.publish.pullPolicy }} env: - name: SECRET_NAME value: {{ $secretName }} diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index b778820..43d3e66 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if .Values.actions.enabled }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- apiVersion: apps/v1 @@ -38,8 +38,8 @@ spec: done containers: - name: act-runner - image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag }}" - imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }} + image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }} workingDir: /data env: - name: DOCKER_HOST @@ -52,7 +52,7 @@ spec: valueFrom: secretKeyRef: name: "{{ .Values.actions.existingSecret | default $secretName }}" - key: "{{ .Values.actions.existingSecret | default "token" }}" + key: "{{ .Values.actions.existingSecretKey | default "token" }}" - name: GITEA_INSTANCE_URL value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}" - name: GITEA_RUNNER_LABELS 
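Review bot: The `actions-token-upload` image is still referenced as `repository:tag` only, and according to the readme-actions-dev.md added in this commit that container reads the runner token and writes it to a Secret with kubectl, so whatever the tag resolves to runs with those rights. A tag on a third-party image (`bitnami/kubectl` by default) can be re-pointed after review, whereas a digest pins the content. I would add an optional `digest` value next to `tag` and render `repository@digest` when it is set; the README context suggests the chart already has a digest parameter for the main image, so this would presumably follow the same pattern. The same applies to the `token`, `actRunner` and `dind` images renamed in this commit. The container spec continues outside this hunk.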
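Review bot: With the guard in statefulset.yaml reduced to `{{- if .Values.actions.enabled }}`, the StatefulSet renders even when neither `actions.job.enabled` nor `actions.existingSecret` is set, while the `secretKeyRef` two hunks down still resolves to `existingSecret | default $secretName`. If the generated Secret is only created together with the Job (its template is not shown here), the runner pod would stay in a config error waiting for a Secret that nothing creates. A render-time check makes the requirement explicit: `{{- if and .Values.actions.enabled (not .Values.actions.job.enabled) (not .Values.actions.existingSecret) }}{{ fail "actions.enabled needs actions.job.enabled or actions.existingSecret" }}{{- end }}`. The StatefulSet body continues outside this hunk.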
@@ -70,8 +70,8 @@ spec: - mountPath: /data name: data-act-runner - name: dind - image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag }}" - imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }} + image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }} env: - name: DOCKER_HOST value: tcp://127.0.0.1:2376 diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml index a9a1a85..9230194 100644 --- a/unittests/act_runner/config-act-runner.yaml +++ b/unittests/act_runner/config-act-runner.yaml @@ -9,8 +9,7 @@ tests: template: templates/gitea/act_runner/config-act-runner.yaml set: actions: - statefulset: - enabled: true + enabled: true asserts: - hasDocuments: count: 1 diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index 93314db..6605c39 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/config-scripts.yaml tests: - - it: renders a deployment + - it: renders a ConfigMap template: templates/gitea/act_runner/config-scripts.yaml set: actions: diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index 6ba7e7f..55f195c 100644 --- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/job.yaml tests: - - it: renders a deployment + - it: renders a Job template: templates/gitea/act_runner/job.yaml set: actions: diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml index 217f45a..9c04ba4 100644 --- a/unittests/act_runner/role-job.yaml +++ b/unittests/act_runner/role-job.yaml 
@@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/role-job.yaml tests: - - it: renders a role + - it: renders a Role template: templates/gitea/act_runner/role-job.yaml set: actions: diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml index 7c9d416..871364c 100644 --- a/unittests/act_runner/rolebinding-job.yaml +++ b/unittests/act_runner/rolebinding-job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/rolebinding-job.yaml tests: - - it: renders a deployment + - it: renders a RoleBinding template: templates/gitea/act_runner/rolebinding-job.yaml set: actions: diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml index 9cae9b6..41458d9 100644 --- a/unittests/act_runner/secret-token.yaml +++ b/unittests/act_runner/secret-token.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/secret-token.yaml tests: - - it: renders a deployment + - it: renders a Secret template: templates/gitea/act_runner/secret-token.yaml set: actions: diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml index f0f82a9..753a421 100644 --- a/unittests/act_runner/serviceaccount-job.yaml +++ b/unittests/act_runner/serviceaccount-job.yaml @@ -5,7 +5,7 @@ release: templates: - templates/gitea/act_runner/serviceaccount-job.yaml tests: - - it: renders a deployment + - it: renders a ServiceAccount template: templates/gitea/act_runner/serviceaccount-job.yaml set: actions: diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml index d94cb4a..f3bbe9a 100644 --- a/unittests/act_runner/statefulset.yaml +++ b/unittests/act_runner/statefulset.yaml 
@@ -5,12 +5,11 @@ release: templates: - templates/gitea/act_runner/statefulset.yaml tests: - - it: renders a deployment + - it: renders a StatefulSet template: templates/gitea/act_runner/statefulset.yaml set: actions: - statefulset: - enabled: true + enabled: true asserts: - hasDocuments: count: 1 diff --git a/values.yaml b/values.yaml index 22fc864..da0ce5a 100644 --- a/values.yaml +++ b/values.yaml @@ -340,11 +340,11 @@ signing: existingSecret: "" # Configure Gitea Actions -# - must enable persistence +# - must enable persistence if the job is enabled # - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL -## @section GiteaActions +## @section Gitea Actions # -## @param actions.statefulset.enabled Create an act runner StatefulSet. +## @param actions.enabled Create an act runner StatefulSet. ## @param actions.statefulset.annotations Act runner annotations ## @param actions.statefulset.labels Act runner labels ## @param actions.statefulset.resources Act runner resources 
@@ -353,12 +353,12 @@ signing: ## @param actions.statefulset.affinity Affinity for the statefulset ## @param actions.statefulset.config Act runner custom configuration. ## @param actions.statefulset.runnerLabels Act runner labels. -## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image -## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag -## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy -## @param actions.statefulset.dindImage.repository The Docker-in-Docker image -## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag -## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.statefulset.actRunner.repository The Gitea act runner image +## @param actions.statefulset.actRunner.tag The Gitea act runner tag +## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy +## @param actions.statefulset.dind.repository The Docker-in-Docker image +## @param actions.statefulset.dind.tag The Docker-in-Docker image tag +## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.job.annotations Job's annotations ## @param actions.job.labels Job's labels 
@@ -366,18 +366,17 @@ signing: ## @param actions.job.nodeSelector NodeSelector for the job ## @param actions.job.tolerations Tolerations for the job ## @param actions.job.affinity Affinity for the job -## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token` -## @param actions.job.tokenImage.tag The token image tag that can create a token -## @param actions.job.tokenImage.pullPolicy The token image pullPolicy that can create a token -## @param actions.job.publishImage.repository The image that can create the secret via kubectl -## @param actions.job.publishImage.tag The publish image tag that can create the secret -## @param actions.job.publishImage.pullPolicy The publish image pullPolicy that can create the secret +## @param actions.job.token.repository The image that can create a token via `gitea actions generate-runner-token` +## @param actions.job.token.tag The token image tag that can create a token +## @param actions.job.token.pullPolicy The token image pullPolicy that can create a token +## @param actions.job.publish.repository The image that can create the secret via kubectl +## @param actions.job.publish.tag The publish image tag that can create the secret +## @param actions.job.publish.pullPolicy The publish image pullPolicy that can create the secret ## @param actions.existingSecret Secret that contains the token ## @param actions.existingSecretKey Secret key actions: + enabled: false statefulset: - enabled: false - annotations: {} labels: {} resources: {} @@ -388,14 +387,14 @@ actions: config: "" runnerLabels: "" - actRunnerImage: + actRunner: repository: gitea/act_runner tag: 0.2.6 pullPolicy: IfNotPresent - dindImage: + dind: repository: docker - tag: 24.0.7-dind + tag: 25.0.2-dind pullPolicy: IfNotPresent job: 
@@ -408,12 +407,12 @@ actions: tolerations: [] affinity: {} - tokenImage: + token: repository: gitea/gitea tag: "" pullPolicy: IfNotPresent - publishImage: + publish: repository: bitnami/kubectl tag: 1.29.0 pullPolicy: IfNotPresent -- 2.40.1 From 3ee0c2b5911e538134434ec3d4a1ebd15864646c Mon Sep 17 00:00:00 2001 From: dementhorr Date: Fri, 23 Feb 2024 19:51:56 +0100 Subject: [PATCH 13/36] Fixed unittests --- unittests/act_runner/config-scripts.yaml | 3 +++ unittests/act_runner/job.yaml | 3 +++ unittests/act_runner/role-job.yaml | 3 +++ unittests/act_runner/rolebinding-job.yaml | 3 +++ unittests/act_runner/secret-token.yaml | 3 +++ unittests/act_runner/serviceaccount-job.yaml | 3 +++ 6 files changed, 18 insertions(+) diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index 6605c39..b7480df 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -11,6 +11,9 @@ tests: actions: job: enabled: true + persistence: + enabled: true + mount: true asserts: - hasDocuments: count: 1 diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index 55f195c..34f90e9 100644 --- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml @@ -11,6 +11,9 @@ tests: actions: job: enabled: true + persistence: + enabled: true + mount: true asserts: - hasDocuments: count: 1 diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml index 9c04ba4..494acae 100644 --- a/unittests/act_runner/role-job.yaml +++ b/unittests/act_runner/role-job.yaml @@ -11,6 +11,9 @@ tests: actions: job: enabled: true + persistence: + enabled: true + mount: true asserts: - hasDocuments: count: 1 diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml index 871364c..a30d662 100644 --- a/unittests/act_runner/rolebinding-job.yaml +++ b/unittests/act_runner/rolebinding-job.yaml 
@@ -11,6 +11,9 @@ tests: actions: job: enabled: true + persistence: + enabled: true + mount: true asserts: - hasDocuments: count: 1 diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml index 41458d9..d5e68d7 100644 --- a/unittests/act_runner/secret-token.yaml +++ b/unittests/act_runner/secret-token.yaml @@ -11,6 +11,9 @@ tests: actions: job: enabled: true + persistence: + enabled: true + mount: true asserts: - hasDocuments: count: 1 diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml index 753a421..f2e7a70 100644 --- a/unittests/act_runner/serviceaccount-job.yaml +++ b/unittests/act_runner/serviceaccount-job.yaml @@ -11,6 +11,9 @@ tests: actions: job: enabled: true + persistence: + enabled: true + mount: true asserts: - hasDocuments: count: 1 -- 2.40.1 From aca60bc6261c3b0b0e5d81865adc7ddb13e3b1ec Mon Sep 17 00:00:00 2001 From: dementhorr Date: Tue, 19 Mar 2024 17:38:14 +0200 Subject: [PATCH 14/36] Refractored code --- README.md | 64 +++++++++---------- templates/_helpers.tpl | 12 ++++ .../gitea/act_runner/config-act-runner.yaml | 10 +-- .../gitea/act_runner/config-scripts.yaml | 2 +- templates/gitea/act_runner/job.yaml | 28 ++++---- templates/gitea/act_runner/role-job.yaml | 2 +- .../gitea/act_runner/rolebinding-job.yaml | 2 +- templates/gitea/act_runner/secret-token.yaml | 2 +- .../gitea/act_runner/serviceaccount-job.yaml | 2 +- templates/gitea/act_runner/statefulset.yaml | 3 - templates/gitea/deployment.yaml | 24 +++++++ unittests/act_runner/config-scripts.yaml | 2 +- unittests/act_runner/job.yaml | 2 +- unittests/act_runner/role-job.yaml | 2 +- unittests/act_runner/rolebinding-job.yaml | 2 +- unittests/act_runner/secret-token.yaml | 2 +- unittests/act_runner/serviceaccount-job.yaml | 2 +- values.yaml | 44 +++++++------ 18 files changed, 118 insertions(+), 89 deletions(-) diff --git a/README.md b/README.md index 028f4ff..55235b5 100644 --- a/README.md +++ b/README.md 
@@ -45,6 +45,7 @@ - [Persistence](#persistence-1) - [Init](#init) - [Signing](#signing) + - [Gitea Actions](#gitea-actions) - [Gitea](#gitea) - [LivenessProbe](#livenessprobe) - [ReadinessProbe](#readinessprobe) 
@@ -1001,38 +1002,37 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo ### Gitea Actions -| Name | Description | Value | -| ------------------------------------------ | --------------------------------------------------------------------------- | ------------------ | -| `actions.enabled` | Create an act runner StatefulSet. | `false` | -| `actions.statefulset.annotations` | Act runner annotations | `{}` | -| `actions.statefulset.labels` | Act runner labels | `{}` | -| `actions.statefulset.resources` | Act runner resources | `{}` | -| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | -| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | -| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | -| `actions.statefulset.config` | Act runner custom configuration. | `""` | -| `actions.statefulset.runnerLabels` | Act runner labels. | `""` | -| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` | -| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | -| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | -| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | -| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | -| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `actions.job.annotations` | Job's annotations | `{}` | -| `actions.job.labels` | Job's labels | `{}` | -| `actions.job.resources` | Job's resources | `{}` | -| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | -| `actions.job.tolerations` | Tolerations for the job | `[]` | -| `actions.job.affinity` | Affinity for the job | `{}` | -| `actions.job.token.repository` | The image that 
can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | -| `actions.job.token.tag` | The token image tag that can create a token | `""` | -| `actions.job.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | -| `actions.job.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `actions.job.publish.tag` | The publish image tag that can create the secret | `1.29.0` | -| `actions.job.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | -| `actions.existingSecret` | Secret that contains the token | `""` | -| `actions.existingSecretKey` | Secret key | `""` | +| Name | Description | Value | +| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `actions.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. 
See values.yaml` | +| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | +| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.provisioning.annotations` | Job's annotations | `{}` | +| `actions.provisioning.labels` | Job's labels | `{}` | +| `actions.provisioning.resources` | Job's resources | `{}` | +| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.provisioning.tolerations` | Tolerations for the job | `[]` | +| `actions.provisioning.affinity` | Affinity for the job | `{}` | +| `actions.provisioning.token.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | +| `actions.provisioning.token.tag` | The token image tag that can create a token | `""` | +| `actions.provisioning.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | +| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | ### Gitea diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ee485ce..4284095 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -284,6 +284,9 @@ https {{- if not (hasKey .Values.gitea.config "indexer") -}} {{- $_ := set .Values.gitea.config "indexer" dict -}} {{- end -}} + {{- if not (hasKey .Values.gitea.config "actions") -}} + {{- $_ := set .Values.gitea.config "actions" dict -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults" -}} @@ -330,6 +333,15 @@ https {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- end -}} + {{- if not .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED -}} + {{- $_ := set .Values.gitea.config.actions "GITEA__ACTIONS__ENABLED" "true" -}} + {{- end -}} + {{- if not .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL -}} + {{- $_ := set .Values.gitea.config.actions "GITEA__SERVER__LOCAL_ROOT_URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}} + {{- end -}} + {{- if not .Values.gitea.config.actions.GITEA__INSTANCE__URL -}} + {{- $_ := set .Values.gitea.config.actions "GITEA__INSTANCE__URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults.server" -}} diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml index 42bd59b..03961ae 100644 --- a/templates/gitea/act_runner/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -7,16 +7,8 @@ metadata: labels: {{- include "gitea.labels" . | nindent 4 }} data: - {{- if .Values.actions.statefulset.config }} config.yaml: | - {{- with .Values.actions.statefulset.config -}} + {{- with .Values.actions.statefulset.actRunner.config -}} {{ . | nindent 4}} {{- end -}} - {{- else }} - config.yaml: | - log: - level: debug - cache: - enabled: false - {{- end }} {{- end }} 
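Review bot: The guard `if not .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED` in the `@@ -330,6 +333,15 @@` hunk treats a boolean `false` the same as an unset key, so an operator who turns Actions off through this value gets it reset to `"true"`. Test for presence instead, `{{- if not (hasKey .Values.gitea.config.actions "GITEA__ACTIONS__ENABLED") -}}`, so the default only applies when nothing was configured. The two URL defaults in the same hunk hard-code the `http://` scheme; a one-line comment stating that this is the in-cluster service address and is not TLS-protected would make that choice explicit. The enclosing `define` starts outside the hunk.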
diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml index 17d9bba..778b1c9 100644 --- a/templates/gitea/act_runner/config-scripts.yaml +++ b/templates/gitea/act_runner/config-scripts.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} --- apiVersion: v1 kind: ConfigMap diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 90aedae..337861b 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -1,6 +1,6 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- if .Values.actions.existingSecret }} -{{- fail "Can't specify both actions.job.enabled and actions.existingSecret" }} +{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" }} {{- end }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} @@ -11,12 +11,12 @@ metadata: name: {{ $name }} labels: {{- include "gitea.labels" . | nindent 4 }} - {{- with .Values.actions.job.labels }} + {{- with .Values.actions.provisioning.labels }} {{- toYaml . | nindent 4 }} {{- end }} app.kubernetes.io/component: token-job annotations: - {{- with .Values.actions.job.annotations }} + {{- with .Values.actions.provisioning.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: 
@@ -25,7 +25,7 @@ spec: metadata: labels: {{- include "gitea.labels" . | nindent 8 }} - {{- with .Values.actions.job.labels }} + {{- with .Values.actions.provisioning.labels }} {{- toYaml . | nindent 8 }} {{- end }} app.kubernetes.io/component: token-job @@ -42,8 +42,8 @@ spec: done containers: - name: actions-token-create - image: "{{ .Values.actions.job.token.repository }}:{{ .Values.actions.job.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}" - imagePullPolicy: {{ .Values.actions.job.token.pullPolicy }} + image: "{{ .Values.actions.provisioning.token.repository }}:{{ .Values.actions.provisioning.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}" + imagePullPolicy: {{ .Values.actions.provisioning.token.pullPolicy }} env: - name: GITEA_APP_INI value: /data/gitea/conf/app.ini @@ -55,7 +55,7 @@ spec: mkdir -p /data/actions/ gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token resources: - {{- toYaml .Values.actions.job.resources | nindent 12 }} + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} volumeMounts: - name: data mountPath: /data @@ -63,8 +63,8 @@ spec: subPath: {{ .Values.persistence.subPath }} {{- end }} - name: actions-token-upload - image: "{{ .Values.actions.job.publish.repository }}:{{ .Values.actions.job.publish.tag }}" - imagePullPolicy: {{ .Values.actions.job.publish.pullPolicy }} + image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}" + imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }} env: - name: SECRET_NAME value: {{ $secretName }} @@ -76,7 +76,7 @@ spec: kubectl auth can-i update secret/${SECRET_NAME} /scripts/token.sh resources: - {{- toYaml .Values.actions.job.resources | nindent 12 }} + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} volumeMounts: - mountPath: /scripts name: scripts 
@@ -87,15 +87,15 @@ spec: {{- if .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }} {{- end }} - {{- with .Values.actions.job.nodeSelector }} + {{- with .Values.actions.provisioning.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.actions.job.affinity }} + {{- with .Values.actions.provisioning.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.actions.job.tolerations }} + {{- with .Values.actions.provisioning.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml index 9b838b5..3b21cea 100644 --- a/templates/gitea/act_runner/role-job.yaml +++ b/templates/gitea/act_runner/role-job.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml index 8442c73..74f68e6 100644 --- a/templates/gitea/act_runner/rolebinding-job.yaml +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- 
diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml index 5de4111..5b57f3a 100644 --- a/templates/gitea/act_runner/secret-token.yaml +++ b/templates/gitea/act_runner/secret-token.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml index 5ef2101..4e1738c 100644 --- a/templates/gitea/act_runner/serviceaccount-job.yaml +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -1,4 +1,4 @@ -{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} --- apiVersion: v1 diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 43d3e66..48241e7 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -55,8 +55,6 @@ spec: key: "{{ .Values.actions.existingSecretKey | default "token" }}" - name: GITEA_INSTANCE_URL value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}" - - name: GITEA_RUNNER_LABELS - value: "{{ .Values.actions.statefulset.runnerLabels | default "ubuntu-latest" }}" - name: CONFIG_FILE value: /actrunner/config.yaml resources: 
@@ -80,7 +78,6 @@ spec: - name: DOCKER_CERT_PATH value: /certs/server securityContext: - # allowPrivilegeEscalation: true privileged: true resources: {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index f321f22..9404218 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml @@ -71,6 +71,12 @@ spec: value: /data - name: GITEA_TEMP value: /tmp/gitea + {{- if .Values.actions.enabled }} + - name: GITEA__ACTIONS__ENABLED + value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} + - name: GITEA__SERVER__LOCAL_ROOT_URL + value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} + {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} @@ -106,6 +112,12 @@ spec: value: /data - name: GITEA_TEMP value: /tmp/gitea + {{- if .Values.actions.enabled }} + - name: GITEA__ACTIONS__ENABLED + value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} + - name: GITEA__SERVER__LOCAL_ROOT_URL + value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} + {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} @@ -245,6 +257,12 @@ spec: {{- end }} - name: GITEA_ADMIN_PASSWORD_MODE value: {{ include "gitea.admin.passwordMode" $ }} + {{- if .Values.actions.enabled }} + - name: GITEA__ACTIONS__ENABLED + value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} + - name: GITEA__SERVER__LOCAL_ROOT_URL + value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} + {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} 
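Review bot: `privileged: true` stays on this container in the `@@ -80,7 +78,6 @@` hunk of `statefulset.yaml`, and the change removes the only nearby comment rather than explaining the setting. A privileged container is not confined by the usual container isolation. Assuming this is the Docker-in-Docker sidecar (the `DOCKER_CERT_PATH` context suggests so, but the container name is outside the hunk), every workflow allowed to run on this runner has to be trusted at roughly node level. I would put a comment above the line, e.g. `# dind requires privileged mode: treat workflows on this runner as node-trusted and schedule it on dedicated nodes`, and repeat the caveat in the README's Gitea Actions section.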
@@ -294,6 +312,12 @@ spec: - name: GNUPGHOME value: {{ .Values.signing.gpgHome }} {{- end }} + {{- if .Values.actions.enabled }} + - name: GITEA__ACTIONS__ENABLED + value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} + - name: GITEA__SERVER__LOCAL_ROOT_URL + value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} + {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index b7480df..c5a202c 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/config-scripts.yaml set: actions: - job: + provisioning: enabled: true persistence: enabled: true diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index 34f90e9..da269d9 100644 --- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/job.yaml set: actions: - job: + provisioning: enabled: true persistence: enabled: true diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml index 494acae..69bf54c 100644 --- a/unittests/act_runner/role-job.yaml +++ b/unittests/act_runner/role-job.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/role-job.yaml set: actions: - job: + provisioning: enabled: true persistence: enabled: true diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml index a30d662..6c08aa5 100644 --- a/unittests/act_runner/rolebinding-job.yaml +++ b/unittests/act_runner/rolebinding-job.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/rolebinding-job.yaml set: actions: - job: + provisioning: enabled: true persistence: enabled: true 
diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml index d5e68d7..bca06a5 100644 --- a/unittests/act_runner/secret-token.yaml +++ b/unittests/act_runner/secret-token.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/secret-token.yaml set: actions: - job: + provisioning: enabled: true persistence: enabled: true diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml index f2e7a70..6e759b9 100644 --- a/unittests/act_runner/serviceaccount-job.yaml +++ b/unittests/act_runner/serviceaccount-job.yaml @@ -9,7 +9,7 @@ tests: template: templates/gitea/act_runner/serviceaccount-job.yaml set: actions: - job: + provisioning: enabled: true persistence: enabled: true diff --git a/values.yaml b/values.yaml index da0ce5a..00cf529 100644 --- a/values.yaml +++ b/values.yaml @@ -341,7 +341,6 @@ signing: # Configure Gitea Actions # - must enable persistence if the job is enabled -# - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL ## @section Gitea Actions # ## @param actions.enabled Create an act runner StatefulSet. 
@@ -351,27 +350,26 @@ signing: ## @param actions.statefulset.nodeSelector NodeSelector for the statefulset ## @param actions.statefulset.tolerations Tolerations for the statefulset ## @param actions.statefulset.affinity Affinity for the statefulset -## @param actions.statefulset.config Act runner custom configuration. -## @param actions.statefulset.runnerLabels Act runner labels. ## @param actions.statefulset.actRunner.repository The Gitea act runner image ## @param actions.statefulset.actRunner.tag The Gitea act runner tag ## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy +## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. ## @param actions.statefulset.dind.repository The Docker-in-Docker image ## @param actions.statefulset.dind.tag The Docker-in-Docker image tag ## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy -## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret -## @param actions.job.annotations Job's annotations -## @param actions.job.labels Job's labels -## @param actions.job.resources Job's resources -## @param actions.job.nodeSelector NodeSelector for the job -## @param actions.job.tolerations Tolerations for the job -## @param actions.job.affinity Affinity for the job -## @param actions.job.token.repository The image that can create a token via `gitea actions generate-runner-token` -## @param actions.job.token.tag The token image tag that can create a token -## @param actions.job.token.pullPolicy The token image pullPolicy that can create a token -## @param actions.job.publish.repository The image that can create the secret via kubectl -## @param actions.job.publish.tag The publish image tag that can create the secret -## @param actions.job.publish.pullPolicy The publish 
image pullPolicy that can create the secret +## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret +## @param actions.provisioning.annotations Job's annotations +## @param actions.provisioning.labels Job's labels +## @param actions.provisioning.resources Job's resources +## @param actions.provisioning.nodeSelector NodeSelector for the job +## @param actions.provisioning.tolerations Tolerations for the job +## @param actions.provisioning.affinity Affinity for the job +## @param actions.provisioning.token.repository The image that can create a token via `gitea actions generate-runner-token` +## @param actions.provisioning.token.tag The token image tag that can create a token +## @param actions.provisioning.token.pullPolicy The token image pullPolicy that can create a token +## @param actions.provisioning.publish.repository The image that can create the secret via kubectl +## @param actions.provisioning.publish.tag The publish image tag that can create the secret +## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret ## @param actions.existingSecret Secret that contains the token ## @param actions.existingSecretKey Secret key actions: @@ -384,20 +382,26 @@ actions: tolerations: [] affinity: {} - config: "" - runnerLabels: "" - actRunner: repository: gitea/act_runner tag: 0.2.6 pullPolicy: IfNotPresent + config: | + log: + level: debug + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" + dind: repository: docker tag: 25.0.2-dind pullPolicy: IfNotPresent - job: + provisioning: enabled: false annotations: {} -- 2.40.1 From 1d52aca44d4e0c82cb06ce5c3122626eda6aeaaa Mon Sep 17 00:00:00 2001 From: dementhorr Date: Tue, 19 Mar 2024 17:42:21 +0200 Subject: [PATCH 15/36] Fixed readme --- readme-actions-dev.md | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) 
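Review bot: The default `actRunner.config` added in the `@@ -384,20 +382,26 @@` hunk ships `log: level: debug`, which every install inherits unless it overrides the whole multi-line string. Debug output from a CI runner is normally more detailed than operators expect to find in shared log storage (what act_runner prints at this level is not visible here), so I would default to `level: info` and document debug as an opt-in. Because `config` is a single string, overriding one key means restating all of it; a comment such as `# replaces the whole file, nothing is merged with these defaults` above `config: |` would prevent a partial override from silently dropping `runner.labels`.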
diff --git a/readme-actions-dev.md b/readme-actions-dev.md index 65a2719..66f0787 100644 --- a/readme-actions-dev.md +++ b/readme-actions-dev.md @@ -1,19 +1,8 @@ # Gitea Actions -In order to use the Gitea Actions act-runner you must: - -- set the following environment variables to `deployment.env` (modify LOCAL_ROOT_URL if you used a different service name): - -```yaml -deployment: - env: - - name: GITEA__ACTIONS__ENABLED - value: 'true' - - name: GITEA__SERVER__LOCAL_ROOT_URL - value: http://gitea-http:3000 -``` - +In order to use the Gitea Actions act-runner you must either: - enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job) +- create a secret containing the act runner token and reference it as a `existingSecret` In order to use Gitea Actions, you must log on the server that's running Gitea and run the command: `gitea actions generate-runner-token` @@ -37,7 +26,7 @@ the command `gitea actions generate-runner-token`. After generating the token, y ```yaml actions: - job: + provisioning: enabled: false existingSecret: "secret-name" existingSecretKey: "secret-key" -- 2.40.1 From b5a024602ca55aa9b72b37bb92fbf72ace575d03 Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Tue, 11 Jun 2024 13:49:49 -0500 Subject: [PATCH 16/36] Set a 10 min ttl for the job after finished in order to allow helm to properly recognize that the job completed. --- templates/gitea/act_runner/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 337861b..18ba798 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -20,7 +20,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - ttlSecondsAfterFinished: 0 + ttlSecondsAfterFinished: 300 template: metadata: labels: -- 2.40.1 From 64e8e4f80291c066212e118e236be90e22e3e768 Mon Sep 17 00:00:00 2001 
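Review bot: `ttlSecondsAfterFinished: 300` in the `job.yaml` hunk is five minutes, while the commit message says ten, so one of the two needs correcting (`600` if ten minutes is what helm needs). A short comment on the line, `# keep the finished Job long enough for helm to observe completion`, would record why the value is no longer `0`. Note that the finished pod and its logs stay readable for that window, which is worth keeping in mind since this Job handles the runner registration token.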
From: Vince Montalbano Date: Thu, 13 Jun 2024 15:56:12 -0500 Subject: [PATCH 17/36] make sure storageclass is consistent with the pvc for the main gitea server deployment --- templates/gitea/act_runner/statefulset.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 48241e7..1149a07 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -107,6 +107,7 @@ spec: name: data-act-runner spec: accessModes: [ "ReadWriteOnce" ] + {{- include "gitea.persistence.storageClass" . | nindent 8 }} resources: requests: storage: 1Mi -- 2.40.1 From d30ac63d7b7578768bb66e4f10dbf11a4c353e0e Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Tue, 23 Jul 2024 14:52:39 -0500 Subject: [PATCH 18/36] remove unnecessary environment variables allow for image to be edited via values file allow for ttl of job to be edited via values files --- templates/_helpers.tpl | 13 +++++------ templates/gitea/act_runner/job.yaml | 8 +++---- templates/gitea/act_runner/statefulset.yaml | 4 ++-- templates/gitea/deployment.yaml | 24 --------------------- values.yaml | 13 ++++++----- 5 files changed, 19 insertions(+), 43 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 4284095..b84c93b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -333,14 +333,8 @@ https {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- end -}} - {{- if not .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED -}} - {{- $_ := set .Values.gitea.config.actions "GITEA__ACTIONS__ENABLED" "true" -}} - {{- end -}} - {{- if not .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL -}} - {{- $_ := set .Values.gitea.config.actions "GITEA__SERVER__LOCAL_ROOT_URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}} - {{- end -}} - {{- if not .Values.gitea.config.actions.GITEA__INSTANCE__URL -}} - {{- $_ := set .Values.gitea.config.actions "GITEA__INSTANCE__URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}} + {{- if not .Values.gitea.config.actions.ENABLED -}} + {{- $_ := set .Values.gitea.config.actions "ENABLED" "false" -}} {{- end -}} {{- end -}} @@ -361,6 +355,9 @@ https {{- if not .Values.gitea.config.server.ROOT_URL -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- end -}} + {{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}} + {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}} + {{- end -}} {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} {{- end -}} diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 18ba798..587150f 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml 
@@ -20,7 +20,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - ttlSecondsAfterFinished: 300 + ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }} template: metadata: labels: @@ -32,7 +32,7 @@ spec: spec: initContainers: - name: init-gitea - image: busybox:1.36.1 + image: "{{ .Values.actions.init.repository }}:{{ .Values.actions.init.tag }}" command: - sh - -c @@ -42,8 +42,8 @@ spec: done containers: - name: actions-token-create - image: "{{ .Values.actions.provisioning.token.repository }}:{{ .Values.actions.provisioning.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}" - imagePullPolicy: {{ .Values.actions.provisioning.token.pullPolicy }} + image: "{{ include "gitea.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: GITEA_APP_INI value: /data/gitea/conf/app.ini diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 1149a07..66e724a 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -28,7 +28,7 @@ spec: spec: initContainers: - name: init-gitea - image: busybox:1.36.1 + image: "{{ .Values.actions.init.repository }}:{{ .Values.actions.init.tag }}" command: - sh - -c @@ -54,7 +54,7 @@ spec: name: "{{ .Values.actions.existingSecret | default $secretName }}" key: "{{ .Values.actions.existingSecretKey | default "token" }}" - name: GITEA_INSTANCE_URL - value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}" + value: {{ .Values.gitea.config.server.LOCAL_ROOT_URL | quote }} - name: CONFIG_FILE value: /actrunner/config.yaml resources: diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index 9404218..f321f22 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml 
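Review bot: The init container image in `job.yaml` (`@@ -32,7 +32,7 @@`) and in `statefulset.yaml` (`@@ -28,7 +28,7 @@`) reads `.Values.actions.init.repository` and `.Values.actions.init.tag`, but the `values.yaml` hunk of this same patch defines both one level deeper, under `actions.init.image`. With the chart defaults the image reference would render without a repository or tag, so neither pod should be able to start. Use `image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"` in both places, or flatten the values to match the templates. The comment on the new `tag` value ("whose default is the chart appVersion") also does not match the busybox `1.36.1` default.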
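Review bot: `GITEA_INSTANCE_URL` in the `@@ -54,7 +54,7 @@` hunk of `statefulset.yaml` now depends on `.Values.gitea.config.server.LOCAL_ROOT_URL` having been populated, and the only default visible in this patch is set inside the `gitea.inline_configuration.defaults.server` helper. Whether that helper has run before this template renders is not visible here; if it has not, the runner gets an empty instance URL. A local fallback keeps the template self-contained: `value: {{ .Values.gitea.config.server.LOCAL_ROOT_URL | default (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) | quote }}`. A unit test asserting the rendered value with no `LOCAL_ROOT_URL` set would pin this down.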
@@ -71,12 +71,6 @@ spec: value: /data - name: GITEA_TEMP value: /tmp/gitea - {{- if .Values.actions.enabled }} - - name: GITEA__ACTIONS__ENABLED - value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} - - name: GITEA__SERVER__LOCAL_ROOT_URL - value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} - {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} @@ -112,12 +106,6 @@ spec: value: /data - name: GITEA_TEMP value: /tmp/gitea - {{- if .Values.actions.enabled }} - - name: GITEA__ACTIONS__ENABLED - value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} - - name: GITEA__SERVER__LOCAL_ROOT_URL - value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} - {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} @@ -257,12 +245,6 @@ spec: {{- end }} - name: GITEA_ADMIN_PASSWORD_MODE value: {{ include "gitea.admin.passwordMode" $ }} - {{- if .Values.actions.enabled }} - - name: GITEA__ACTIONS__ENABLED - value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} - - name: GITEA__SERVER__LOCAL_ROOT_URL - value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} - {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} @@ -312,12 +294,6 @@ spec: - name: GNUPGHOME value: {{ .Values.signing.gpgHome }} {{- end }} - {{- if .Values.actions.enabled }} - - name: GITEA__ACTIONS__ENABLED - value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }} - - name: GITEA__SERVER__LOCAL_ROOT_URL - value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }} - {{- end }} {{- if .Values.deployment.env }} {{- toYaml .Values.deployment.env | nindent 12 }} {{- end }} diff --git a/values.yaml b/values.yaml index 00cf529..3d2ac2c 100644 --- a/values.yaml +++ b/values.yaml 
@@ -401,6 +401,12 @@ actions: tag: 25.0.2-dind pullPolicy: IfNotPresent + init: + image: + repository: busybox + # Overrides the image tag whose default is the chart appVersion. + tag: "1.36.1" + provisioning: enabled: false @@ -411,16 +417,13 @@ actions: tolerations: [] affinity: {} - token: - repository: gitea/gitea - tag: "" - pullPolicy: IfNotPresent - publish: repository: bitnami/kubectl tag: 1.29.0 pullPolicy: IfNotPresent + ttlSecondsAfterFinished: 300 + ## Specify an existing token secret ## existingSecret: "" -- 2.40.1 From 7f2db131e89ad96d78ad2eb6d3a03cef55543ae8 Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Tue, 23 Jul 2024 21:17:42 -0500 Subject: [PATCH 19/36] update values.yaml --- values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/values.yaml b/values.yaml index 3d2ac2c..2513005 100644 --- a/values.yaml +++ b/values.yaml @@ -344,6 +344,8 @@ signing: ## @section Gitea Actions # ## @param actions.enabled Create an act runner StatefulSet. +## @param actions.init.image.repository The image used for the init containers +## @param actions.init.image.tag The image tag used for the init containers ## @param actions.statefulset.annotations Act runner annotations ## @param actions.statefulset.labels Act runner labels ## @param actions.statefulset.resources Act runner resources 
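Review bot: The comment added above `actions.init.image.tag` in the first values.yaml hunk says the default is the chart appVersion, but the value shipped is the fixed string `"1.36.1"` and nothing visible derives it from appVersion; it reads like a copy from the main image block. I would replace it with `# Tag of the busybox image used by the init containers`. The init image is also referenced only by a mutable tag, with no digest or pullPolicy key beside it, so operators who pin images by digest cannot do so for the init containers; consider an optional digest value or at least documenting the gap. The second hunk removes `actions.provisioning.token.*`, so existing overrides of those keys will be ignored silently after an upgrade and deserve an upgrade note.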
@@ -364,9 +366,7 @@ signing: ## @param actions.provisioning.nodeSelector NodeSelector for the job ## @param actions.provisioning.tolerations Tolerations for the job ## @param actions.provisioning.affinity Affinity for the job -## @param actions.provisioning.token.repository The image that can create a token via `gitea actions generate-runner-token` -## @param actions.provisioning.token.tag The token image tag that can create a token -## @param actions.provisioning.token.pullPolicy The token image pullPolicy that can create a token +## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed ## @param actions.provisioning.publish.repository The image that can create the secret via kubectl ## @param actions.provisioning.publish.tag The publish image tag that can create the secret ## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret -- 2.40.1 From d318110a201c9140e6ca6fda27ddc420d2a3541a Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Tue, 23 Jul 2024 21:29:24 -0500 Subject: [PATCH 20/36] updated readme --- README.md | 62 +++++++++++++++++++++---------------------- readme-actions-dev.md | 1 + 2 files changed, 32 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 55235b5..dccf426 100644 --- a/README.md +++ b/README.md 
@@ -1002,37 +1002,37 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo ### Gitea Actions -| Name | Description | Value | -| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `actions.enabled` | Create an act runner StatefulSet. | `false` | -| `actions.statefulset.annotations` | Act runner annotations | `{}` | -| `actions.statefulset.labels` | Act runner labels | `{}` | -| `actions.statefulset.resources` | Act runner resources | `{}` | -| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | -| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | -| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | -| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` | -| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | -| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. 
See values.yaml` | -| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | -| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | -| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | -| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `actions.provisioning.annotations` | Job's annotations | `{}` | -| `actions.provisioning.labels` | Job's labels | `{}` | -| `actions.provisioning.resources` | Job's resources | `{}` | -| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` | -| `actions.provisioning.tolerations` | Tolerations for the job | `[]` | -| `actions.provisioning.affinity` | Affinity for the job | `{}` | -| `actions.provisioning.token.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | -| `actions.provisioning.token.tag` | The token image tag that can create a token | `""` | -| `actions.provisioning.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | -| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | -| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | -| `actions.existingSecret` | Secret that contains the token | `""` | -| `actions.existingSecretKey` | Secret key | `""` | +| Name | Description | Value | +| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `actions.enabled` | Create an act runner StatefulSet. 
| `false` | +| `actions.init.image.repository` | The image used for the init containers | `busybox` | +| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. 
See values.yaml` | +| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | +| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.provisioning.annotations` | Job's annotations | `{}` | +| `actions.provisioning.labels` | Job's labels | `{}` | +| `actions.provisioning.resources` | Job's resources | `{}` | +| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.provisioning.tolerations` | Tolerations for the job | `[]` | +| `actions.provisioning.affinity` | Affinity for the job | `{}` | +| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` | +| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | ### Gitea diff --git a/readme-actions-dev.md b/readme-actions-dev.md index 66f0787..a633ad3 100644 --- a/readme-actions-dev.md +++ b/readme-actions-dev.md @@ -1,6 +1,7 @@ # Gitea Actions In order to use the Gitea Actions act-runner you must either: + - enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job) - create a secret containing the act runner token and reference it as a `existingSecret` -- 2.40.1 From 78272f9440ca2e9fc3ec6dab09c6f8eb5ca3ff53 Mon Sep 17 00:00:00 2001 
From: Vince Montalbano Date: Wed, 24 Jul 2024 12:27:11 -0500 Subject: [PATCH 21/36] add unit tests --- unittests/act_runner/config-act-runner.yaml | 21 +++++++++++++++++ unittests/act_runner/config-scripts.yaml | 2 ++ unittests/act_runner/job.yaml | 25 +++++++++++++++++++++ unittests/act_runner/statefulset.yaml | 8 +++++++ 4 files changed, 56 insertions(+) diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml index 9230194..3a78787 100644 --- a/unittests/act_runner/config-act-runner.yaml +++ b/unittests/act_runner/config-act-runner.yaml @@ -1,3 +1,4 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json suite: actions template | config-act-runner release: name: gitea-unittests @@ -10,6 +11,16 @@ tests: set: actions: enabled: true + statefulset: + actRunner: + config: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" asserts: - hasDocuments: count: 1 @@ -17,3 +28,13 @@ tests: kind: ConfigMap apiVersion: v1 name: gitea-unittests-act-runner-config + - equal: + path: data["config.yaml"] + value: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index c5a202c..35cc225 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -21,3 +21,5 @@ tests: kind: ConfigMap apiVersion: v1 name: gitea-unittests-scripts + - isNotNullOrEmpty: + path: data["token.sh"] \ No newline at end of file diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index da269d9..8d527e4 100644 --- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml 
@@ -2,6 +2,9 @@ suite: actions template | job release: name: gitea-unittests namespace: testing +chart: + # Override appVersion to be consistent with used digest :) + appVersion: 1.19.3 templates: - templates/gitea/act_runner/job.yaml tests: @@ -21,3 +24,25 @@ tests: kind: Job apiVersion: batch/v1 name: gitea-unittests-actions-token-job + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.3-rootless" + - it: tag override + template: templates/gitea/act_runner/job.yaml + set: + image.tag: "1.19.4" + actions: + provisioning: + enabled: true + publish: + tag: "1.29.0" + persistence: + enabled: true + mount: true + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.4-rootless" + - equal: + path: spec.template.spec.containers[1].image + value: "bitnami/kubectl:1.29.0" \ No newline at end of file diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml index f3bbe9a..da36917 100644 --- a/unittests/act_runner/statefulset.yaml +++ b/unittests/act_runner/statefulset.yaml @@ -17,3 +17,11 @@ tests: kind: StatefulSet apiVersion: apps/v1 name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "gitea-unittests-actions-token" + key: "token" \ No newline at end of file -- 2.40.1 From f6d580210c6b19c9716c95577cec20ea85c55ce2 Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Wed, 24 Jul 2024 12:29:25 -0500 Subject: [PATCH 22/36] add missing newlines --- unittests/act_runner/config-scripts.yaml | 2 +- unittests/act_runner/job.yaml | 2 +- unittests/act_runner/statefulset.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index 35cc225..c8754ea 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml 
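Review bot: The new assertion in unittests/act_runner/statefulset.yaml addresses the registration-token variable by position, `path: spec.template.spec.containers[0].env[3]`, so adding or reordering any env entry in the template fails the test for a reason unrelated to the secret reference. A `contains` assertion on `spec.template.spec.containers[0].env` with the same entry as `content` checks that the token comes from the expected `secretKeyRef` without depending on the index. The job.yaml cases on this line use the same positional style for `containers[0].image` and `containers[1].image`; a short comment naming which container each index refers to would help there.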
@@ -22,4 +22,4 @@ tests: apiVersion: v1 name: gitea-unittests-scripts - isNotNullOrEmpty: - path: data["token.sh"] \ No newline at end of file + path: data["token.sh"] diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index 8d527e4..c6fe62e 100644 --- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml @@ -45,4 +45,4 @@ tests: value: "gitea/gitea:1.19.4-rootless" - equal: path: spec.template.spec.containers[1].image - value: "bitnami/kubectl:1.29.0" \ No newline at end of file + value: "bitnami/kubectl:1.29.0" diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml index da36917..017ddc5 100644 --- a/unittests/act_runner/statefulset.yaml +++ b/unittests/act_runner/statefulset.yaml @@ -24,4 +24,4 @@ tests: valueFrom: secretKeyRef: name: "gitea-unittests-actions-token" - key: "token" \ No newline at end of file + key: "token" -- 2.40.1 From 86870d83202bd830d95b56114c4769015f49d1f0 Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Wed, 24 Jul 2024 16:01:42 -0500 Subject: [PATCH 23/36] fix incorrect values for init containers --- templates/gitea/act_runner/job.yaml | 2 +- templates/gitea/act_runner/statefulset.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 587150f..795809f 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -32,7 +32,7 @@ spec: spec: initContainers: - name: init-gitea - image: "{{ .Values.actions.init.repository }}:{{ .Values.actions.init.tag }}" + image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}" command: - sh - -c diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 66e724a..c4d2375 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml 
@@ -28,7 +28,7 @@ spec: spec: initContainers: - name: init-gitea - image: "{{ .Values.actions.init.repository }}:{{ .Values.actions.init.tag }}" + image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}" command: - sh - -c -- 2.40.1 From e6525acfb71f33144eb6ec84756ce89f4fc1c54f Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Mon, 4 Nov 2024 15:09:50 -0600 Subject: [PATCH 24/36] Apply Patch https://gitea.com/gitea/helm-chart/pulls/666#issuecomment-897392 --- templates/_helpers.tpl | 15 +++- .../act_runner/01-consistency-checks.yaml | 15 ++++ .../gitea/act_runner/config-scripts.yaml | 2 + templates/gitea/act_runner/job.yaml | 5 +- templates/gitea/act_runner/role-job.yaml | 2 + .../gitea/act_runner/rolebinding-job.yaml | 2 + templates/gitea/act_runner/secret-token.yaml | 2 + .../gitea/act_runner/serviceaccount-job.yaml | 2 + templates/gitea/act_runner/statefulset.yaml | 2 +- .../act_runner/01-consistency-checks.yaml | 69 ++++++++++++++++++ unittests/act_runner/config-act-runner.yaml | 5 ++ unittests/act_runner/config-scripts.yaml | 26 ++++++- unittests/act_runner/job.yaml | 19 ++++- unittests/act_runner/role-job.yaml | 19 +++++ unittests/act_runner/rolebinding-job.yaml | 19 +++++ unittests/act_runner/secret-token.yaml | 19 +++++ unittests/act_runner/serviceaccount-job.yaml | 19 +++++ unittests/act_runner/statefulset.yaml | 70 ++++++++++++++++++- unittests/config/actions-config.yaml | 61 ++++++++++++++++ 19 files changed, 363 insertions(+), 10 deletions(-) create mode 100644 templates/gitea/act_runner/01-consistency-checks.yaml create mode 100644 unittests/act_runner/01-consistency-checks.yaml create mode 100644 unittests/config/actions-config.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index b84c93b..9fa86df 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -220,6 +220,15 @@ https {{- end -}} {{- end -}} +{{- define "gitea.act_runner.local_root_url" -}} +{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}} + {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}} +{{- else -}} + {{/* fallback for allowing to overwrite this value via inline config */}} + {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}} +{{- end -}} +{{- end -}} + {{- define "gitea.inline_configuration" -}} {{- include "gitea.inline_configuration.init" . -}} {{- include "gitea.inline_configuration.defaults" . -}} @@ -334,7 +343,7 @@ https {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- end -}} {{- if not .Values.gitea.config.actions.ENABLED -}} - {{- $_ := set .Values.gitea.config.actions "ENABLED" "false" -}} + {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}} {{- end -}} {{- end -}} @@ -355,8 +364,8 @@ https {{- if not .Values.gitea.config.server.ROOT_URL -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- end -}} - {{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}} - {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}} + {{- if .Values.actions.enabled -}} + {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}} {{- end -}} {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} diff --git a/templates/gitea/act_runner/01-consistency-checks.yaml b/templates/gitea/act_runner/01-consistency-checks.yaml new file mode 100644 index 0000000..25ae556 --- /dev/null +++ b/templates/gitea/act_runner/01-consistency-checks.yaml 
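Review bot: In the `@@ -334,7 +343,7 @@` hunk the guard `if not .Values.gitea.config.actions.ENABLED` cannot tell an unset key from an explicit boolean `false`, so with `actions.enabled: true` an operator's `gitea.config.actions.ENABLED: false` is now overwritten with `"true"`, whereas before this change the overwrite produced `"false"` and was harmless. Testing for the key keeps an explicit opt-out intact: `{{- if not (hasKey .Values.gitea.config.actions "ENABLED") -}}`. The `@@ -355,8 +364,8 @@` hunk has a related effect worth an upgrade note: `LOCAL_ROOT_URL` is no longer defaulted when `actions.enabled` is false, so installs that relied on the chart-provided value now get whatever Gitea itself defaults to. The enclosing `define` blocks start and end outside these hunks.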
@@ -0,0 +1,15 @@ +{{- if .Values.actions.enabled -}} + {{- if .Values.actions.provisioning.enabled -}} + {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}} + {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}} + {{- end -}} + {{- if and .Values.persistence.enabled .Values.persistence.mount -}} + {{- if .Values.actions.existingSecret -}} + {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}} + {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}} + {{- end -}} +{{- end -}} diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml index 778b1c9..688bd20 100644 --- a/templates/gitea/act_runner/config-scripts.yaml +++ b/templates/gitea/act_runner/config-scripts.yaml @@ -1,3 +1,4 @@ +{{- if .Values.actions.enabled }} {{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} --- apiVersion: v1 @@ -9,3 +10,4 @@ metadata: data: {{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} {{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 795809f..032671f 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml 
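Review bot: The last check in 01-consistency-checks.yaml fails the render when `actions.existingSecretKey` is empty, while the StatefulSet template reads the key as `.Values.actions.existingSecretKey | default "token"`, so that default can never take effect when provisioning is disabled. Either require only the secret name here, `{{- if and (not .Values.actions.provisioning.enabled) (empty .Values.actions.existingSecret) -}}`, or drop the `default "token"` from the StatefulSet so the two agree. The inner `if and .Values.persistence.enabled .Values.persistence.mount` is also redundant, because the `fail` directly above it already aborts when that condition is false. A short template comment at the top listing the accepted value combinations would make the nesting easier to follow.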
@@ -1,7 +1,5 @@ +{{- if .Values.actions.enabled }} {{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- if .Values.actions.existingSecret }} -{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" }} -{{- end }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} --- @@ -113,3 +111,4 @@ spec: completions: 1 backoffLimit: 1 {{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml index 3b21cea..b06c18d 100644 --- a/templates/gitea/act_runner/role-job.yaml +++ b/templates/gitea/act_runner/role-job.yaml @@ -1,3 +1,4 @@ +{{- if .Values.actions.enabled }} {{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} @@ -21,3 +22,4 @@ rules: - update - patch {{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml index 74f68e6..c80bd3e 100644 --- a/templates/gitea/act_runner/rolebinding-job.yaml +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -1,3 +1,4 @@ +{{- if .Values.actions.enabled }} {{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} @@ -18,3 +19,4 @@ subjects: name: {{ $name }} namespace: {{ .Release.Namespace }} {{- end }} +{{- end }} 
diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml index 5b57f3a..e6ee325 100644 --- a/templates/gitea/act_runner/secret-token.yaml +++ b/templates/gitea/act_runner/secret-token.yaml @@ -1,3 +1,4 @@ +{{- if .Values.actions.enabled }} {{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} @@ -15,3 +16,4 @@ data: token: {{ (b64dec (index $secret.data "token")) | b64enc }} {{ end -}} {{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml index 4e1738c..e2c0fb4 100644 --- a/templates/gitea/act_runner/serviceaccount-job.yaml +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -1,3 +1,4 @@ +{{- if .Values.actions.enabled }} {{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} --- @@ -9,3 +10,4 @@ metadata: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job {{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index c4d2375..7d5d096 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -54,7 +54,7 @@ spec: name: "{{ .Values.actions.existingSecret | default $secretName }}" key: "{{ .Values.actions.existingSecretKey | default "token" }}" - name: GITEA_INSTANCE_URL - value: {{ .Values.gitea.config.server.LOCAL_ROOT_URL | quote }} + value: {{ include "gitea.act_runner.local_root_url" . }} - name: CONFIG_FILE value: /actrunner/config.yaml resources: 
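Review bot: The new `GITEA_INSTANCE_URL` line in templates/gitea/act_runner/statefulset.yaml drops the `| quote` that the replaced line had, so a `LOCAL_ROOT_URL` supplied through values is written into the manifest as a bare YAML scalar. The chart-computed URL is harmless unquoted, but a user value containing ` #`, a leading `*` or `&`, or a trailing colon would be truncated or parsed as something other than a string. Keeping the filter costs nothing: `value: {{ include "gitea.act_runner.local_root_url" . | quote }}`. The container spec continues outside the hunk.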
diff --git a/unittests/act_runner/01-consistency-checks.yaml b/unittests/act_runner/01-consistency-checks.yaml new file mode 100644 index 0000000..1c30924 --- /dev/null +++ b/unittests/act_runner/01-consistency-checks.yaml 
@@ -0,0 +1,69 @@ +suite: actions template | consistency checks +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/01-consistency-checks.yaml +tests: + - it: fails when provisioning is enabled BUT persistence is completely disabled + set: + persistence: + enabled: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled + set: + persistence: + enabled: true + mount: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled AND existingSecret is given + set: + actions: + enabled: true + provisioning: + enabled: true + existingSecret: "secret-reference" + asserts: + - failedTemplate: + errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret" + - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing + set: + actions: + enabled: true + provisioning: + enabled: false + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecretKey is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecret: "my-secret" + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecret is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecretKey: "my-secret-key" + asserts: + - failedTemplate: + 
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml index 3a78787..2cba6bc 100644 --- a/unittests/act_runner/config-act-runner.yaml +++ b/unittests/act_runner/config-act-runner.yaml @@ -6,6 +6,11 @@ release: templates: - templates/gitea/act_runner/config-act-runner.yaml tests: + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-act-runner.yaml + asserts: + - hasDocuments: + count: 0 - it: renders a ConfigMap template: templates/gitea/act_runner/config-act-runner.yaml set: diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml index c8754ea..da6d9aa 100644 --- a/unittests/act_runner/config-scripts.yaml +++ b/unittests/act_runner/config-scripts.yaml @@ -5,10 +5,11 @@ release: templates: - templates/gitea/act_runner/config-scripts.yaml tests: - - it: renders a ConfigMap + - it: renders a ConfigMap when all criteria are met template: templates/gitea/act_runner/config-scripts.yaml set: actions: + enabled: true provisioning: enabled: true persistence: @@ -23,3 +24,26 @@ tests: name: gitea-unittests-scripts - isNotNullOrEmpty: path: data["token.sh"] + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria + template: templates/gitea/act_runner/config-scripts.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 
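Review bot: In unittests/act_runner/config-scripts.yaml the case named "doesn't renders a ConfigMap with disabled actions but enabled provisioning" has no `set:` block, so it renders with chart defaults and duplicates the "by default" case above it; the branch it names is never exercised. Add the values the name describes, i.e. a `set:` with `actions.enabled: false` and `actions.provisioning.enabled: true`. In the new consistency-check suite that ends on this line, the "provisioning is enabled AND existingSecret is given" case likewise depends on the default `persistence.enabled` and `persistence.mount` values (not visible here) to get past the first `fail`; setting them explicitly would keep the expected error message stable.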
diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml index c6fe62e..c1d32e2 100644 --- a/unittests/act_runner/job.yaml +++ b/unittests/act_runner/job.yaml @@ -3,7 +3,7 @@ release: name: gitea-unittests namespace: testing chart: - # Override appVersion to be consistent with used digest :) + # Override appVersion to have a pinned version for comparison appVersion: 1.19.3 templates: - templates/gitea/act_runner/job.yaml @@ -12,6 +12,7 @@ tests: template: templates/gitea/act_runner/job.yaml set: actions: + enabled: true provisioning: enabled: true persistence: @@ -32,6 +33,7 @@ tests: set: image.tag: "1.19.4" actions: + enabled: true provisioning: enabled: true publish: @@ -46,3 +48,18 @@ tests: - equal: path: spec.template.spec.containers[1].image value: "bitnami/kubectl:1.29.0" + - it: doesn't renders a Job by default + template: templates/gitea/act_runner/job.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled + template: templates/gitea/act_runner/job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml index 69bf54c..8c511d8 100644 --- a/unittests/act_runner/role-job.yaml +++ b/unittests/act_runner/role-job.yaml @@ -5,10 +5,16 @@ release: templates: - templates/gitea/act_runner/role-job.yaml tests: + - it: doesn't renders a Role by default + template: templates/gitea/act_runner/role-job.yaml + asserts: + - hasDocuments: + count: 0 - it: renders a Role template: templates/gitea/act_runner/role-job.yaml set: actions: + enabled: true provisioning: enabled: true persistence: 
@@ -21,3 +27,16 @@ tests: kind: Role apiVersion: rbac.authorization.k8s.io/v1 name: gitea-unittests-actions-token-job + - it: doesn't renders a Role when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/role-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml index 6c08aa5..2073bfc 100644 --- a/unittests/act_runner/rolebinding-job.yaml +++ b/unittests/act_runner/rolebinding-job.yaml @@ -5,10 +5,16 @@ release: templates: - templates/gitea/act_runner/rolebinding-job.yaml tests: + - it: doesn't renders a RoleBinding by default + template: templates/gitea/act_runner/rolebinding-job.yaml + asserts: + - hasDocuments: + count: 0 - it: renders a RoleBinding template: templates/gitea/act_runner/rolebinding-job.yaml set: actions: + enabled: true provisioning: enabled: true persistence: @@ -21,3 +27,16 @@ tests: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 name: gitea-unittests-actions-token-job + - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/rolebinding-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml index bca06a5..b5054f3 100644 --- a/unittests/act_runner/secret-token.yaml +++ b/unittests/act_runner/secret-token.yaml 
@@ -5,10 +5,16 @@ release: templates: - templates/gitea/act_runner/secret-token.yaml tests: + - it: doesn't renders a Secret by default + template: templates/gitea/act_runner/secret-token.yaml + asserts: + - hasDocuments: + count: 0 - it: renders a Secret template: templates/gitea/act_runner/secret-token.yaml set: actions: + enabled: true provisioning: enabled: true persistence: @@ -21,3 +27,16 @@ tests: kind: Secret apiVersion: v1 name: gitea-unittests-actions-token + - it: doesn't renders a Secret when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/secret-token.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml index 6e759b9..bf8f0c8 100644 --- a/unittests/act_runner/serviceaccount-job.yaml +++ b/unittests/act_runner/serviceaccount-job.yaml @@ -5,10 +5,16 @@ release: templates: - templates/gitea/act_runner/serviceaccount-job.yaml tests: + - it: doesn't renders a ServiceAccount by default + template: templates/gitea/act_runner/serviceaccount-job.yaml + asserts: + - hasDocuments: + count: 0 - it: renders a ServiceAccount template: templates/gitea/act_runner/serviceaccount-job.yaml set: actions: + enabled: true provisioning: enabled: true persistence: @@ -21,3 +27,16 @@ tests: kind: ServiceAccount apiVersion: v1 name: gitea-unittests-actions-token-job + - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/serviceaccount-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml index 017ddc5..cc10157 100644 --- a/unittests/act_runner/statefulset.yaml 
+++ b/unittests/act_runner/statefulset.yaml @@ -5,11 +5,40 @@ release: templates: - templates/gitea/act_runner/statefulset.yaml tests: - - it: renders a StatefulSet + - it: doesn't renders a StatefulSet by default + template: templates/gitea/act_runner/statefulset.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a StatefulSet (with given existingSecret/existingSecretKey) template: templates/gitea/act_runner/statefulset.yaml set: actions: enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "my-secret" + key: "my-secret-key" + - it: renders a StatefulSet (with secret reference defaults for enabled provisioning) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + provisioning: + enabled: true asserts: - hasDocuments: count: 1 
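Review bot: The assertions on `spec.template.spec.containers[0].env[3]` here, and on `env[4]` in the next hunk, pin the variables by position. Adding or reordering an unrelated env entry in the StatefulSet template would then break these tests without any change in behaviour. helm-unittest's `contains` assertion with `path: spec.template.spec.containers[0].env` and a `content:` block holding the expected entry checks the same secret reference regardless of order.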
@@ -25,3 +54,42 @@ tests: secretKeyRef: name: "gitea-unittests-actions-token" key: "token" + - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://gitea-unittests-http:3000" + - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://git.example.com" diff --git a/unittests/config/actions-config.yaml b/unittests/config/actions-config.yaml new file mode 100644 index 0000000..ada9694 --- /dev/null +++ b/unittests/config/actions-config.yaml 
@@ -0,0 +1,61 @@ +suite: config template | actions config +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/config.yaml +tests: + - it: "actions are not enabled by default" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=false + + - it: "actions can be enabled via inline config" + template: templates/gitea/config.yaml + set: + gitea.config.actions.ENABLED: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "actions can be enabled via dedicated values object" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "defines LOCAL_ROOT_URL when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000 + + - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://git.example.com -- 2.40.1 From ecceb1f4bba6de61c539624e3a183762db9cdb0f Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Fri, 8 Nov 2024 13:08:18 -0600 Subject: [PATCH 25/36] upgrade act runner image tag --- README.md | 2 +- values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 87be467..a67a619 100644 --- a/README.md +++ b/README.md 
@@ -1022,7 +1022,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | | `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | | `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` | | `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | | `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` | | `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | diff --git a/values.yaml b/values.yaml index e3486ac..31c1d21 100644 --- a/values.yaml +++ b/values.yaml @@ -393,7 +393,7 @@ actions: actRunner: repository: gitea/act_runner - tag: 0.2.6 + tag: 0.2.11 pullPolicy: IfNotPresent config: | -- 2.40.1 From 62acf9e06926974bff0ca946c08e35df1697b3e2 Mon Sep 17 00:00:00 2001 From: Vince Montalbano Date: Fri, 8 Nov 2024 13:16:33 -0600 Subject: [PATCH 26/36] fix typo in spacing --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a67a619..a6f4c2b 100644 --- a/README.md +++ b/README.md 
@@ -1022,7 +1022,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | | `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | | `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` | | `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | | `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` | | `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | -- 2.40.1 From f7c66c0336d211a5bfbdf9a6b95ead7c3ff6b5c0 Mon Sep 17 00:00:00 2001 
From: vjm Date: Sun, 10 Nov 2024 13:35:56 +0000 Subject: [PATCH 27/36] Add Gitea Actions act runner (#666) Co-authored-by: dementhorr Co-authored-by: Vince Montalbano Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/666 Reviewed-by: justusbunsi Co-authored-by: vjm Co-committed-by: vjm --- README.md | 35 ++++++ readme-actions-dev.md | 34 ++++++ scripts/token.sh | 43 +++++++ templates/_helpers.tpl | 39 ++++++ .../act_runner/01-consistency-checks.yaml | 15 +++ .../gitea/act_runner/config-act-runner.yaml | 14 +++ .../gitea/act_runner/config-scripts.yaml | 13 ++ templates/gitea/act_runner/job.yaml | 114 ++++++++++++++++++ templates/gitea/act_runner/role-job.yaml | 25 ++++ .../gitea/act_runner/rolebinding-job.yaml | 22 ++++ templates/gitea/act_runner/secret-token.yaml | 19 +++ .../gitea/act_runner/serviceaccount-job.yaml | 13 ++ templates/gitea/act_runner/statefulset.yaml | 114 ++++++++++++++++++ .../act_runner/01-consistency-checks.yaml | 69 +++++++++++ unittests/act_runner/config-act-runner.yaml | 45 +++++++ unittests/act_runner/config-scripts.yaml | 49 ++++++++ unittests/act_runner/job.yaml | 65 ++++++++++ unittests/act_runner/role-job.yaml | 42 +++++++ unittests/act_runner/rolebinding-job.yaml | 42 +++++++ unittests/act_runner/secret-token.yaml | 42 +++++++ unittests/act_runner/serviceaccount-job.yaml | 42 +++++++ unittests/act_runner/statefulset.yaml | 95 +++++++++++++++ unittests/config/actions-config.yaml | 61 ++++++++++ values.yaml | 90 ++++++++++++++ 24 files changed, 1142 insertions(+) create mode 100644 readme-actions-dev.md create mode 100644 scripts/token.sh create mode 100644 templates/gitea/act_runner/01-consistency-checks.yaml create mode 100644 templates/gitea/act_runner/config-act-runner.yaml create mode 100644 templates/gitea/act_runner/config-scripts.yaml create mode 100644 templates/gitea/act_runner/job.yaml create mode 100644 templates/gitea/act_runner/role-job.yaml create mode 100644 templates/gitea/act_runner/rolebinding-job.yaml create mode 
100644 templates/gitea/act_runner/secret-token.yaml create mode 100644 templates/gitea/act_runner/serviceaccount-job.yaml create mode 100644 templates/gitea/act_runner/statefulset.yaml create mode 100644 unittests/act_runner/01-consistency-checks.yaml create mode 100644 unittests/act_runner/config-act-runner.yaml create mode 100644 unittests/act_runner/config-scripts.yaml create mode 100644 unittests/act_runner/job.yaml create mode 100644 unittests/act_runner/role-job.yaml create mode 100644 unittests/act_runner/rolebinding-job.yaml create mode 100644 unittests/act_runner/secret-token.yaml create mode 100644 unittests/act_runner/serviceaccount-job.yaml create mode 100644 unittests/act_runner/statefulset.yaml create mode 100644 unittests/config/actions-config.yaml diff --git a/README.md b/README.md index 2888fc7..a6f4c2b 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ - [Persistence](#persistence-1) - [Init](#init) - [Signing](#signing) + - [Gitea Actions](#gitea-actions) - [Gitea](#gitea) - [LivenessProbe](#livenessprobe) - [ReadinessProbe](#readinessprobe) 
@@ -1007,6 +1008,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | +### Gitea Actions + +| Name | Description | Value | +| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `actions.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.init.image.repository` | The image used for the init containers | `busybox` | +| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` | +| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. 
See values.yaml` | +| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | +| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.provisioning.annotations` | Job's annotations | `{}` | +| `actions.provisioning.labels` | Job's labels | `{}` | +| `actions.provisioning.resources` | Job's resources | `{}` | +| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.provisioning.tolerations` | Tolerations for the job | `[]` | +| `actions.provisioning.affinity` | Affinity for the job | `{}` | +| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` | +| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | + ### Gitea | Name | Description | Value | diff --git a/readme-actions-dev.md b/readme-actions-dev.md new file mode 100644 index 0000000..a633ad3 --- /dev/null +++ b/readme-actions-dev.md 
@@ -0,0 +1,34 @@ +# Gitea Actions + +In order to use the Gitea Actions act-runner you must either: + +- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job) +- create a secret containing the act runner token and reference it as a `existingSecret` + +In order to use Gitea Actions, you must log on the server that's running Gitea and run the command: + `gitea actions generate-runner-token` + +This command will out a token that is needed by the act-runner to register with the Gitea backend. + +Because this is a manual operation, we automated this using a Kubernetes Job using the following containers: + +1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token` +2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and +the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret + +After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers: + +1) `act-runner`: authenticates with Gitea using the token that was stored in the secret +2) `dind`: DockerInDocker image that is used to run the actions + +If you are not using persistent volumes, you cannot use the Job to automatically generate the token. +In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke +the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via: + +```yaml +actions: + provisioning: + enabled: false + existingSecret: "secret-name" + existingSecretKey: "secret-key" +``` diff --git a/scripts/token.sh b/scripts/token.sh new file mode 100644 index 0000000..cbb2ebd --- /dev/null +++ b/scripts/token.sh 
@@ -0,0 +1,43 @@ +#!/bin/sh + +set -eu + +timeout_delay=15 + +check_token() { + set +e + + echo "Checking for existing token..." + token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)" + [ $? -ne 0 ] && return 1 + [ -z "$token" ] && return 2 + return 0 +} + +create_token() { + echo "Waiting for new token to be generated..." + begin=$(date +%s) + end=$((begin + timeout_delay)) + while true; do + [ -f /data/actions/token ] && return 0 + [ "$(date +%s)" -gt $end ] && return 1 + sleep 5 + done +} + +store_token() { + echo "Storing the token in Kubernetes secret..." + kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}" +} + +if check_token; then + echo "Key already in place, exiting." + exit +fi + +if ! create_token; then + echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay" + exit 1 +fi + +store_token diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9e9c613..64a5efb 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* +Create a default worker name. +*/}} +{{- define "gitea.workername" -}} +{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} 
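Review bot: `create_token` returns as soon as `[ -f /data/actions/token ]` is true, but the file only has to exist, not to hold a token. In job.yaml the file is produced by a `> /data/actions/token` redirect at the end of a pipeline in a container that runs alongside this one, so it can exist while still empty, and it stays empty when the `grep` matches nothing. `store_token` would then patch the Secret with an empty value, so the test should be `[ -s /data/actions/token ] && return 0`. Note also that `check_token` runs `set +e` and never restores it, so the rest of the script runs without errexit and a failing `base64` inside the command substitution in `store_token` goes unnoticed. The timeout message talks about checking the secret, although what timed out is the wait for the token file.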
@@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} +{{- define "gitea.labels.actRunner" -}} +helm.sh/chart: {{ include "gitea.chart" . }} +app: {{ include "gitea.name" . }}-act-runner +{{ include "gitea.selectorLabels.actRunner" . }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + {{/* Selector labels */}} @@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- define "gitea.selectorLabels.actRunner" -}} +app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + {{- define "postgresql-ha.dns" -}} {{- if (index .Values "postgresql-ha").enabled -}} {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}} @@ -199,6 +220,15 @@ https {{- end -}} {{- end -}} +{{- define "gitea.act_runner.local_root_url" -}} +{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}} + {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}} +{{- else -}} + {{/* fallback for allowing to overwrite this value via inline config */}} + {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}} +{{- end -}} +{{- end -}} + {{- define "gitea.inline_configuration" -}} {{- include "gitea.inline_configuration.init" . -}} {{- include "gitea.inline_configuration.defaults" . -}} 
@@ -263,6 +293,9 @@ https {{- if not (hasKey .Values.gitea.config "indexer") -}} {{- $_ := set .Values.gitea.config "indexer" dict -}} {{- end -}} + {{- if not (hasKey .Values.gitea.config "actions") -}} + {{- $_ := set .Values.gitea.config "actions" dict -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults" -}} @@ -309,6 +342,9 @@ https {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- end -}} + {{- if not .Values.gitea.config.actions.ENABLED -}} + {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults.server" -}} @@ -328,6 +364,9 @@ https {{- if not .Values.gitea.config.server.ROOT_URL -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- end -}} + {{- if .Values.actions.enabled -}} + {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}} + {{- end -}} {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} {{- end -}} diff --git a/templates/gitea/act_runner/01-consistency-checks.yaml b/templates/gitea/act_runner/01-consistency-checks.yaml new file mode 100644 index 0000000..25ae556 --- /dev/null +++ b/templates/gitea/act_runner/01-consistency-checks.yaml 
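Review bot: In the `@@ -309,6 +342,9 @@` hunk, `if not .Values.gitea.config.actions.ENABLED` cannot tell an unset key from an explicit boolean `false`. With `actions.enabled: true`, an operator's inline `gitea.config.actions.ENABLED: false` is therefore silently replaced by `"true"`. The init block in the hunk above already uses `hasKey`, so the guard can be `{{- if not (hasKey .Values.gitea.config.actions "ENABLED") -}}`. The enclosing `define` blocks start and end outside these hunks, so this assumes no later code normalises the value.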
@@ -0,0 +1,15 @@ +{{- if .Values.actions.enabled -}} + {{- if .Values.actions.provisioning.enabled -}} + {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}} + {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}} + {{- end -}} + {{- if and .Values.persistence.enabled .Values.persistence.mount -}} + {{- if .Values.actions.existingSecret -}} + {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}} + {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}} + {{- end -}} +{{- end -}} diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml new file mode 100644 index 0000000..03961ae --- /dev/null +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -0,0 +1,14 @@ +{{- if .Values.actions.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-act-runner-config + labels: + {{- include "gitea.labels" . | nindent 4 }} +data: + config.yaml: | + {{- with .Values.actions.statefulset.actRunner.config -}} + {{ . | nindent 4}} + {{- end -}} +{{- end }} diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml new file mode 100644 index 0000000..688bd20 --- /dev/null +++ b/templates/gitea/act_runner/config-scripts.yaml 
@@ -0,0 +1,13 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-scripts + labels: + {{- include "gitea.labels" . | nindent 4 }} +data: +{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml new file mode 100644 index 0000000..032671f --- /dev/null +++ b/templates/gitea/act_runner/job.yaml 
@@ -0,0 +1,114 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- with .Values.actions.provisioning.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/component: token-job + annotations: + {{- with .Values.actions.provisioning.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }} + template: + metadata: + labels: + {{- include "gitea.labels" . | nindent 8 }} + {{- with .Values.actions.provisioning.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app.kubernetes.io/component: token-job + spec: + initContainers: + - name: init-gitea + image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}" + command: + - sh + - -c + - | + while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do + sleep 5 + done + containers: + - name: actions-token-create + image: "{{ include "gitea.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + command: + - sh + - -c + - | + echo "Generating act_runner token via 'gitea actions generate-runner-token'..." 
+ mkdir -p /data/actions/ + gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token + resources: + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} + volumeMounts: + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: actions-token-upload + image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}" + imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }} + env: + - name: SECRET_NAME + value: {{ $secretName }} + command: + - sh + - -c + - | + printf "Checking rights to update kubernetes act_runner secret..." + kubectl auth can-i update secret/${SECRET_NAME} + /scripts/token.sh + resources: + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} + volumeMounts: + - mountPath: /scripts + name: scripts + readOnly: true + - mountPath: /data + name: data + readOnly: true + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- with .Values.actions.provisioning.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.provisioning.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.provisioning.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: Never + serviceAccount: {{ $name }} + volumes: + - name: scripts + configMap: + name: {{ include "gitea.fullname" . }}-scripts + defaultMode: 0755 + - name: data + persistentVolumeClaim: + claimName: {{ .Values.persistence.claimName }} + parallelism: 1 + completions: 1 + backoffLimit: 1 +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml new file mode 100644 index 0000000..b06c18d --- /dev/null +++ b/templates/gitea/act_runner/role-job.yaml 
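Review bot: The registration token that `actions-token-create` writes to `/data/actions/token` stays on the Gitea data volume after the Job completes. Nothing in this template removes it, and `actions-token-upload` mounts `/data` with `readOnly: true`, so token.sh cannot clean it up either. The file is created with the container's default umask, so I would at least add `umask 077` before the `mkdir -p /data/actions/` line and document that the file may be deleted once the Secret holds the token. Separately, the result of `kubectl auth can-i update secret/${SECRET_NAME}` is not acted on because the inline script has no `set -e`, so `/scripts/token.sh` runs even when the answer is no; `kubectl auth can-i update secret/${SECRET_NAME} || exit 1` would make the check effective.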
@@ -0,0 +1,25 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - {{ $secretName }} + verbs: + - get + - update + - patch +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml new file mode 100644 index 0000000..c80bd3e --- /dev/null +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -0,0 +1,22 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name }} +subjects: + - kind: ServiceAccount + name: {{ $name }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml new file mode 100644 index 0000000..e6ee325 --- /dev/null +++ b/templates/gitea/act_runner/secret-token.yaml 
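Review bot: The Role grants `update`, but the only write the Job performs is `kubectl patch secret` in scripts/token.sh; `update` appears to be needed only by the `kubectl auth can-i update` probe in job.yaml. Dropping `- update` from `verbs` and probing `patch` instead keeps the grant to what is actually used. The `resourceNames` restriction to the single token Secret is the right scope and should stay. In rolebinding-job.yaml the `$secretName` variable is defined but never referenced.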
@@ -0,0 +1,19 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} +{{ if $secret -}} +data: + token: {{ (b64dec (index $secret.data "token")) | b64enc }} +{{ end -}} +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml new file mode 100644 index 0000000..e2c0fb4 --- /dev/null +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -0,0 +1,13 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml new file mode 100644 index 0000000..7d5d096 --- /dev/null +++ b/templates/gitea/act_runner/statefulset.yaml 
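Review bot: In secret-token.yaml the `data:` block depends on `lookup`, which returns an empty result under `helm template` and client-side dry runs. Tools that apply rendered manifests would therefore write this Secret without `data` and, presumably, drop the token the Job stored, which deserves a comment in the template or the README. If the Secret exists but has no `token` key yet (for example after the Job timed out), `index $secret.data "token"` may fail to render or emit an empty value, so the `if` should also check that the key is present. The `b64dec ... | b64enc` round trip can be reduced to `token: {{ index $secret.data "token" }}`, and `$name` is unused in this file.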
@@ -0,0 +1,114 @@
+{{- if .Values.actions.enabled }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ {{- include "gitea.labels.actRunner" . | nindent 4 }}
+ {{- with .Values.actions.statefulset.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- with .Values.actions.statefulset.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "gitea.fullname" . }}-act-runner
+spec:
+ selector:
+ matchLabels:
+ {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "gitea.labels.actRunner" . | nindent 8 }}
+ {{- with .Values.actions.statefulset.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ initContainers:
+ - name: init-gitea
+ image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+ command:
+ - sh
+ - -c
+ - |
+ while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+ sleep 5
+ done
+ containers:
+ - name: act-runner
+ image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+ imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
+ workingDir: /data
+ env:
+ - name: DOCKER_HOST
+ value: tcp://127.0.0.1:2376
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ - name: DOCKER_CERT_PATH
+ value: /certs/server
+ - name: GITEA_RUNNER_REGISTRATION_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.actions.existingSecret | default $secretName }}"
+ key: "{{ .Values.actions.existingSecretKey | default "token" }}"
+ - name: GITEA_INSTANCE_URL
+ value: {{ include "gitea.act_runner.local_root_url" .
}}
+ - name: CONFIG_FILE
+ value: /actrunner/config.yaml
+ resources:
+ {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: /actrunner/config.yaml
+ name: act-runner-config
+ subPath: config.yaml
+ - mountPath: /certs/server
+ name: docker-certs
+ - mountPath: /data
+ name: data-act-runner
+ - name: dind
+ image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+ imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
+ env:
+ - name: DOCKER_HOST
+ value: tcp://127.0.0.1:2376
+ - name: DOCKER_TLS_VERIFY
+ value: "1"
+ - name: DOCKER_CERT_PATH
+ value: /certs/server
+ securityContext:
+ privileged: true
+ resources:
+ {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: /certs/server
+ name: docker-certs
+ {{- with .Values.actions.statefulset.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.actions.statefulset.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.actions.statefulset.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: act-runner-config
+ configMap:
+ name: {{ include "gitea.fullname" . }}-act-runner-config
+ - name: docker-certs
+ emptyDir: {}
+ volumeClaimTemplates:
+ - metadata:
+ name: data-act-runner
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ {{- include "gitea.persistence.storageClass" . | nindent 8 }}
+ resources:
+ requests:
+ storage: 1Mi
+{{- end }}
diff --git a/unittests/act_runner/01-consistency-checks.yaml b/unittests/act_runner/01-consistency-checks.yaml
new file mode 100644
index 0000000..1c30924
--- /dev/null
+++ b/unittests/act_runner/01-consistency-checks.yaml
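Review bot: The pod spec of this StatefulSet runs the `dind` sidecar with `privileged: true` next to the container that executes workflow jobs, and nothing in the template limits what else that pod can reach. The runner does not appear to call the Kubernetes API, so add `automountServiceAccountToken: false` under `spec.template.spec`; a job that gets hold of the Docker daemon then does not also find a cluster credential mounted in the pod. The privileged requirement should carry a comment above `securityContext`, such as `# DinD needs privileged mode; schedule these pods on dedicated nodes via nodeSelector/tolerations`. Both main containers also share the single `actions.statefulset.resources` value, and `init-gitea` sets neither `resources` nor a `securityContext`.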
@@ -0,0 +1,69 @@ +suite: actions template | consistency checks +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/01-consistency-checks.yaml +tests: + - it: fails when provisioning is enabled BUT persistence is completely disabled + set: + persistence: + enabled: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled + set: + persistence: + enabled: true + mount: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled AND existingSecret is given + set: + actions: + enabled: true + provisioning: + enabled: true + existingSecret: "secret-reference" + asserts: + - failedTemplate: + errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret" + - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing + set: + actions: + enabled: true + provisioning: + enabled: false + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecretKey is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecret: "my-secret" + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecret is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecretKey: "my-secret-key" + asserts: + - failedTemplate: + 
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml new file mode 100644 index 0000000..2cba6bc --- /dev/null +++ b/unittests/act_runner/config-act-runner.yaml @@ -0,0 +1,45 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json +suite: actions template | config-act-runner +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/config-act-runner.yaml +tests: + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-act-runner.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a ConfigMap + template: templates/gitea/act_runner/config-act-runner.yaml + set: + actions: + enabled: true + statefulset: + actRunner: + config: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-act-runner-config + - equal: + path: data["config.yaml"] + value: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml new file mode 100644 index 0000000..da6d9aa --- /dev/null +++ b/unittests/act_runner/config-scripts.yaml 
@@ -0,0 +1,49 @@ +suite: actions template | config-scripts +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/config-scripts.yaml +tests: + - it: renders a ConfigMap when all criteria are met + template: templates/gitea/act_runner/config-scripts.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-scripts + - isNotNullOrEmpty: + path: data["token.sh"] + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria + template: templates/gitea/act_runner/config-scripts.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml new file mode 100644 index 0000000..c1d32e2 --- /dev/null +++ b/unittests/act_runner/job.yaml 
@@ -0,0 +1,65 @@ +suite: actions template | job +release: + name: gitea-unittests + namespace: testing +chart: + # Override appVersion to have a pinned version for comparison + appVersion: 1.19.3 +templates: + - templates/gitea/act_runner/job.yaml +tests: + - it: renders a Job + template: templates/gitea/act_runner/job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Job + apiVersion: batch/v1 + name: gitea-unittests-actions-token-job + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.3-rootless" + - it: tag override + template: templates/gitea/act_runner/job.yaml + set: + image.tag: "1.19.4" + actions: + enabled: true + provisioning: + enabled: true + publish: + tag: "1.29.0" + persistence: + enabled: true + mount: true + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.4-rootless" + - equal: + path: spec.template.spec.containers[1].image + value: "bitnami/kubectl:1.29.0" + - it: doesn't renders a Job by default + template: templates/gitea/act_runner/job.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled + template: templates/gitea/act_runner/job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml new file mode 100644 index 0000000..8c511d8 --- /dev/null +++ b/unittests/act_runner/role-job.yaml 
@@ -0,0 +1,42 @@
+suite: actions template | role-job
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/act_runner/role-job.yaml
+tests:
+ - it: doesn't renders a Role by default
+ template: templates/gitea/act_runner/role-job.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: renders a Role
+ template: templates/gitea/act_runner/role-job.yaml
+ set:
+ actions:
+ enabled: true
+ provisioning:
+ enabled: true
+ persistence:
+ enabled: true
+ mount: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: gitea-unittests-actions-token-job
+ - it: doesn't renders a Role when criteria met BUT actions are not enabled
+ template: templates/gitea/act_runner/role-job.yaml
+ set:
+ actions:
+ enabled: false
+ provisioning:
+ enabled: true
+ persistence:
+ enabled: true
+ mount: true
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml
new file mode 100644
index 0000000..2073bfc
--- /dev/null
+++ b/unittests/act_runner/rolebinding-job.yaml
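Review bot: The "renders a Role" case checks only the document kind and name, so a later edit that removes `resourceNames` or widens `verbs` in role-job.yaml would still pass this suite. Pin the rule content with `equal` assertions on `rules[0].resources`, `rules[0].resourceNames` and `rules[0].verbs`. The expected Secret name is the `gitea-unittests-actions-token` value that the secret-token suite asserts for the same release name, and the verbs listed below mirror what the template grants in this patch.

```yaml
      # … unchanged: hasDocuments / containsDocument asserts of "renders a Role" …
      - equal:
          path: rules[0].resources
          value:
            - secrets
      - equal:
          path: rules[0].resourceNames
          value:
            - gitea-unittests-actions-token
      - equal:
          path: rules[0].verbs
          value:
            - get
            - update
            - patch
```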
@@ -0,0 +1,42 @@ +suite: actions template | rolebinding-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/rolebinding-job.yaml +tests: + - it: doesn't renders a RoleBinding by default + template: templates/gitea/act_runner/rolebinding-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a RoleBinding + template: templates/gitea/act_runner/rolebinding-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/rolebinding-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml new file mode 100644 index 0000000..b5054f3 --- /dev/null +++ b/unittests/act_runner/secret-token.yaml 
@@ -0,0 +1,42 @@ +suite: actions template | secret-token +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/secret-token.yaml +tests: + - it: doesn't renders a Secret by default + template: templates/gitea/act_runner/secret-token.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a Secret + template: templates/gitea/act_runner/secret-token.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-actions-token + - it: doesn't renders a Secret when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/secret-token.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml new file mode 100644 index 0000000..bf8f0c8 --- /dev/null +++ b/unittests/act_runner/serviceaccount-job.yaml 
@@ -0,0 +1,42 @@ +suite: actions template | serviceaccount-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/serviceaccount-job.yaml +tests: + - it: doesn't renders a ServiceAccount by default + template: templates/gitea/act_runner/serviceaccount-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a ServiceAccount + template: templates/gitea/act_runner/serviceaccount-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/serviceaccount-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml new file mode 100644 index 0000000..cc10157 --- /dev/null +++ b/unittests/act_runner/statefulset.yaml 
@@ -0,0 +1,95 @@ +suite: actions template | statefulset +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/statefulset.yaml +tests: + - it: doesn't renders a StatefulSet by default + template: templates/gitea/act_runner/statefulset.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a StatefulSet (with given existingSecret/existingSecretKey) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "my-secret" + key: "my-secret-key" + - it: renders a StatefulSet (with secret reference defaults for enabled provisioning) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "gitea-unittests-actions-token" + key: "token" + - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://gitea-unittests-http:3000" + - it: renders a StatefulSet 
(with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://git.example.com" diff --git a/unittests/config/actions-config.yaml b/unittests/config/actions-config.yaml new file mode 100644 index 0000000..ada9694 --- /dev/null +++ b/unittests/config/actions-config.yaml 
@@ -0,0 +1,61 @@ +suite: config template | actions config +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/config.yaml +tests: + - it: "actions are not enabled by default" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=false + + - it: "actions can be enabled via inline config" + template: templates/gitea/config.yaml + set: + gitea.config.actions.ENABLED: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "actions can be enabled via dedicated values object" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "defines LOCAL_ROOT_URL when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000 + + - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://git.example.com diff --git a/values.yaml b/values.yaml index 2b7ad7d..31c1d21 100644 --- a/values.yaml +++ b/values.yaml 
@@ -348,6 +348,96 @@ signing: # -----END PGP PRIVATE KEY BLOCK----- existingSecret: "" +# Configure Gitea Actions +# - must enable persistence if the job is enabled +## @section Gitea Actions +# +## @param actions.enabled Create an act runner StatefulSet. +## @param actions.init.image.repository The image used for the init containers +## @param actions.init.image.tag The image tag used for the init containers +## @param actions.statefulset.annotations Act runner annotations +## @param actions.statefulset.labels Act runner labels +## @param actions.statefulset.resources Act runner resources +## @param actions.statefulset.nodeSelector NodeSelector for the statefulset +## @param actions.statefulset.tolerations Tolerations for the statefulset +## @param actions.statefulset.affinity Affinity for the statefulset +## @param actions.statefulset.actRunner.repository The Gitea act runner image +## @param actions.statefulset.actRunner.tag The Gitea act runner tag +## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy +## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. 
+## @param actions.statefulset.dind.repository The Docker-in-Docker image +## @param actions.statefulset.dind.tag The Docker-in-Docker image tag +## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret +## @param actions.provisioning.annotations Job's annotations +## @param actions.provisioning.labels Job's labels +## @param actions.provisioning.resources Job's resources +## @param actions.provisioning.nodeSelector NodeSelector for the job +## @param actions.provisioning.tolerations Tolerations for the job +## @param actions.provisioning.affinity Affinity for the job +## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed +## @param actions.provisioning.publish.repository The image that can create the secret via kubectl +## @param actions.provisioning.publish.tag The publish image tag that can create the secret +## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret +## @param actions.existingSecret Secret that contains the token +## @param actions.existingSecretKey Secret key +actions: + enabled: false + statefulset: + annotations: {} + labels: {} + resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + actRunner: + repository: gitea/act_runner + tag: 0.2.11 + pullPolicy: IfNotPresent + + config: | + log: + level: debug + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" + + dind: + repository: docker + tag: 25.0.2-dind + pullPolicy: IfNotPresent + + init: + image: + repository: busybox + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "1.36.1" + + provisioning: + enabled: false + + annotations: {} + labels: {} + resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + publish: + repository: bitnami/kubectl + tag: 1.29.0 + pullPolicy: IfNotPresent + + ttlSecondsAfterFinished: 300 + + ## Specify an existing token secret + ## + existingSecret: "" + existingSecretKey: "" + ## @section Gitea # gitea: -- 2.40.1 From 7b892431d6eb961f963dbd5ffca7cf6e28c33c0e Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sun, 10 Nov 2024 14:02:15 +0000 Subject: [PATCH 28/36] Support custom envs for Action DinD container (#722) Follow-up to https://gitea.com/gitea/helm-chart/pulls/666. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/722 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- README.md | 1 + templates/gitea/act_runner/statefulset.yaml | 3 +++ unittests/act_runner/statefulset.yaml | 16 ++++++++++++++++ values.yaml | 6 ++++++ 4 files changed, 26 insertions(+) diff --git a/README.md b/README.md index a6f4c2b..ec41ac5 100644 --- a/README.md +++ b/README.md @@ -1028,6 +1028,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | | `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | | `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | | `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | | `actions.provisioning.annotations` | Job's annotations | `{}` | | `actions.provisioning.labels` | Job's labels | `{}` | diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 7d5d096..58939d2 100644 --- a/templates/gitea/act_runner/statefulset.yaml 
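Review bot: The comment `# Overrides the image tag whose default is the chart appVersion.` above `actions.init.image.tag` does not match the value beside it: the tag is a fixed `"1.36.1"` for busybox, and the StatefulSet template in this patch reads `.Values.actions.init.image.tag` directly with no appVersion fallback. Reword it to something like `# Tag of the busybox image used by the act runner init container`. Separately, the default `actRunner.config` sets `log.level: debug`; `info`, the level the config-act-runner unit test uses, is a more careful default for a component that handles a registration token and job output. The `@param actions.enabled` text should also say that the StatefulSet includes a privileged Docker-in-Docker container, since that is not visible anywhere in the values documentation.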
+++ b/templates/gitea/act_runner/statefulset.yaml @@ -77,6 +77,9 @@ spec: value: "1" - name: DOCKER_CERT_PATH value: /certs/server + {{- if .Values.actions.statefulset.dind.extraEnvs }} + {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }} + {{- end }} securityContext: privileged: true resources: diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml index cc10157..cd350d9 100644 --- a/unittests/act_runner/statefulset.yaml +++ b/unittests/act_runner/statefulset.yaml @@ -93,3 +93,19 @@ tests: value: name: GITEA_INSTANCE_URL value: "http://git.example.com" + - it: allows adding custom environment variables to the docker-in-docker container + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + statefulset: + dind: + extraEnvs: + - name: "CUSTOM_ENV_NAME" + value: "custom env value" + asserts: + - equal: + path: spec.template.spec.containers[1].env[3] + value: + name: "CUSTOM_ENV_NAME" + value: "custom env value" diff --git a/values.yaml b/values.yaml index 31c1d21..f3998ec 100644 --- a/values.yaml +++ b/values.yaml @@ -368,6 +368,7 @@ signing: ## @param actions.statefulset.dind.repository The Docker-in-Docker image ## @param actions.statefulset.dind.tag The Docker-in-Docker image tag ## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` ## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.provisioning.annotations Job's annotations ## @param actions.provisioning.labels Job's labels 
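Review bot: `extraEnvs` is rendered after the three built-in `DOCKER_*` entries of the `dind` container, so an entry that reuses one of those names becomes a duplicate in the list, and the value the container sees then depends on how Kubernetes resolves duplicates (as far as I know the later entry wins). A values file could in that way change `DOCKER_TLS_VERIFY` or `DOCKER_CERT_PATH` for the daemon while the `act-runner` container keeps the original settings. State the constraint in the values.yaml comment, for example `# Appended after DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH; do not redefine those names`. The new unit test also addresses the variable by position (`env[3]`), which breaks as soon as another built-in variable is added; helm-unittest's `contains` assertion on `spec.template.spec.containers[1].env` would not. The container definition continues outside this hunk.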
@@ -409,6 +410,11 @@ actions: repository: docker tag: 25.0.2-dind pullPolicy: IfNotPresent + # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable. + # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456 + extraEnvs: [] + # - name: "DOCKER_IPTABLES_LEGACY" + # value: "1" init: image: -- 2.40.1 From 2be2e2a639edbc463b64ac1e4d755223def20a32 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sun, 10 Nov 2024 20:15:46 +0000 Subject: [PATCH 29/36] Ensure dev-only files are not added to the tgz package (#723) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/723 Reviewed-by: techknowlogick --- .helmignore | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.helmignore b/.helmignore index e608c23..c0341ca 100644 --- a/.helmignore +++ b/.helmignore @@ -31,3 +31,8 @@ Makefile .drone.yml CONTRIBUTING.md unittests/ +.editorconfig +.prettierignore +.yamllint +CODEOWNERS +renovate.json5 -- 2.40.1 From 3bacaaad84fdae1e81cbe5a73577d5872cf08fba Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 30 Nov 2024 02:09:16 +0000 Subject: [PATCH 30/36] chore(deps): update subcharts (minor & patch) (#733) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.lock | 8 ++++---- Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Chart.lock b/Chart.lock index 5023ad2..17a14d8 100644 --- a/Chart.lock +++ b/Chart.lock 
@@ -1,15 +1,15 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.20 + version: 15.5.38 - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.16 + version: 14.3.10 - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts version: 10.3.0 - name: redis repository: oci://registry-1.docker.io/bitnamicharts version: 19.6.4 -digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732 -generated: "2024-08-03T00:21:16.080925346Z" +digest: sha256:462d513ac8ef7abfe26030fd2ea93eb79df167a861ebe09d6c58c7dcd5601e85 +generated: "2024-11-30T00:41:29.178889496Z" diff --git a/Chart.yaml b/Chart.yaml index dbdcae0..6cf2c41 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -36,12 +36,12 @@ dependencies: # https://github.com/bitnami/charts/blob/main/bitnami/postgresql - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.20 + version: 15.5.38 condition: postgresql.enabled # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.16 + version: 14.3.10 condition: postgresql-ha.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml - name: redis-cluster -- 2.40.1 From 389a8460e4d24b87d0644652cb5543a787333262 Mon Sep 17 00:00:00 2001 
From: Hitesh Nayak Date: Sat, 30 Nov 2024 13:59:29 +0000 Subject: [PATCH 31/36] feat(service-monitor): support bearer token authentication on metrics endpoint (#719) ### Benefits Can protect metrics endpoint with `Bearer` token authentication provided by gitea. see PR #637 for previous discussion. ### Possible drawbacks No possible drawbacks ### Applicable issues - fixes #635 ### Additional information ``` gitea: metrics: enabled: true token: "somepassword" serviceMonitor: enabled: true ``` Using above configuration is sufficient to secure /metrics endpoint with bearer token and corresponding ServiceMonitor. ### Checklist - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] ~~Breaking changes are documented in the `README.md`~~ Not applicable - [x] Templating unittests are added 
Signed-off-by: Hitesh Nayak Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/719 Reviewed-by: justusbunsi Co-authored-by: Hitesh Nayak Co-committed-by: Hitesh Nayak --- README.md | 17 +++++ templates/_helpers.tpl | 7 ++ templates/gitea/metrics-secret.yaml | 12 ++++ templates/gitea/servicemonitor.yaml | 8 +++ .../config/metrics-section_metrics-token.yaml | 58 +++++++++++++++ ...etrics-secret-servicemonitor-disabled.yaml | 23 ++++++ ...metrics-secret-servicemonitor-enabled.yaml | 33 +++++++++ .../servicemonitor-disabled.yaml | 23 ++++++ .../servicemonitor-enabled.yaml | 70 +++++++++++++++++++ values.yaml | 2 + 10 files changed, 253 insertions(+) create mode 100644 templates/gitea/metrics-secret.yaml create mode 100644 unittests/config/metrics-section_metrics-token.yaml create mode 100644 unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml create mode 100644 unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml create mode 100644 unittests/servicemonitor/servicemonitor-disabled.yaml create mode 100644 unittests/servicemonitor/servicemonitor-enabled.yaml diff --git a/README.md b/README.md index ec41ac5..d2dd0fd 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ - [OAuth2 Settings](#oauth2-settings) - [Configure commit signing](#configure-commit-signing) - [Metrics and profiling](#metrics-and-profiling) + - [Secure Metrics Endpoint](#secure-metrics-endpoint) - [Pod annotations](#pod-annotations) - [Themes](#themes) - [Renovate](#renovate) @@ -747,6 +748,21 @@ gitea: ENABLE_PPROF: true ``` +### Secure Metrics Endpoint + +Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication. + +**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`. + +```yaml +gitea: + metrics: + token: "secure-token" + enabled: true + serviceMonitor: + enabled: true +``` + ## Pod annotations Annotations can be added to the Gitea pod. 
@@ -1053,6 +1069,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | | `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | | `gitea.metrics.enabled` | Enable Gitea metrics | `false` | +| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` | | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | | `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | | `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 64a5efb..1b7cf3b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -311,6 +311,9 @@ https {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} {{- end -}} + {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}} + {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}} + {{- end -}} {{- /* redis queue */ -}} {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}} {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}} @@ -465,3 +468,7 @@ https {{- end -}} {{- toYaml $probe -}} {{- end -}} + +{{- define "gitea.metrics-secret-name" -}} +{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }} +{{- end -}} \ No newline at end of file 
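Review bot: In templates/_helpers.tpl the new `TOKEN` default is skipped whenever `gitea.config.metrics.TOKEN` is already set, but the metrics-secret.yaml and servicemonitor.yaml changes in this patch look only at `.Values.gitea.metrics.token`. A user who sets the token through `gitea.config.metrics` would get a protected `/metrics` endpoint and a ServiceMonitor that scrapes without credentials, and a user who sets both to different values would have Prometheus present a token Gitea does not accept. Consider failing the render when both are set and differ, or at least recording the precedence next to the new block, e.g. `{{- /* gitea.config.metrics.TOKEN wins here; ServiceMonitor auth only follows gitea.metrics.token */ -}}`. The enclosing define starts and ends outside the hunk.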
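Review bot: In the new `gitea.metrics-secret-name` helper, `default` is called with only the fallback value, so there is never anything for it to override and the helper always returns the printf result. Either drop it, `{{ printf "%s-metrics-secret" (include "gitea.fullname" .) }}`, or pass the value that is meant to override the name. The opening `{{` also lacks the `-` trim marker used elsewhere in this file; it is harmless here only because the surrounding `define` and `end` tags trim the whitespace.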
diff --git a/templates/gitea/metrics-secret.yaml b/templates/gitea/metrics-secret.yaml new file mode 100644 index 0000000..fe26596 --- /dev/null +++ b/templates/gitea/metrics-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.metrics-secret-name" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +data: + token: {{ .Values.gitea.metrics.token | b64enc }} +{{- end }} \ No newline at end of file diff --git a/templates/gitea/servicemonitor.yaml b/templates/gitea/servicemonitor.yaml index 1774214..502a1a8 100644 --- a/templates/gitea/servicemonitor.yaml +++ b/templates/gitea/servicemonitor.yaml @@ -32,4 +32,12 @@ spec: tlsConfig: {{- . | toYaml | nindent 6 }} {{- end }} + {{- if .Values.gitea.metrics.token }} + authorization: + type: Bearer + credentials: + name: {{ include "gitea.metrics-secret-name" . }} + key: token + optional: false + {{- end }} {{- end -}} \ No newline at end of file diff --git a/unittests/config/metrics-section_metrics-token.yaml b/unittests/config/metrics-section_metrics-token.yaml new file mode 100644 index 0000000..b8115a1 --- /dev/null +++ b/unittests/config/metrics-section_metrics-token.yaml 
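Review bot: In templates/gitea/metrics-secret.yaml, `b64enc` is applied directly to `.Values.gitea.metrics.token`, so a value that YAML parses as a non-string (an unquoted all-digit token, for instance) aborts the render with a type error instead of a clear message. A guard before the Secret makes the requirement explicit: `{{- if not (kindIs "string" .Values.gitea.metrics.token) }}{{ fail "gitea.metrics.token must be a quoted string" }}{{- end }}`. The token is also accepted only as a plain chart value, so it ends up in the stored release values; letting operators reference an existing Secret instead would be a reasonable follow-up.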
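Review bot: The `authorization` block in templates/gitea/servicemonitor.yaml is gated only on `.Values.gitea.metrics.token`, while the Secret it references is rendered under the three-way condition in metrics-secret.yaml; the two stay in step only because the part of this template outside the hunk is presumably already wrapped in the `metrics.enabled` and `serviceMonitor.enabled` checks. The `credentials` selector names the Secret without a namespace, so it is worth confirming that this ServiceMonitor renders into the same `.Values.namespace | default .Release.Namespace` as the Secret. A short comment above the block, e.g. `{{- /* Secret comes from metrics-secret.yaml, rendered under the same enabled/token conditions */}}`, would make the coupling visible to the next editor.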
@@ -0,0 +1,58 @@ +suite: config template | metrics section (metrics token) +release: + name: gitea-unittests + namespace: testing +tests: + - it: metrics token is set + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + TOKEN=somepassword + - it: metrics token is empty + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: metrics token is nil + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: does not configures a token if metrics are disabled + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: false + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=false diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml new file mode 100644 index 0000000..e3776ca --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml 
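Review bot: The suite in unittests/config/metrics-section_metrics-token.yaml never exercises the `hasKey .Values.gitea.config.metrics "TOKEN"` branch that this patch adds to _helpers.tpl: no case sets `gitea.config.metrics.TOKEN`, alone or together with `gitea.metrics.token`. A case that sets both to different values and asserts which one appears in `stringData.metrics` would pin the precedence. Minor wording: the last title reads `does not configures a token`; `does not configure a token` is meant.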
@@ -0,0 +1,23 @@ +suite: Metrics secret template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring disabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if monitoring disabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml new file mode 100644 index 0000000..78e714a --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml @@ -0,0 +1,33 @@ +suite: Metrics secret template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring enabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders Secret if monitoring enabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-metrics-secret + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: data.token + value: "dGVzdC10b2tlbg==" diff --git a/unittests/servicemonitor/servicemonitor-disabled.yaml b/unittests/servicemonitor/servicemonitor-disabled.yaml new file mode 100644 index 0000000..5b2de44 --- /dev/null 
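Review bot: Both metrics-secret suites switch `gitea.metrics.enabled` and `gitea.metrics.serviceMonitor.enabled` together, so the mixed cases of the template's three-way `and` are not tested. A case with `gitea.metrics.enabled: true`, `gitea.metrics.serviceMonitor.enabled: false` and a non-empty token, asserting `hasDocuments` with `count: 0`, would confirm that the token Secret is not created when nothing consumes it. The reverse combination (`enabled: false`, `serviceMonitor.enabled: true`) deserves the same assertion.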
+++ b/unittests/servicemonitor/servicemonitor-disabled.yaml @@ -0,0 +1,23 @@ +suite: ServiceMonitor template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: false + gitea.metrics.token: "" + gitea.metrics.serviceMonitor.enabled: false + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: false + gitea.metrics.token: "test-token" + gitea.metrics.serviceMonitor.enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/servicemonitor/servicemonitor-enabled.yaml b/unittests/servicemonitor/servicemonitor-enabled.yaml new file mode 100644 index 0000000..29d83ca --- /dev/null +++ b/unittests/servicemonitor/servicemonitor-enabled.yaml 
@@ -0,0 +1,70 @@ +suite: ServiceMonitor template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders unsecure ServiceMonitor if gitea.metrics.token nil + set: + gitea.metrics.enabled: true + gitea.metrics.token: + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + - it: renders unsecure ServiceMonitor if gitea.metrics.token empty + set: + gitea.metrics.enabled: true + gitea.metrics.token: "" + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + - it: renders secure ServiceMonitor if gitea.metrics.token not empty + set: + gitea.metrics.enabled: true + gitea.metrics.token: "test-token" + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + authorization: + type: Bearer + credentials: + name: gitea-unittests-metrics-secret + key: token + optional: false diff --git a/values.yaml b/values.yaml index f3998ec..2dfb62d 100644 --- a/values.yaml +++ b/values.yaml 
@@ -461,6 +461,7 @@ gitea: passwordMode: keepUpdated ## @param gitea.metrics.enabled Enable Gitea metrics + ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. @@ -469,6 +470,7 @@ gitea: ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. metrics: enabled: false + token: serviceMonitor: enabled: false # additionalLabels: -- 2.40.1 From 5f7d35390127e523b64449631a55c88773f0ef90 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sat, 30 Nov 2024 14:47:18 +0000 Subject: [PATCH 32/36] Prevent reoccurring namespace inconsistencies (#737) https://gitea.com/gitea/helm-chart/pulls/713 ensured that all resources contain a `namespace` field. When adding Gitea actions runner support in https://gitea.com/gitea/helm-chart/pulls/666, this was an oversight. Signed-off-by: justusbunsi Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/737 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- .gitea/PULL_REQUEST_TEMPLATE.md | 1 + templates/gitea/act_runner/config-act-runner.yaml | 1 + templates/gitea/act_runner/config-scripts.yaml | 1 + templates/gitea/act_runner/job.yaml | 1 + templates/gitea/act_runner/role-job.yaml | 1 + templates/gitea/act_runner/rolebinding-job.yaml | 1 + templates/gitea/act_runner/secret-token.yaml | 1 + templates/gitea/act_runner/serviceaccount-job.yaml | 1 + templates/gitea/act_runner/statefulset.yaml | 1 + 9 files changed, 9 insertions(+) 
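Review bot: In values.yaml the new `gitea.metrics.token` description says an empty value leaves the endpoint public, but not that the value is handled as plain text: per the other hunks of this patch it is copied into the rendered Gitea config and, with the ServiceMonitor enabled, into a separate Secret. I would extend the `@param` text along the lines of `... If not specified or empty metrics endpoint is public. Must be a quoted string; the value is kept in plain text in the chart values.` The README table is generated from this comment, so it would need regenerating with the change.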
diff --git a/.gitea/PULL_REQUEST_TEMPLATE.md b/.gitea/PULL_REQUEST_TEMPLATE.md index 01ad275..686d550 100644 --- a/.gitea/PULL_REQUEST_TEMPLATE.md +++ b/.gitea/PULL_REQUEST_TEMPLATE.md @@ -40,3 +40,4 @@ - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] Breaking changes are documented in the `README.md` - [ ] Templating unittests are added +- [ ] All added template resources MUST render a namespace in metadata diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml index 03961ae..433fb69 100644 --- a/templates/gitea/act_runner/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "gitea.fullname" . }}-act-runner-config + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} data: diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml index 688bd20..31b926e 100644 --- a/templates/gitea/act_runner/config-scripts.yaml +++ b/templates/gitea/act_runner/config-scripts.yaml @@ -5,6 +5,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "gitea.fullname" . }}-scripts + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} data: diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 032671f..e8189d9 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -7,6 +7,7 @@ apiVersion: batch/v1 kind: Job metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} {{- with .Values.actions.provisioning.labels }} 
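Review bot: The commit adds the missing `namespace:` lines by hand and guards against recurrence only with a checklist entry in the PR template; none of the nine changed files is a unittest. A helm-unittest case per act_runner template asserting `metadata.namespace` against the release namespace (`equal` with `path: metadata.namespace`) would catch the next omission automatically. This applies to every `namespace:` hunk in this patch: config-act-runner, config-scripts, job, role-job, rolebinding-job, secret-token, serviceaccount-job and statefulset.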
diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml index b06c18d..c2afa57 100644 --- a/templates/gitea/act_runner/role-job.yaml +++ b/templates/gitea/act_runner/role-job.yaml @@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml index c80bd3e..1c67e84 100644 --- a/templates/gitea/act_runner/rolebinding-job.yaml +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml index e6ee325..bc3416b 100644 --- a/templates/gitea/act_runner/secret-token.yaml +++ b/templates/gitea/act_runner/secret-token.yaml @@ -7,6 +7,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml index e2c0fb4..dd39752 100644 --- a/templates/gitea/act_runner/serviceaccount-job.yaml +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -6,6 +6,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job 
diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 58939d2..46382bf 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -14,6 +14,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "gitea.fullname" . }}-act-runner + namespace: {{ .Values.namespace | default .Release.Namespace }} spec: selector: matchLabels: -- 2.40.1 From 52153021e33953d0861af4b86c78fe2cc393b135 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sat, 30 Nov 2024 16:07:23 +0000 Subject: [PATCH 33/36] Finetune Renovate configuration (#738) `go-gitea/gitea` is no workflow dependency and therefore should not be grouped as such. It got automatically matched due to `custom.regex` manager in that rule. Since we now have image dependencies in our `values.yaml`, PR builds will fail when these changes are not represented in `README.md`. Using a [postUpgradeTask](https://docs.renovatebot.com/configuration-options/#postupgradetasks) allows customized Renovate behavior. Signed-off-by: justusbunsi Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/738 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- renovate.json5 | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/renovate.json5 b/renovate.json5 index d0a0ac6..7605fa7 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -63,6 +63,25 @@ 'patch', 'digest', ], + matchFileNames: [ + '!Chart.yaml', + ], + }, + { + description: 'Update README.md on changes in values.yaml', + matchManagers: [ + 'helm-values', + ], + postUpgradeTasks: { + commands: [ + 'install-tool node', + 'make readme', + ], + fileFilters: [ + 'README.md', + ], + executionMode: 'update', + }, }, { description: 'Override changelog url for Helm image, to have release notes in our PRs', -- 2.40.1 From 7cae9d3404a2b55b562c6cd546a1b042d7ef67de Mon Sep 17 00:00:00 2001 
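Review bot: The new rule in renovate.json5 makes Renovate execute `install-tool node` and `make readme` inside its own run for every `helm-values` update, and `make readme` runs whatever the repository's Makefile and npm dev-dependencies define at that point. On a self-hosted bot these commands only run if the global allowlist for post-upgrade commands permits them, and that allowlist should match exactly these two strings rather than a broad pattern. A comment next to `postUpgradeTasks` naming that requirement, e.g. `// requires both commands to be allowlisted in the bot's global config`, would help whoever maintains the bot. The enclosing rules array starts and ends outside the hunk.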
From: Renovate Bot Date: Sat, 30 Nov 2024 23:34:16 +0000 Subject: [PATCH 34/36] chore(deps): update busybox docker tag to v1.37.0 (#734) This PR contains the following updates: | Package | Update | Change | |---|---|---| | busybox | minor | `1.36.1` -> `1.37.0` | --- Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/734 Reviewed-by: techknowlogick Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- README.md | 2 +- values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d2dd0fd..2f9c9ba 100644 --- a/README.md +++ b/README.md @@ -1030,7 +1030,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | | `actions.enabled` | Create an act runner StatefulSet. | `false` | | `actions.init.image.repository` | The image used for the init containers | `busybox` | -| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` | +| `actions.init.image.tag` | The image tag used for the init containers | `1.37.0` | | `actions.statefulset.annotations` | Act runner annotations | `{}` | | `actions.statefulset.labels` | Act runner labels | `{}` | | `actions.statefulset.resources` | Act runner resources | `{}` | diff --git a/values.yaml b/values.yaml index 2dfb62d..cf9308d 100644 --- a/values.yaml +++ b/values.yaml @@ -420,7 +420,7 @@ actions: image: repository: busybox # Overrides the image tag whose default is the chart appVersion. - tag: "1.36.1" + tag: "1.37.0" provisioning: enabled: false -- 2.40.1 From e3db83e22b923bbea7aec27c9c4dfc3e69675f35 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Sat, 30 Nov 2024 23:44:11 +0000 Subject: [PATCH 35/36] chore(deps): update dependency go-gitea/gitea to v1.22.4 (#740) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [go-gitea/gitea](https://github.com/go-gitea/gitea) | patch | `1.22.3` -> `1.22.4` | --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/740 Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 6cf2c41..21a0e63 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes type: application version: 0.0.0 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?.*)$ -appVersion: 1.22.3 +appVersion: 1.22.4 icon: https://gitea.com/assets/img/logo.svg keywords: -- 2.40.1 From aec87c249050aca00e560e3d560dceaf13df8d0c Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Sat, 30 Nov 2024 23:47:49 +0000 Subject: [PATCH 36/36] chore(deps): update workflow dependencies (minor & patch) (#735) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | | minor | `3.15.3` -> `3.16.3` | | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | container | minor | `3.15.3` -> `3.16.3` | | [helm-unittest/helm-unittest](https://github.com/helm-unittest/helm-unittest) | | minor | `v0.5.2` -> `v0.7.0` | | [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli) | devDependencies | minor | [`^0.41.0` -> `^0.43.0`](https://renovatebot.com/diffs/npm/markdownlint-cli/0.41.0/0.43.0) | --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/735 Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- .gitea/workflows/release-version.yml | 2 +- .gitea/workflows/test-pr.yml | 4 +- .vscode/settings.json | 2 +- package-lock.json | 149 +++++++++++++-------------- package.json | 2 +- 5 files changed, 74 insertions(+), 85 deletions(-) diff --git a/.gitea/workflows/release-version.yml b/.gitea/workflows/release-version.yml index 994add0..3b95267 100644 --- a/.gitea/workflows/release-version.yml +++ b/.gitea/workflows/release-version.yml @@ -7,7 +7,7 @@ on: env: # renovate: datasource=docker depName=alpine/helm - HELM_VERSION: "3.15.3" + HELM_VERSION: "3.16.3" jobs: generate-chart-publish: diff --git a/.gitea/workflows/test-pr.yml b/.gitea/workflows/test-pr.yml index 78ed267..2797c75 100644 --- a/.gitea/workflows/test-pr.yml +++ b/.gitea/workflows/test-pr.yml 
@@ -11,12 +11,12 @@ on: env: # renovate: datasource=github-releases depName=helm-unittest/helm-unittest - HELM_UNITTEST_VERSION: "v0.5.2" + HELM_UNITTEST_VERSION: "v0.7.0" jobs: check-and-test: runs-on: ubuntu-latest - container: alpine/helm:3.15.3 + container: alpine/helm:3.16.3 steps: - name: install tools run: | diff --git a/.vscode/settings.json b/.vscode/settings.json index 5271d28..1b31698 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,6 @@ { "yaml.schemas": { - "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [ + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.0/schema/helm-testsuite.json": [ "/unittests/**/*.yaml" ] }, diff --git a/package-lock.json b/package-lock.json index c00c95e..3edacb1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "license": "MIT", "devDependencies": { "@bitnami/readme-generator-for-helm": "^2.5.0", - "markdownlint-cli": "^0.41.0" + "markdownlint-cli": "^0.43.0" }, "engines": { "node": ">=16.0.0", @@ -48,16 +48,6 @@ "node": ">=12" } }, - "node_modules/@pkgjs/parseargs": { - "version": "0.11.0", - "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", - "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", - "dev": true, - "optional": true, - "engines": { - "node": ">=14" - } - }, "node_modules/ansi-regex": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz", 
@@ -228,18 +218,6 @@ "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", "dev": true }, - "node_modules/get-stdin": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz", - "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==", - "dev": true, - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", @@ -261,10 +239,11 @@ } }, "node_modules/ignore": { - "version": "5.3.1", - "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz", - "integrity": "sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==", + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-6.0.2.tgz", + "integrity": "sha512-InwqeHHN2XpumIkMvpl/DCJVrAHgCsG5+cn1XlnLWGwtZBm8QJfSusItfrwx81CTp5agNZqpKU2J/ccC5nGT4A==", "dev": true, + "license": "MIT", "engines": { "node": ">= 4" } @@ -310,22 +289,19 @@ "dev": true }, "node_modules/jackspeak": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.1.2.tgz", - "integrity": "sha512-kWmLKn2tRtfYMF/BakihVVRzBKOxz4gJMiL2Rj91WnAB5TPZumSH99R/Yf1qE1u4uRimvCSJfm6hnxohXeEXjQ==", + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.0.2.tgz", + "integrity": "sha512-bZsjR/iRjl1Nk1UkjGpAzLNfQtzuijhn2g+pbZb98HQ1Gk8vM9hfbxeMBP+M2/UUdwj0RqGG3mlvk2MsAqwvEw==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/cliui": "^8.0.2" }, "engines": { - "node": ">=14" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" - }, - "optionalDependencies": { - "@pkgjs/parseargs": "^0.11.0" } }, "node_modules/js-yaml": { 
@@ -341,10 +317,11 @@ } }, "node_modules/jsonc-parser": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.1.tgz", - "integrity": "sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==", - "dev": true + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz", + "integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==", + "dev": true, + "license": "MIT" }, "node_modules/jsonpointer": { "version": "5.0.1", @@ -371,12 +348,13 @@ "dev": true }, "node_modules/lru-cache": { - "version": "10.2.2", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz", - "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==", + "version": "11.0.2", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.0.2.tgz", + "integrity": "sha512-123qHRfJBmo2jXDbo/a5YOQrJoHF/GNQTLzQ5+IdK5pWpceK17yRc6ozlWd25FxvGKQbIUs91fDFkXmDHTKcyA==", "dev": true, + "license": "ISC", "engines": { - "node": "14 || >=16.14" + "node": "20 || >=22" } }, "node_modules/markdown-it": { @@ -410,13 +388,14 @@ } }, "node_modules/markdownlint": { - "version": "0.34.0", - "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.34.0.tgz", - "integrity": "sha512-qwGyuyKwjkEMOJ10XN6OTKNOVYvOIi35RNvDLNxTof5s8UmyGHlCdpngRHoRGNvQVGuxO3BJ7uNSgdeX166WXw==", + "version": "0.36.1", + "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.36.1.tgz", + "integrity": "sha512-s73fU2CQN7WCgjhaQUQ8wYESQNzGRNOKDd+3xgVqu8kuTEhmwepd/mxOv1LR2oV046ONrTLBFsM7IoKWNvmy5g==", "dev": true, + "license": "MIT", "dependencies": { "markdown-it": "14.1.0", - "markdownlint-micromark": "0.1.9" + "markdownlint-micromark": "0.1.12" }, "engines": { "node": ">=18" 
@@ -426,23 +405,22 @@ } }, "node_modules/markdownlint-cli": { - "version": "0.41.0", - "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.41.0.tgz", - "integrity": "sha512-kp29tKrMKdn+xonfefjp3a/MsNzAd9c5ke0ydMEI9PR98bOjzglYN4nfMSaIs69msUf1DNkgevAIAPtK2SeX0Q==", + "version": "0.43.0", + "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.43.0.tgz", + "integrity": "sha512-6vwurKK4B21eyYzwgX6ph13cZS7hE6LZfcS8QyD722CyxVD2RtAvbZK2p7k+FZbbKORulEuwl+hJaEq1l6/hoQ==", "dev": true, "license": "MIT", "dependencies": { "commander": "~12.1.0", - "get-stdin": "~9.0.0", - "glob": "~10.4.1", - "ignore": "~5.3.1", + "glob": "~11.0.0", + "ignore": "~6.0.2", "js-yaml": "^4.1.0", - "jsonc-parser": "~3.2.1", + "jsonc-parser": "~3.3.1", "jsonpointer": "5.0.1", - "markdownlint": "~0.34.0", - "minimatch": "~9.0.4", + "markdownlint": "~0.36.1", + "minimatch": "~10.0.1", "run-con": "~1.3.2", - "smol-toml": "~1.2.0" + "smol-toml": "~1.3.1" }, "bin": { "markdownlint": "markdownlint.js" 
@@ -472,49 +450,51 @@ } }, "node_modules/markdownlint-cli/node_modules/glob": { - "version": "10.4.1", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.1.tgz", - "integrity": "sha512-2jelhlq3E4ho74ZyVLN03oKdAZVUa6UDZzFLVH1H7dnoax+y9qyaq8zBkfDIggjniU19z0wU18y16jMB2eyVIw==", + "version": "11.0.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-11.0.0.tgz", + "integrity": "sha512-9UiX/Bl6J2yaBbxKoEBRm4Cipxgok8kQYcOPEhScPwebu2I0HoQOuYdIO6S3hLuWoZgpDpwQZMzTFxgpkyT76g==", "dev": true, "license": "ISC", "dependencies": { "foreground-child": "^3.1.0", - "jackspeak": "^3.1.2", - "minimatch": "^9.0.4", + "jackspeak": "^4.0.1", + "minimatch": "^10.0.0", "minipass": "^7.1.2", - "path-scurry": "^1.11.1" + "package-json-from-dist": "^1.0.0", + "path-scurry": "^2.0.0" }, "bin": { "glob": "dist/esm/bin.mjs" }, "engines": { - "node": ">=16 || 14 >=14.18" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/markdownlint-cli/node_modules/minimatch": { - "version": "9.0.4", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz", - "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==", + "version": "10.0.1", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.0.1.tgz", + "integrity": "sha512-ethXTt3SGGR+95gudmqJ1eNhRO7eGEGIgYA9vnPatK4/etz2MEVDno5GMCibdMTuBMyElzIlgxMna3K94XDIDQ==", "dev": true, "license": "ISC", "dependencies": { "brace-expansion": "^2.0.1" }, "engines": { - "node": ">=16 || 14 >=14.17" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/markdownlint-micromark": { - "version": "0.1.9", - "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.9.tgz", - "integrity": "sha512-5hVs/DzAFa8XqYosbEAEg6ok6MF2smDj89ztn9pKkCtdKHVdPQuGMH7frFfYL9mLkvfFe4pTyAMffLbjf3/EyA==", + "version": "0.1.12", + "resolved": 
"https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.12.tgz", + "integrity": "sha512-RlB6EwMGgc0sxcIhOQ2+aq7Zw1V2fBnzbXKGgYK/mVWdT7cz34fteKSwfYeo4rL6+L/q2tyC9QtD/PgZbkdyJQ==", "dev": true, + "license": "MIT", "engines": { "node": ">=18" }, @@ -568,6 +548,13 @@ "wrappy": "1" } }, + "node_modules/package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "dev": true, + "license": "BlueOak-1.0.0" + }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", @@ -587,17 +574,17 @@ } }, "node_modules/path-scurry": { - "version": "1.11.1", - "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", - "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.0.tgz", + "integrity": "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { - "lru-cache": "^10.2.0", - "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + "lru-cache": "^11.0.0", + "minipass": "^7.1.2" }, "engines": { - "node": ">=16 || 14 >=14.18" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" 
@@ -670,14 +657,16 @@ } }, "node_modules/smol-toml": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.2.0.tgz", - "integrity": "sha512-KObxdQANC/xje3OoatMbSwQf2XAvJ0RbK+4nmQRszFNZptbNRnMWqbLF/zb4sMi9xJ6HNyhWXeuZ9zC/I/XY7w==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.3.1.tgz", + "integrity": "sha512-tEYNll18pPKHroYSmLLrksq233j021G0giwW7P3D24jC54pQ5W5BXMsQ/Mvw1OJCmEYDgY+lrzT+3nNUtoNfXQ==", "dev": true, "license": "BSD-3-Clause", "engines": { - "node": ">= 18", - "pnpm": ">= 9" + "node": ">= 18" + }, + "funding": { + "url": "https://github.com/sponsors/cyyynthia" } }, "node_modules/string-width": { diff --git a/package.json b/package.json index 3cc3449..1b02f2a 100644 --- a/package.json +++ b/package.json @@ -14,6 +14,6 @@ }, "devDependencies": { "@bitnami/readme-generator-for-helm": "^2.5.0", - "markdownlint-cli": "^0.41.0" + "markdownlint-cli": "^0.43.0" } } -- 2.40.1