rebased: Add Gitea Actions act runner #666

Merged
vjm merged 27 commits from gitea-actions into main 2024-11-10 13:35:57 +00:00
15 changed files with 118 additions and 78 deletions
Showing only changes of commit 938e0b09af

@ -999,40 +999,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### GiteaActions ### Gitea Actions
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | | ------------------------------------------ | --------------------------------------------------------------------------- | ------------------ |
| `actions.statefulset.enabled` | Create an act runner StatefulSet. | `false` | | `actions.enabled` | Create an act runner StatefulSet. | `false` |
| `actions.statefulset.annotations` | Act runner annotations | `{}` | | `actions.statefulset.annotations` | Act runner annotations | `{}` |
| `actions.statefulset.labels` | Act runner labels | `{}` | | `actions.statefulset.labels` | Act runner labels | `{}` |
| `actions.statefulset.resources` | Act runner resources | `{}` | | `actions.statefulset.resources` | Act runner resources | `{}` |
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | | `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | | `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | | `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
| `actions.statefulset.config` | Act runner custom configuration. | `""` | | `actions.statefulset.config` | Act runner custom configuration. | `""` |
| `actions.statefulset.runnerLabels` | Act runner labels. | `""` | | `actions.statefulset.runnerLabels` | Act runner labels. | `""` |
| `actions.statefulset.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | | `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
| `actions.statefulset.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | | `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` |
| `actions.statefulset.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | | `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
| `actions.statefulset.dindImage.repository` | The Docker-in-Docker image | `docker` | | `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
| `actions.statefulset.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | | `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
| `actions.statefulset.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | | `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | | `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
| `actions.job.annotations` | Job's annotations | `{}` | | `actions.job.annotations` | Job's annotations | `{}` |
| `actions.job.labels` | Job's labels | `{}` | | `actions.job.labels` | Job's labels | `{}` |
| `actions.job.resources` | Job's resources | `{}` | | `actions.job.resources` | Job's resources | `{}` |
| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | | `actions.job.nodeSelector` | NodeSelector for the job | `{}` |
| `actions.job.tolerations` | Tolerations for the job | `[]` | | `actions.job.tolerations` | Tolerations for the job | `[]` |
| `actions.job.affinity` | Affinity for the job | `{}` | | `actions.job.affinity` | Affinity for the job | `{}` |
| `actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | | `actions.job.token.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` |
| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | | `actions.job.token.tag` | The token image tag that can create a token | `""` |
| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | | `actions.job.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` |
| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | | `actions.job.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | | `actions.job.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | | `actions.job.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
| `actions.existingSecret` | Secret that contains the token | `""` | | `actions.existingSecret` | Secret that contains the token | `""` |
| `actions.existingSecretKey` | Secret key | `""` | | `actions.existingSecretKey` | Secret key | `""` |
### Gitea ### Gitea
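Review bot: `actions.statefulset.labels` ("Act runner labels") and `actions.statefulset.runnerLabels` ("Act runner labels.") have the same description in the new table, so a reader cannot tell the Kubernetes labels on the StatefulSet from the labels handed to the runner (the StatefulSet template sets `GITEA_RUNNER_LABELS`). Reword the two descriptions so they differ, for example "Labels added to the act runner StatefulSet" and "Labels the act runner registers with". The `actions.enabled` row still reads "Create an act runner StatefulSet." although the same flag now also gates the ConfigMap template, so the description could say that it enables the act runner resources as a whole.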

readme-actions-dev.md Normal file

@ -0,0 +1,44 @@
# Gitea Actions
In order to use the Gitea Actions act-runner you must:
- set the following environment variables to `deployment.env` (modify LOCAL_ROOT_URL if you used a different service name):
```yaml
deployment:
env:
- name: GITEA__ACTIONS__ENABLED
value: 'true'
- name: GITEA__SERVER__LOCAL_ROOT_URL
value: http://gitea-http:3000
```
- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
`gitea actions generate-runner-token`
This command will out a token that is needed by the act-runner to register with the Gitea backend.
Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
2) `dind`: DockerInDocker image that is used to run the actions
If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
```yaml
actions:
job:
enabled: false
existingSecret: "secret-name"
existingSecretKey: "secret-key"
```
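Review bot: step 1 of the Job description writes the runner registration token in plaintext to `/data/actions/token` on the Gitea persistent volume, and the README never says whether that file is removed once `actions-token-upload` has stored it in the Kubernetes secret. Document the file's lifetime and permissions, or have `/scripts/token.sh` delete it after the secret is created, since anything that mounts `/data/` can otherwise read a token that registers runners. The first bullet list also makes "enable persistence" an unconditional requirement, while the last paragraph describes a supported setup without persistent volumes; say up front that persistence is needed only when `actions.job.enabled` is true. Small wording fix: "This command will out a token" should read "will output a token".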

@ -27,7 +27,6 @@ If release name contains chart name it will be used as a full name.
{{/* {{/*
Create a default worker name. Create a default worker name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}} */}}
{{- define "gitea.workername" -}} {{- define "gitea.workername" -}}
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
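Review bot: in `gitea.workername`, `trunc 63` is applied after the release name and worker are joined, so with a long release name it is the worker suffix that gets cut, and two workers whose names share a prefix can render to the same resource name. Since this helper now also names the `actions-token` secret, consider truncating the release-name part and keeping `.worker` whole, or note the limit in the comment above the define.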

@ -1,4 +1,4 @@
{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- if .Values.actions.enabled }}
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap

@ -42,8 +42,8 @@ spec:
done done
containers: containers:
- name: actions-token-create - name: actions-token-create
image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default (printf "%s-rootless" .Chart.AppVersion) }}" image: "{{ .Values.actions.job.token.repository }}:{{ .Values.actions.job.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}"
imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }} imagePullPolicy: {{ .Values.actions.job.token.pullPolicy }}
env: env:
- name: GITEA_APP_INI - name: GITEA_APP_INI
value: /data/gitea/conf/app.ini value: /data/gitea/conf/app.ini
@ -63,8 +63,8 @@ spec:
subPath: {{ .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }}
{{- end }} {{- end }}
- name: actions-token-upload - name: actions-token-upload
image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag }}" image: "{{ .Values.actions.job.publish.repository }}:{{ .Values.actions.job.publish.tag }}"
imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }} imagePullPolicy: {{ .Values.actions.job.publish.pullPolicy }}
env: env:
- name: SECRET_NAME - name: SECRET_NAME
value: {{ $secretName }} value: {{ $secretName }}
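Review bot: the `actions-token-upload` image on the changed lines is built from `repository:tag` only, and the container handles the runner token and writes a Secret through the Kubernetes API. The README section this PR edits already mentions a digest parameter for the main image; offering the same option under `actions.job.publish` and `actions.job.token` would let operators pin these images by digest instead of relying on a mutable tag.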

@ -1,4 +1,4 @@
{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }} {{- if .Values.actions.enabled }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
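Review bot: the new guard `{{- if .Values.actions.enabled }}` drops both persistence conditions, but `$secretName` on the following line still names the `actions-token` secret that the README describes as filled in by the Job. With `actions.enabled` true, `actions.job.enabled` false and `actions.existingSecret` empty, this template does not show where the token comes from. Consider a `fail` for that combination, or state in the values comments that one of the two must be set.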
@ -38,8 +38,8 @@ spec:
done done
containers: containers:
- name: act-runner - name: act-runner
image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag }}" image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }} imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
workingDir: /data workingDir: /data
env: env:
- name: DOCKER_HOST - name: DOCKER_HOST
@ -52,7 +52,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: "{{ .Values.actions.existingSecret | default $secretName }}" name: "{{ .Values.actions.existingSecret | default $secretName }}"
key: "{{ .Values.actions.existingSecret | default "token" }}" key: "{{ .Values.actions.existingSecretKey | default "token" }}"
- name: GITEA_INSTANCE_URL - name: GITEA_INSTANCE_URL
value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}" value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}"
- name: GITEA_RUNNER_LABELS - name: GITEA_RUNNER_LABELS
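Review bot: the corrected `key:` line falls back to "token" when `actions.existingSecretKey` is empty, but the README table and the `@param` comment list that value's default as `""` with the description "Secret key" and no mention of the fallback. Add the fallback to the description (for example "Key in the existing secret that holds the token, defaults to `token`") so a user who sets only `actions.existingSecret` knows which key the runner will read.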
@ -70,8 +70,8 @@ spec:
- mountPath: /data - mountPath: /data
name: data-act-runner name: data-act-runner
- name: dind - name: dind
image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag }}" image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }} imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
env: env:
- name: DOCKER_HOST - name: DOCKER_HOST
value: tcp://127.0.0.1:2376 value: tcp://127.0.0.1:2376

@ -9,8 +9,7 @@ tests:
template: templates/gitea/act_runner/config-act-runner.yaml template: templates/gitea/act_runner/config-act-runner.yaml
set: set:
actions: actions:
statefulset: enabled: true
enabled: true
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1

@ -5,7 +5,7 @@ release:
templates: templates:
- templates/gitea/act_runner/config-scripts.yaml - templates/gitea/act_runner/config-scripts.yaml
tests: tests:
- it: renders a deployment - it: renders a ConfigMap
template: templates/gitea/act_runner/config-scripts.yaml template: templates/gitea/act_runner/config-scripts.yaml
set: set:
actions: actions:

@ -5,7 +5,7 @@ release:
templates: templates:
- templates/gitea/act_runner/job.yaml - templates/gitea/act_runner/job.yaml
tests: tests:
- it: renders a deployment - it: renders a Job
template: templates/gitea/act_runner/job.yaml template: templates/gitea/act_runner/job.yaml
set: set:
actions: actions:

@ -5,7 +5,7 @@ release:
templates: templates:
- templates/gitea/act_runner/role-job.yaml - templates/gitea/act_runner/role-job.yaml
tests: tests:
- it: renders a role - it: renders a Role
template: templates/gitea/act_runner/role-job.yaml template: templates/gitea/act_runner/role-job.yaml
set: set:
actions: actions:

@ -5,7 +5,7 @@ release:
templates: templates:
- templates/gitea/act_runner/rolebinding-job.yaml - templates/gitea/act_runner/rolebinding-job.yaml
tests: tests:
- it: renders a deployment - it: renders a RoleBinding
template: templates/gitea/act_runner/rolebinding-job.yaml template: templates/gitea/act_runner/rolebinding-job.yaml
set: set:
actions: actions:

@ -5,7 +5,7 @@ release:
templates: templates:
- templates/gitea/act_runner/secret-token.yaml - templates/gitea/act_runner/secret-token.yaml
tests: tests:
- it: renders a deployment - it: renders a Secret
template: templates/gitea/act_runner/secret-token.yaml template: templates/gitea/act_runner/secret-token.yaml
set: set:
actions: actions:

@ -5,7 +5,7 @@ release:
templates: templates:
- templates/gitea/act_runner/serviceaccount-job.yaml - templates/gitea/act_runner/serviceaccount-job.yaml
tests: tests:
- it: renders a deployment - it: renders a ServiceAccount
template: templates/gitea/act_runner/serviceaccount-job.yaml template: templates/gitea/act_runner/serviceaccount-job.yaml
set: set:
actions: actions:

@ -5,12 +5,11 @@ release:
templates: templates:
- templates/gitea/act_runner/statefulset.yaml - templates/gitea/act_runner/statefulset.yaml
tests: tests:
- it: renders a deployment - it: renders a StatefulSet
template: templates/gitea/act_runner/statefulset.yaml template: templates/gitea/act_runner/statefulset.yaml
set: set:
actions: actions:
statefulset: enabled: true
enabled: true
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1
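Review bot: the StatefulSet test shown here asserts only `hasDocuments: count: 1`, so the `secretKeyRef` fix made in statefulset.yaml in this same commit (key taken from `existingSecretKey` instead of `existingSecret`) has no regression coverage. Add a case that sets `actions.existingSecret` and `actions.existingSecretKey` to different values and asserts the rendered `name` and `key`, plus one with the key unset that expects `token`.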

@ -340,11 +340,11 @@ signing:
existingSecret: "" existingSecret: ""
# Configure Gitea Actions # Configure Gitea Actions
# - must enable persistence # - must enable persistence if the job is enabled
# - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL # - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL
## @section GiteaActions ## @section Gitea Actions
# #
## @param actions.statefulset.enabled Create an act runner StatefulSet. ## @param actions.enabled Create an act runner StatefulSet.
## @param actions.statefulset.annotations Act runner annotations ## @param actions.statefulset.annotations Act runner annotations
## @param actions.statefulset.labels Act runner labels ## @param actions.statefulset.labels Act runner labels
## @param actions.statefulset.resources Act runner resources ## @param actions.statefulset.resources Act runner resources
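Review bot: the reworded comment "must enable persistence if the job is enabled" is now the only place that requirement lives, because the template guards changed in this commit no longer test `persistence.enabled` or `persistence.mount`. A comment will not stop a render with `actions.job.enabled: true` and persistence off; move the check into the Job template as a condition or a `fail` with a clear message so the misconfiguration surfaces at install time.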
@ -353,12 +353,12 @@ signing:
## @param actions.statefulset.affinity Affinity for the statefulset ## @param actions.statefulset.affinity Affinity for the statefulset
## @param actions.statefulset.config Act runner custom configuration. ## @param actions.statefulset.config Act runner custom configuration.
## @param actions.statefulset.runnerLabels Act runner labels. ## @param actions.statefulset.runnerLabels Act runner labels.
## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image ## @param actions.statefulset.actRunner.repository The Gitea act runner image
## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag ## @param actions.statefulset.actRunner.tag The Gitea act runner tag
## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy ## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
## @param actions.statefulset.dindImage.repository The Docker-in-Docker image ## @param actions.statefulset.dind.repository The Docker-in-Docker image
## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag ## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy ## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret
## @param actions.job.annotations Job's annotations ## @param actions.job.annotations Job's annotations
## @param actions.job.labels Job's labels ## @param actions.job.labels Job's labels
@ -366,18 +366,17 @@ signing:
## @param actions.job.nodeSelector NodeSelector for the job ## @param actions.job.nodeSelector NodeSelector for the job
## @param actions.job.tolerations Tolerations for the job ## @param actions.job.tolerations Tolerations for the job
## @param actions.job.affinity Affinity for the job ## @param actions.job.affinity Affinity for the job
## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token` ## @param actions.job.token.repository The image that can create a token via `gitea actions generate-runner-token`
## @param actions.job.tokenImage.tag The token image tag that can create a token ## @param actions.job.token.tag The token image tag that can create a token
## @param actions.job.tokenImage.pullPolicy The token image pullPolicy that can create a token ## @param actions.job.token.pullPolicy The token image pullPolicy that can create a token
## @param actions.job.publishImage.repository The image that can create the secret via kubectl ## @param actions.job.publish.repository The image that can create the secret via kubectl
## @param actions.job.publishImage.tag The publish image tag that can create the secret ## @param actions.job.publish.tag The publish image tag that can create the secret
## @param actions.job.publishImage.pullPolicy The publish image pullPolicy that can create the secret ## @param actions.job.publish.pullPolicy The publish image pullPolicy that can create the secret
## @param actions.existingSecret Secret that contains the token ## @param actions.existingSecret Secret that contains the token
## @param actions.existingSecretKey Secret key ## @param actions.existingSecretKey Secret key
actions: actions:
enabled: false
statefulset: statefulset:
enabled: false
annotations: {} annotations: {}
labels: {} labels: {}
resources: {} resources: {}
@ -388,14 +387,14 @@ actions:
config: "" config: ""
runnerLabels: "" runnerLabels: ""
actRunnerImage: actRunner:
repository: gitea/act_runner repository: gitea/act_runner
tag: 0.2.6 tag: 0.2.6
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
dindImage: dind:
repository: docker repository: docker
tag: 24.0.7-dind tag: 25.0.2-dind
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
job: job:
@ -408,12 +407,12 @@ actions:
tolerations: [] tolerations: []
affinity: {} affinity: {}
tokenImage: token:
repository: gitea/gitea repository: gitea/gitea
tag: "" tag: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
publishImage: publish:
repository: bitnami/kubectl repository: bitnami/kubectl
tag: 1.29.0 tag: 1.29.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent