rebased: Add Gitea Actions act runner #666

Merged
vjm merged 27 commits from gitea-actions into main 2024-11-10 13:35:57 +00:00
18 changed files with 118 additions and 89 deletions
Showing only changes of commit aca60bc626 - Show all commits

View File

@ -45,6 +45,7 @@
- [Persistence](#persistence-1)
- [Init](#init)
- [Signing](#signing)
- [Gitea Actions](#gitea-actions)
- [Gitea](#gitea)
- [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe)
@ -1001,38 +1002,37 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
### Gitea Actions
| Name | Description | Value |
| ------------------------------------------ | --------------------------------------------------------------------------- | ------------------ |
| `actions.enabled` | Create an act runner StatefulSet. | `false` |
| `actions.statefulset.annotations` | Act runner annotations | `{}` |
| `actions.statefulset.labels` | Act runner labels | `{}` |
| `actions.statefulset.resources` | Act runner resources | `{}` |
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
| `actions.statefulset.config` | Act runner custom configuration. | `""` |
| `actions.statefulset.runnerLabels` | Act runner labels. | `""` |
| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` |
| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
| `actions.job.annotations` | Job's annotations | `{}` |
| `actions.job.labels` | Job's labels | `{}` |
| `actions.job.resources` | Job's resources | `{}` |
| `actions.job.nodeSelector` | NodeSelector for the job | `{}` |
| `actions.job.tolerations` | Tolerations for the job | `[]` |
| `actions.job.affinity` | Affinity for the job | `{}` |
| `actions.job.token.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` |
| `actions.job.token.tag` | The token image tag that can create a token | `""` |
| `actions.job.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` |
| `actions.job.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
| `actions.job.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
| `actions.job.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
| `actions.existingSecret` | Secret that contains the token | `""` |
| `actions.existingSecretKey` | Secret key | `""` |
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `actions.enabled` | Create an act runner StatefulSet. | `false` |
| `actions.statefulset.annotations` | Act runner annotations | `{}` |
| `actions.statefulset.labels` | Act runner labels | `{}` |
| `actions.statefulset.resources` | Act runner resources | `{}` |
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` |
| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
| `actions.provisioning.annotations` | Job's annotations | `{}` |
| `actions.provisioning.labels` | Job's labels | `{}` |
| `actions.provisioning.resources` | Job's resources | `{}` |
| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` |
| `actions.provisioning.tolerations` | Tolerations for the job | `[]` |
| `actions.provisioning.affinity` | Affinity for the job | `{}` |
| `actions.provisioning.token.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` |
| `actions.provisioning.token.tag` | The token image tag that can create a token | `""` |
| `actions.provisioning.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` |
| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
| `actions.existingSecret` | Secret that contains the token | `""` |
| `actions.existingSecretKey` | Secret key | `""` |
### Gitea
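Review bot: Missing upgrade guidance for the renamed and removed parameters in the Gitea Actions table. Every `actions.job.*` key becomes `actions.provisioning.*`, and `actions.statefulset.config` and `actions.statefulset.runnerLabels` give way to `actions.statefulset.actRunner.config`, so values files written against the old names are no longer read by the templates in this commit. Add a short note under the heading that maps old keys to new ones and states that runner labels now belong under `runner.labels` in the act runner config.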

View File

@ -284,6 +284,9 @@ https
{{- if not (hasKey .Values.gitea.config "indexer") -}}
{{- $_ := set .Values.gitea.config "indexer" dict -}}
{{- end -}}
{{- if not (hasKey .Values.gitea.config "actions") -}}
{{- $_ := set .Values.gitea.config "actions" dict -}}
{{- end -}}
{{- end -}}
{{- define "gitea.inline_configuration.defaults" -}}
@ -330,6 +333,15 @@ https
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
{{- end -}}
{{- if not .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED -}}
{{- $_ := set .Values.gitea.config.actions "GITEA__ACTIONS__ENABLED" "true" -}}
{{- end -}}
{{- if not .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL -}}
{{- $_ := set .Values.gitea.config.actions "GITEA__SERVER__LOCAL_ROOT_URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}}
{{- end -}}
{{- if not .Values.gitea.config.actions.GITEA__INSTANCE__URL -}}
{{- $_ := set .Values.gitea.config.actions "GITEA__INSTANCE__URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}}
{{- end -}}
{{- end -}}
{{- define "gitea.inline_configuration.defaults.server" -}}
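Review bot: The `if not .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED` guard cannot tell an unset key from one explicitly set to boolean `false`, so a user who disables Actions this way has the value overwritten with `"true"`. Test with `hasKey`, as the section-level guards earlier in this file do. On the same lines, `GITEA__SERVER__LOCAL_ROOT_URL` is a `server` setting stored under the `actions` dict with an environment-variable style name, which will look wrong if this dict is rendered as a config section the way `indexer` is, and `GITEA__INSTANCE__URL` is defaulted here but not referenced in any other hunk of this commit. None of the three defaults is gated on `.Values.actions.enabled`.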

View File

@ -7,16 +7,8 @@ metadata:
labels:
{{- include "gitea.labels" . | nindent 4 }}
data:
{{- if .Values.actions.statefulset.config }}
config.yaml: |
{{- with .Values.actions.statefulset.config -}}
{{- with .Values.actions.statefulset.actRunner.config -}}
{{ . | nindent 4}}
{{- end -}}
{{- else }}
config.yaml: |
log:
level: debug
cache:
enabled: false
{{- end }}
{{- end }}
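Review bot: With the `else` branch gone, an empty `actions.statefulset.actRunner.config` renders `config.yaml: |` with no body, while the StatefulSet still points `CONFIG_FILE` at `/actrunner/config.yaml`. Wrap the value in `required` with a clear message, or keep a minimal default here, so that blanking the value produces a template error instead of a runner started on an empty config file.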

View File

@ -1,4 +1,4 @@
{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
---
apiVersion: v1
kind: ConfigMap

View File

@ -1,6 +1,6 @@
{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if .Values.actions.existingSecret }}
{{- fail "Can't specify both actions.job.enabled and actions.existingSecret" }}
{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" }}
{{- end }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
@ -11,12 +11,12 @@ metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.actions.job.labels }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: token-job
annotations:
{{- with .Values.actions.job.annotations }}
{{- with .Values.actions.provisioning.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
@ -25,7 +25,7 @@ spec:
metadata:
labels:
{{- include "gitea.labels" . | nindent 8 }}
{{- with .Values.actions.job.labels }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: token-job
@ -42,8 +42,8 @@ spec:
done
containers:
- name: actions-token-create
image: "{{ .Values.actions.job.token.repository }}:{{ .Values.actions.job.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}"
imagePullPolicy: {{ .Values.actions.job.token.pullPolicy }}
image: "{{ .Values.actions.provisioning.token.repository }}:{{ .Values.actions.provisioning.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}"
imagePullPolicy: {{ .Values.actions.provisioning.token.pullPolicy }}
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
@ -55,7 +55,7 @@ spec:
mkdir -p /data/actions/
gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
resources:
{{- toYaml .Values.actions.job.resources | nindent 12 }}
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- name: data
mountPath: /data
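Review bot: The token pipeline in this container's script has no failure check. If `gitea actions generate-runner-token` prints nothing matching `^.{40}$`, the redirect still creates an empty `/data/actions/token`, and unless `pipefail` is set outside the visible lines the step exits with the status of `tr`. While this hunk is open, fail the step when the file is empty (`test -s /data/actions/token`) and restrict the file mode, since the registration token sits on the shared `/data` volume.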
@ -63,8 +63,8 @@ spec:
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: actions-token-upload
image: "{{ .Values.actions.job.publish.repository }}:{{ .Values.actions.job.publish.tag }}"
imagePullPolicy: {{ .Values.actions.job.publish.pullPolicy }}
image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
env:
- name: SECRET_NAME
value: {{ $secretName }}
@ -76,7 +76,7 @@ spec:
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/token.sh
resources:
{{- toYaml .Values.actions.job.resources | nindent 12 }}
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
@ -87,15 +87,15 @@ spec:
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- with .Values.actions.job.nodeSelector }}
{{- with .Values.actions.provisioning.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.job.affinity }}
{{- with .Values.actions.provisioning.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.job.tolerations }}
{{- with .Values.actions.provisioning.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

View File

@ -1,4 +1,4 @@
{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---

View File

@ -1,4 +1,4 @@
{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---

View File

@ -1,4 +1,4 @@
{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---

View File

@ -1,4 +1,4 @@
{{- if and (and .Values.actions.job.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
---
apiVersion: v1

View File

@ -55,8 +55,6 @@ spec:
key: "{{ .Values.actions.existingSecretKey | default "token" }}"
- name: GITEA_INSTANCE_URL
value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}"
- name: GITEA_RUNNER_LABELS
value: "{{ .Values.actions.statefulset.runnerLabels | default "ubuntu-latest" }}"
- name: CONFIG_FILE
value: /actrunner/config.yaml
resources:
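Review bot: Dropping `GITEA_RUNNER_LABELS`, which defaulted to `ubuntu-latest`, leaves `runner.labels` in the config file as the only source of labels, so anyone overriding `actions.statefulset.actRunner.config` without a `runner.labels` list registers a runner with no chart-provided label. Document that next to the parameter. Separately, `GITEA_INSTANCE_URL` is hard-coded to `http://`, so the runner talks to the in-cluster service in clear text; a comment stating that assumption would help.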
@ -80,7 +78,6 @@ spec:
- name: DOCKER_CERT_PATH
value: /certs/server
securityContext:
# allowPrivilegeEscalation: true
privileged: true
resources:
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
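Review bot: `privileged: true` stays on the container configured with `DOCKER_CERT_PATH` after the commented-out `allowPrivilegeEscalation` line is removed, and nothing in the hunk documents why. A privileged Docker-in-Docker container gives workflow jobs a path to the node, so add a comment explaining that the sidecar requires it and point users to `actions.statefulset.nodeSelector` and `actions.statefulset.tolerations` for scheduling runners onto dedicated nodes.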

View File

@ -71,6 +71,12 @@ spec:
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
{{- if .Values.actions.enabled }}
- name: GITEA__ACTIONS__ENABLED
value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }}
- name: GITEA__SERVER__LOCAL_ROOT_URL
value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }}
{{- end }}
{{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }}
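Review bot: This six-line `{{- if .Values.actions.enabled }}` block is repeated verbatim in all four hunks of this file. Move it into a named template and `include` it at each site so the copies cannot drift apart. Note also that the env vars are gated on `.Values.actions.enabled` while the values they read from `.Values.gitea.config.actions` are defaulted unconditionally in the helpers; one gate for both would be easier to reason about.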
@ -106,6 +112,12 @@ spec:
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
{{- if .Values.actions.enabled }}
- name: GITEA__ACTIONS__ENABLED
value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }}
- name: GITEA__SERVER__LOCAL_ROOT_URL
value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }}
{{- end }}
{{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }}
@ -245,6 +257,12 @@ spec:
{{- end }}
- name: GITEA_ADMIN_PASSWORD_MODE
value: {{ include "gitea.admin.passwordMode" $ }}
{{- if .Values.actions.enabled }}
- name: GITEA__ACTIONS__ENABLED
value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }}
- name: GITEA__SERVER__LOCAL_ROOT_URL
value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }}
{{- end }}
{{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }}
@ -294,6 +312,12 @@ spec:
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
{{- end }}
{{- if .Values.actions.enabled }}
- name: GITEA__ACTIONS__ENABLED
value: {{ .Values.gitea.config.actions.GITEA__ACTIONS__ENABLED | quote }}
- name: GITEA__SERVER__LOCAL_ROOT_URL
value: {{ .Values.gitea.config.actions.GITEA__SERVER__LOCAL_ROOT_URL | quote }}
{{- end }}
{{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }}

View File

@ -9,7 +9,7 @@ tests:
template: templates/gitea/act_runner/config-scripts.yaml
set:
actions:
job:
provisioning:
enabled: true
persistence:
enabled: true
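Review bot: The test changes in this commit only rename `job` to `provisioning` in the `set:` block. None of the visible test hunks covers the `fail` path for `actions.provisioning.enabled` combined with `actions.existingSecret`, or the rendering of `actions.statefulset.actRunner.config` into the ConfigMap. Add a case for each.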

View File

@ -9,7 +9,7 @@ tests:
template: templates/gitea/act_runner/job.yaml
set:
actions:
job:
provisioning:
enabled: true
persistence:
enabled: true

View File

@ -9,7 +9,7 @@ tests:
template: templates/gitea/act_runner/role-job.yaml
set:
actions:
job:
provisioning:
enabled: true
persistence:
enabled: true

View File

@ -9,7 +9,7 @@ tests:
template: templates/gitea/act_runner/rolebinding-job.yaml
set:
actions:
job:
provisioning:
enabled: true
persistence:
enabled: true

View File

@ -9,7 +9,7 @@ tests:
template: templates/gitea/act_runner/secret-token.yaml
set:
actions:
job:
provisioning:
enabled: true
persistence:
enabled: true

View File

@ -9,7 +9,7 @@ tests:
template: templates/gitea/act_runner/serviceaccount-job.yaml
set:
actions:
job:
provisioning:
enabled: true
persistence:
enabled: true

View File

@ -341,7 +341,6 @@ signing:
# Configure Gitea Actions
# - must enable persistence if the job is enabled
# - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL
## @section Gitea Actions
#
## @param actions.enabled Create an act runner StatefulSet.
@ -351,27 +350,26 @@ signing:
## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
## @param actions.statefulset.tolerations Tolerations for the statefulset
## @param actions.statefulset.affinity Affinity for the statefulset
## @param actions.statefulset.config Act runner custom configuration.
## @param actions.statefulset.runnerLabels Act runner labels.
## @param actions.statefulset.actRunner.repository The Gitea act runner image
## @param actions.statefulset.actRunner.tag The Gitea act runner tag
## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
## @param actions.statefulset.dind.repository The Docker-in-Docker image
## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret
## @param actions.job.annotations Job's annotations
## @param actions.job.labels Job's labels
## @param actions.job.resources Job's resources
## @param actions.job.nodeSelector NodeSelector for the job
## @param actions.job.tolerations Tolerations for the job
## @param actions.job.affinity Affinity for the job
## @param actions.job.token.repository The image that can create a token via `gitea actions generate-runner-token`
## @param actions.job.token.tag The token image tag that can create a token
## @param actions.job.token.pullPolicy The token image pullPolicy that can create a token
## @param actions.job.publish.repository The image that can create the secret via kubectl
## @param actions.job.publish.tag The publish image tag that can create the secret
## @param actions.job.publish.pullPolicy The publish image pullPolicy that can create the secret
## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
## @param actions.provisioning.annotations Job's annotations
## @param actions.provisioning.labels Job's labels
## @param actions.provisioning.resources Job's resources
## @param actions.provisioning.nodeSelector NodeSelector for the job
## @param actions.provisioning.tolerations Tolerations for the job
## @param actions.provisioning.affinity Affinity for the job
## @param actions.provisioning.token.repository The image that can create a token via `gitea actions generate-runner-token`
## @param actions.provisioning.token.tag The token image tag that can create a token
## @param actions.provisioning.token.pullPolicy The token image pullPolicy that can create a token
## @param actions.provisioning.publish.repository The image that can create the secret via kubectl
## @param actions.provisioning.publish.tag The publish image tag that can create the secret
## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
## @param actions.existingSecret Secret that contains the token
## @param actions.existingSecretKey Secret key
actions:
@ -384,20 +382,26 @@ actions:
tolerations: []
affinity: {}
config: ""
runnerLabels: ""
actRunner:
repository: gitea/act_runner
tag: 0.2.6
pullPolicy: IfNotPresent
config: |
log:
level: debug
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"
dind:
repository: docker
tag: 25.0.2-dind
pullPolicy: IfNotPresent
job:
provisioning:
enabled: false
annotations: {}
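Review bot: The default `actRunner.config` ships `log.level: debug`, which is verbose for a chart default and increases how much job and registration detail ends up in pod logs. Default to `info` and leave `debug` as a documented opt-in. The `cache.enabled: false` default deserves a one-line comment explaining why it is off.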