From de586b14d1b4525d9ee883220ada5483738d1f55 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 27 Jul 2024 00:19:12 +0000 Subject: [PATCH 01/24] chore(deps): update dependency helm-unittest/helm-unittest to v0.5.2 --- .gitea/workflows/test-pr.yml | 2 +- .vscode/settings.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/test-pr.yml b/.gitea/workflows/test-pr.yml index cbbfcbd..78ed267 100644 --- a/.gitea/workflows/test-pr.yml +++ b/.gitea/workflows/test-pr.yml @@ -11,7 +11,7 @@ on: env: # renovate: datasource=github-releases depName=helm-unittest/helm-unittest - HELM_UNITTEST_VERSION: "v0.5.1" + HELM_UNITTEST_VERSION: "v0.5.2" jobs: check-and-test: diff --git a/.vscode/settings.json b/.vscode/settings.json index f7fde3e..5271d28 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,6 @@ { "yaml.schemas": { - "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.1/schema/helm-testsuite.json": [ + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [ "/unittests/**/*.yaml" ] }, -- 2.40.1 From 1c71764d3c5ffd02869700412b277323f6511a06 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 27 Jul 2024 00:42:36 +0000 Subject: [PATCH 02/24] chore(deps): update dependency helm-unittest/helm-unittest to v0.5.2 (#692) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- .gitea/workflows/test-pr.yml | 2 +- .vscode/settings.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/test-pr.yml b/.gitea/workflows/test-pr.yml index cbbfcbd..78ed267 100644 --- a/.gitea/workflows/test-pr.yml +++ b/.gitea/workflows/test-pr.yml @@ -11,7 +11,7 @@ on: env: # renovate: datasource=github-releases depName=helm-unittest/helm-unittest - HELM_UNITTEST_VERSION: "v0.5.1" + HELM_UNITTEST_VERSION: "v0.5.2" jobs: check-and-test: diff --git a/.vscode/settings.json b/.vscode/settings.json index f7fde3e..5271d28 100644 
--- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,6 @@ { "yaml.schemas": { - "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.1/schema/helm-testsuite.json": [ + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [ "/unittests/**/*.yaml" ] }, -- 2.40.1 From 339ee942606fd89ec38f95e57df16bc555e902f9 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 28 Jul 2024 00:21:27 +0000 Subject: [PATCH 03/24] chore(deps): update subcharts (minor & patch) (#693) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.lock | 12 ++++++------ Chart.yaml | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Chart.lock b/Chart.lock index 0a1b8e3..9223ca5 100644 --- a/Chart.lock +++ b/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.17 + version: 15.5.20 - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.12 + version: 14.2.14 - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts - version: 10.2.7 + version: 10.2.9 - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 19.6.2 -digest: sha256:842e8878e2da9cd62c2233f5ebfcdaa05598633a8bc2fa84803006929cf0c3cc -generated: "2024-07-20T00:44:58.227558466Z" + version: 19.6.4 +digest: sha256:b6d81fdd70e6c2928e815f169749cb8f773c113a08088b0180180829558e4c18 +generated: "2024-07-27T00:47:31.621904982Z" diff --git a/Chart.yaml b/Chart.yaml index d65e571..9b467c3 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -36,20 +36,20 @@ dependencies: # https://github.com/bitnami/charts/blob/main/bitnami/postgresql - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.17 + version: 15.5.20 condition: postgresql.enabled # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.12 + version: 14.2.14 condition: postgresql-ha.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts - version: 10.2.7 + version: 10.2.9 condition: redis-cluster.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 19.6.2 + version: 19.6.4 condition: redis.enabled -- 2.40.1 From 036b469ff9d4c2c3fe385eb623d7356157140c69 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 3 Aug 2024 00:46:33 +0000 Subject: [PATCH 04/24] chore(deps): update subcharts (minor & patch) (#695) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.lock | 8 ++++---- Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Chart.lock b/Chart.lock index 9223ca5..5023ad2 100644 --- a/Chart.lock +++ b/Chart.lock @@ -4,12 +4,12 @@ dependencies: version: 15.5.20 - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.14 + version: 14.2.16 - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts - version: 10.2.9 + version: 10.3.0 - name: redis repository: oci://registry-1.docker.io/bitnamicharts version: 19.6.4 -digest: sha256:b6d81fdd70e6c2928e815f169749cb8f773c113a08088b0180180829558e4c18 -generated: "2024-07-27T00:47:31.621904982Z" +digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732 +generated: "2024-08-03T00:21:16.080925346Z" 
diff --git a/Chart.yaml b/Chart.yaml index 9b467c3..3e62db5 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -41,12 +41,12 @@ dependencies: # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.14 + version: 14.2.16 condition: postgresql-ha.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts - version: 10.2.9 + version: 10.3.0 condition: redis-cluster.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml - name: redis -- 2.40.1 From 9dc3f7c086797e1c9a104d699136c6dd3fe12b66 Mon Sep 17 00:00:00 2001 From: pat-s Date: Thu, 29 Aug 2024 09:20:27 +0000 Subject: [PATCH 05/24] Fix persistence for `postgresql-ha` (#704) fix #703 Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/704 Reviewed-by: techknowlogick Co-authored-by: pat-s Co-committed-by: pat-s --- README.md | 2 +- values.yaml | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ec29243..31bb251 100644 --- a/README.md +++ b/README.md @@ -1090,7 +1090,7 @@ Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time. | `postgresql-ha.postgresql.postgresPassword` | postgres Password | `changeme1` | | `postgresql-ha.pgpool.adminPassword` | pgpool adminPassword | `changeme3` | | `postgresql-ha.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` | -| `postgresql-ha.primary.persistence.size` | PVC Storage Request for PostgreSQL HA volume | `10Gi` | +| `postgresql-ha.persistence.size` | PVC Storage Request for PostgreSQL HA volume | `10Gi` | ### PostgreSQL diff --git a/values.yaml b/values.yaml index af66f24..90b6f4f 100644 --- a/values.yaml +++ b/values.yaml 
@@ -529,7 +529,7 @@ redis: ## @param postgresql-ha.postgresql.postgresPassword postgres Password ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) -## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL HA volume +## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume postgresql-ha: global: postgresql: @@ -546,9 +546,8 @@ postgresql-ha: service: ports: postgresql: 5432 - primary: - persistence: - size: 10Gi + persistence: + size: 10Gi ## @section PostgreSQL # -- 2.40.1 From 3fdb39df6808cb04046acc7f5d33efd332ae7f3a Mon Sep 17 00:00:00 2001 
From: tobiasbp Date: Wed, 11 Sep 2024 12:49:18 +0000 Subject: [PATCH 06/24] Do not log errors in init-directories container during Gitea launch (#708) When the _init-directories_ container runs, the shell script _init_directory_structure.sh_ logs to _stderr_ because debugging is enabled with _set -x_. The output from the script, should be logged to _stdout_ instead. The issue is discussed here: https://gitea.com/gitea/helm-chart/issues/701 ### Description of the change This PR uses the _verbose_ flag with all commands in the script to log what the script is doing. ### Benefits Log entries with incorrect severity _ERROR_ will no longer be logged in _Kubernetes_. ### Possible drawbacks Log output will change. If someone had a check for certain log entries from the _init container_, that check would break. ### Checklist Updated unit tests. Co-authored-by: tobias.petersen Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/708 Reviewed-by: techknowlogick Reviewed-by: pat-s Co-authored-by: tobiasbp Co-committed-by: tobiasbp --- templates/gitea/init.yaml | 22 +++++----- .../init_directory_structure.sh-rootless.yaml | 42 ++++++++----------- .../init/init_directory_structure.sh.yaml | 38 ++++++++--------- 3 files changed, 45 insertions(+), 57 deletions(-) diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml index 0352836..71973e3 100644 --- a/templates/gitea/init.yaml +++ b/templates/gitea/init.yaml 
@@ -24,27 +24,25 @@ stringData: # END: initPreScript {{- end }} - set -x - {{- if not .Values.image.rootless }} - chown 1000:1000 /data + chown -v 1000:1000 /data {{- end }} - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" + mkdir -pv "${GITEA_TEMP}" {{- if not .Values.image.rootless }} - chown 1000:1000 "${GITEA_TEMP}" + chown -v 1000:1000 "${GITEA_TEMP}" {{- end }} - chmod ug+rwx "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" {{ if .Values.signing.enabled -}} if [ ! -d "${GNUPGHOME}" ]; then - mkdir -p "${GNUPGHOME}" - chmod 700 "${GNUPGHOME}" - chown 1000:1000 "${GNUPGHOME}" + mkdir -pv "${GNUPGHOME}" + chmod -v 700 "${GNUPGHOME}" + chown -v 1000:1000 "${GNUPGHOME}" fi {{- end }} diff --git a/unittests/init/init_directory_structure.sh-rootless.yaml b/unittests/init/init_directory_structure.sh-rootless.yaml index 29dac81..e41ca4d 100644 --- a/unittests/init/init_directory_structure.sh-rootless.yaml +++ b/unittests/init/init_directory_structure.sh-rootless.yaml @@ -28,15 +28,13 @@ tests: #!/usr/bin/env bash set -euo pipefail - - set -x - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" - chmod ug+rwx "${GITEA_TEMP}" + mkdir -pv "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" - it: adds gpg script block for enabled signing set: signing.enabled: true 
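Review bot: The `chown -v 1000:1000 "${GNUPGHOME}"` line in the signing block of templates/gitea/init.yaml is the only chown in this hunk that is not wrapped in `{{- if not .Values.image.rootless }}`, unlike the ones for `/data` and `${GITEA_TEMP}`. The unit-test expectations in this same patch show the script running under `set -euo pipefail`, so if a rootless container runs as a UID that may not chown to 1000 (presumably a custom `runAsUser`), the init container would abort at that line. Consider guarding it the same way, with `{{- if not .Values.image.rootless }}` and `{{- end }}` around the chown. Creating the directory with its final mode, `mkdir -pv -m 700 "${GNUPGHOME}"`, would also avoid the short window in which the keyring directory exists with umask-default permissions. The script starts above this hunk and continues below it.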
@@ -51,20 +49,18 @@ tests: #!/usr/bin/env bash set -euo pipefail - - set -x - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" - chmod ug+rwx "${GITEA_TEMP}" + mkdir -pv "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" if [ ! -d "${GNUPGHOME}" ]; then - mkdir -p "${GNUPGHOME}" - chmod 700 "${GNUPGHOME}" - chown 1000:1000 "${GNUPGHOME}" + mkdir -pv "${GNUPGHOME}" + chmod -v 700 "${GNUPGHOME}" + chown -v 1000:1000 "${GNUPGHOME}" fi - it: it does not chown /data even when image.fullOverride is set template: templates/gitea/init.yaml @@ -77,12 +73,10 @@ tests: #!/usr/bin/env bash set -euo pipefail - - set -x - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" - chmod ug+rwx "${GITEA_TEMP}" + mkdir -pv "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" diff --git a/unittests/init/init_directory_structure.sh.yaml b/unittests/init/init_directory_structure.sh.yaml index 7e59404..7327265 100644 --- a/unittests/init/init_directory_structure.sh.yaml +++ b/unittests/init/init_directory_structure.sh.yaml 
@@ -31,17 +31,15 @@ tests: #!/usr/bin/env bash set -euo pipefail - - set -x - chown 1000:1000 /data - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + chown -v 1000:1000 /data + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" - chown 1000:1000 "${GITEA_TEMP}" - chmod ug+rwx "${GITEA_TEMP}" + mkdir -pv "${GITEA_TEMP}" + chown -v 1000:1000 "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" - it: adds gpg script block for enabled signing set: image.rootless: false @@ -57,20 +55,18 @@ tests: #!/usr/bin/env bash set -euo pipefail - - set -x - chown 1000:1000 /data - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + chown -v 1000:1000 /data + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" - chown 1000:1000 "${GITEA_TEMP}" - chmod ug+rwx "${GITEA_TEMP}" + mkdir -pv "${GITEA_TEMP}" + chown -v 1000:1000 "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" if [ ! -d "${GNUPGHOME}" ]; then - mkdir -p "${GNUPGHOME}" - chmod 700 "${GNUPGHOME}" - chown 1000:1000 "${GNUPGHOME}" + mkdir -pv "${GNUPGHOME}" + chmod -v 700 "${GNUPGHOME}" + chown -v 1000:1000 "${GNUPGHOME}" fi -- 2.40.1 From 77aa11a3bbbbfc3864b91cd6055bbd3baa096787 Mon Sep 17 00:00:00 2001 From: pat-s Date: Wed, 11 Sep 2024 15:14:37 +0200 Subject: [PATCH 07/24] bump to gitea 1.22.2 --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 3e62db5..235deb6 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes type: application version: 0.0.0 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?.*)$ -appVersion: 1.22.1 +appVersion: 1.22.2 icon: https://gitea.com/assets/img/logo.svg keywords: -- 2.40.1 From e636984db1009e7bd1cb4961bdd6906131eb196d Mon Sep 17 00:00:00 2001 From: Markus Pesch Date: Wed, 18 Sep 2024 17:55:28 +0000 Subject: [PATCH 08/24] feat(serviceMonitor): custom configuration (#710) This patch extends the serviceMonitor resource to specify a custom TLS configuration used by prometheus to scrape the metrics. Furthermore, the interval and scrapeTimeout can now be adapted without changing the global defaults of the prometheus instance. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/710 Reviewed-by: pat-s Co-authored-by: Markus Pesch Co-committed-by: Markus Pesch --- README.md | 39 +++++++------ templates/gitea/servicemonitor.yaml | 19 +++++- unittests/servicemonitor/basic.yaml | 89 +++++++++++++++++++++++++++++ values.yaml | 12 +++- 4 files changed, 140 insertions(+), 19 deletions(-) create mode 100644 unittests/servicemonitor/basic.yaml diff --git a/README.md b/README.md index 31bb251..c0da2d2 100644 --- a/README.md +++ b/README.md 
@@ -1001,23 +1001,28 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo ### Gitea -| Name | Description | Value | -| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- | -| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` | -| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` | -| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` | -| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | -| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | -| `gitea.metrics.enabled` | Enable Gitea metrics | `false` | -| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor | `false` | -| `gitea.ldap` | LDAP configuration | `[]` | -| `gitea.oauth` | OAuth configuration | `[]` | -| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` | -| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` | -| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` | -| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` | -| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` | -| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. 
| `INFO` | +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- | +| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` | +| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` | +| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` | +| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | +| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | +| `gitea.metrics.enabled` | Enable Gitea metrics | `false` | +| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | +| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | +| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `gitea.metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. Default is http. | `""` | +| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `""` | +| `gitea.metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. 
| `{}` | +| `gitea.ldap` | LDAP configuration | `[]` | +| `gitea.oauth` | OAuth configuration | `[]` | +| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` | +| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` | +| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` | +| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` | +| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` | +| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` | ### LivenessProbe diff --git a/templates/gitea/servicemonitor.yaml b/templates/gitea/servicemonitor.yaml index 02750d0..d049f31 100644 --- a/templates/gitea/servicemonitor.yaml +++ b/templates/gitea/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if .Values.gitea.metrics.serviceMonitor.enabled -}} +{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -14,4 +14,21 @@ spec: {{- include "gitea.selectorLabels" . | nindent 6 }} endpoints: - port: http + {{- if .Values.gitea.metrics.serviceMonitor.interval }} + interval: {{ .Values.gitea.metrics.serviceMonitor.interval }} + {{- end }} + {{- with .Values.gitea.metrics.serviceMonitor.relabelings }} + relabelings: + {{- . | toYaml | nindent 6 }} + {{- end }} + {{- if .Values.gitea.metrics.serviceMonitor.scheme }} + scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }} + {{- end }} + {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }} + tlsConfig: + {{- . | toYaml | nindent 6 }} + {{- end }} {{- end -}} \ No newline at end of file 
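Review bot: The new `interval`, `scheme` and `scrapeTimeout` values in the `@@ -14,4 +14,21 @@` hunk of templates/gitea/servicemonitor.yaml are rendered unquoted, so a value such as `interval: 30` would reach the API as an integer where a duration string is expected; piping them through `quote`, e.g. `interval: {{ .Values.gitea.metrics.serviceMonitor.interval | quote }}`, keeps them strings. The endpoint also gains `scheme` and `tlsConfig` but no way to pass credentials, so a metrics endpoint protected by a token could not be scraped through this object; exposing the endpoint's `authorization` or `bearerTokenSecret` field in the same `with … toYaml` style would close that gap. Since `tlsConfig` is passed through verbatim, a one-line comment next to it in values.yaml noting that `insecureSkipVerify: true` turns off server certificate verification would help operators. The template begins above this hunk.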
diff --git a/unittests/servicemonitor/basic.yaml b/unittests/servicemonitor/basic.yaml
new file mode 100644
index 0000000..f5d0091
--- /dev/null
+++ b/unittests/servicemonitor/basic.yaml
@@ -0,0 +1,89 @@ +suite: ServiceMonitor template (basic) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: skips rendering by default + asserts: + - hasDocuments: + count: 0 + - it: renders default ServiceMonitor object with gitea.metrics.enabled=true + set: + gitea.metrics.enabled: true + asserts: + - hasDocuments: + count: 0 + - it: renders default ServiceMonitor object with gitea.metrics.serviceMonitor.enabled=true + set: + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 0 + - it: renders defaults + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - notExists: + path: metadata.annotations + - notExists: + path: spec.endpoints[0].interval + - equal: + path: spec.endpoints[0].port + value: http + - notExists: + path: spec.endpoints[0].scheme + - notExists: + path: spec.endpoints[0].scrapeTimeout + - notExists: + path: spec.endpoints[0].tlsConfig + - it: renders custom scrape interval + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.serviceMonitor.interval: 30s + gitea.metrics.serviceMonitor.scrapeTimeout: 5s + asserts: + - equal: + path: spec.endpoints[0].interval + value: 30s + - equal: + path: spec.endpoints[0].scrapeTimeout + value: 5s + - it: renders custom tls config + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.serviceMonitor.scheme: https + gitea.metrics.serviceMonitor.tlsConfig.caFile: /etc/prometheus/tls/ca.crt + gitea.metrics.serviceMonitor.tlsConfig.certFile: /etc/prometheus/tls/tls.crt + gitea.metrics.serviceMonitor.tlsConfig.keyFile: /etc/prometheus/tls/tls.key + gitea.metrics.serviceMonitor.tlsConfig.insecureSkipVerify: false + 
gitea.metrics.serviceMonitor.tlsConfig.serverName: gitea-unittest + asserts: + - equal: + path: spec.endpoints[0].scheme + value: https + - equal: + path: spec.endpoints[0].tlsConfig.caFile + value: /etc/prometheus/tls/ca.crt + - equal: + path: spec.endpoints[0].tlsConfig.certFile + value: /etc/prometheus/tls/tls.crt + - equal: + path: spec.endpoints[0].tlsConfig.keyFile + value: /etc/prometheus/tls/tls.key + - equal: + path: spec.endpoints[0].tlsConfig.insecureSkipVerify + value: false + - equal: + path: spec.endpoints[0].tlsConfig.serverName + value: gitea-unittest diff --git a/values.yaml b/values.yaml index 90b6f4f..c9cc53b 100644 --- a/values.yaml +++ b/values.yaml @@ -356,13 +356,23 @@ gitea: passwordMode: keepUpdated ## @param gitea.metrics.enabled Enable Gitea metrics - ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor + ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. + ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. + ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. + ## @param gitea.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`. Default is http. + ## @param gitea.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. + ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. metrics: enabled: false serviceMonitor: enabled: false # additionalLabels: # prometheus-release: prom1 + interval: "" + relabelings: [] + scheme: "" + scrapeTimeout: "" + tlsConfig: {} ## @param gitea.ldap LDAP configuration ldap: -- 2.40.1 
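Review bot: Two test titles in unittests/servicemonitor/basic.yaml say the opposite of what they assert: `renders default ServiceMonitor object with gitea.metrics.enabled=true` and the matching `gitea.metrics.serviceMonitor.enabled=true` case both check `hasDocuments` with `count: 0`, so a title such as `skips rendering when only gitea.metrics.enabled is set` would match the check. The suite also has no case for `relabelings`, the other new value rendered through `toYaml | nindent 6` besides `tlsConfig`. A test that sets one relabeling and asserts on `spec.endpoints[0].relabelings[0]` would pin the indentation of that block.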
From c039673e5af0350811837cbab3cb02599faf92db Mon Sep 17 00:00:00 2001 From: pat-s Date: Thu, 19 Sep 2024 21:59:47 +0000 Subject: [PATCH 09/24] Add comments about redis password policy (#706) fix #690 Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/706 Co-authored-by: pat-s Co-committed-by: pat-s --- README.md | 3 +++ values.yaml | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/README.md b/README.md index c0da2d2..cf35855 100644 --- a/README.md +++ b/README.md @@ -498,6 +498,9 @@ redis-cluster: enabled: true ``` +⚠️ The redis charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690). +Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. + ### Persistence Gitea will be deployed as a deployment. diff --git a/values.yaml b/values.yaml index c9cc53b..6e42107 100644 --- a/values.yaml +++ b/values.yaml @@ -498,6 +498,8 @@ gitea: ## @section redis-cluster ## @param redis-cluster.enabled Enable redis cluster +# ⚠️ The redis charts do not work well with special characters in the password (). +# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. ## @param redis-cluster.usePassword Whether to use password authentication ## @param redis-cluster.cluster.nodes Number of redis cluster master nodes ## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas @@ -514,6 +516,8 @@ redis-cluster: ## @section redis ## @param redis.enabled Enable redis standalone or replicated ## @param redis.architecture Whether to use standalone or replication +# ⚠️ The redis charts do not work well with special characters in the password (). +# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. ## @param redis.global.redis.password Required password ## @param redis.master.count Number of Redis master instances to deploy ## @descriptionStart -- 2.40.1 
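Review bot: The comment added to values.yaml in `@@ -498,6 +498,8 @@` (and repeated in `@@ -514,6 +516,8 @@`) tells operators to leave special characters out of the Redis password but not how to keep the password strong without them. Suggest extending it with a line such as `# Use a long random alphanumeric password instead, so the smaller character set does not weaken it.` As shown on this page the parentheses after "password" are empty, so the issue link that the README version of this warning carries appears to be missing from the values.yaml copy.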
From a08e39f8ff005a118769a2458f6a091c51ad53fd Mon Sep 17 00:00:00 2001 From: SorsOps Date: Tue, 8 Oct 2024 16:40:23 +0000 Subject: [PATCH 10/24] Fix namespace templating inconsistencies (#713) ### Description of the change Added namespaces to all the template files to better support alternate templaters in gitops systems ### Benefits Gitops system that have different ways of handling helm templates can actually deploy this chart correct, especially through subcharts ### Possible drawbacks Potential regression when upgrading, though this should be unlikely per @jessesanford 's comments with it defaulting back to the existing behaviour ### Applicable issues - Addresses https://gitea.com/gitea/helm-chart/issues/630 - Addresses https://gitea.com/gitea/helm-chart/issues/557 - Addresses https://gitea.com/gitea/helm-chart/issues/623 ### Checklist - [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [X] Breaking changes are documented in the `README.md` Co-authored-by: SorsOps <80043879+sorsOps@users.noreply.github.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/713 Reviewed-by: pat-s Reviewed-by: justusbunsi Co-authored-by: SorsOps Co-committed-by: SorsOps --- README.md | 15 ++++++++------- templates/gitea/config.yaml | 2 ++ templates/gitea/deployment.yaml | 1 + templates/gitea/gpg-secret.yaml | 1 + templates/gitea/http-svc.yaml | 1 + templates/gitea/ingress.yaml | 1 + templates/gitea/init.yaml | 1 + templates/gitea/poddisruptionbudget.yaml | 1 + templates/gitea/pvc.yaml | 2 +- templates/gitea/serviceaccount.yaml | 2 +- templates/gitea/servicemonitor.yaml | 1 + templates/gitea/ssh-svc.yaml | 1 + templates/tests/test-http-connection.yaml | 1 + values.yaml | 3 +++ 14 files changed, 24 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index cf35855..56c0ac2 100644 --- a/README.md +++ b/README.md 
@@ -852,13 +852,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo ### Global -| Name | Description | Value | -| ------------------------- | ------------------------------------------------------------------------- | ----- | -| `global.imageRegistry` | global image registry override | `""` | -| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` | -| `global.storageClass` | global storage class override | `""` | -| `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` | -| `replicaCount` | number of replicas for the deployment | `1` | +| Name | Description | Value | +| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | global image registry override | `""` | +| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` | +| `global.storageClass` | global storage class override | `""` | +| `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` | +| `namespace` | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""` | +| `replicaCount` | number of replicas for the deployment | `1` | ### strategy diff --git a/templates/gitea/config.yaml b/templates/gitea/config.yaml index 68df5f8..897c8c9 100644 --- a/templates/gitea/config.yaml +++ b/templates/gitea/config.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "gitea.fullname" . }}-inline-config + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} type: Opaque 
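Review bot: `namespace: {{ .Values.namespace | default .Release.Namespace }}` is rendered unquoted in this Secret in templates/gitea/config.yaml and is copied into every other template the patch touches (the second config.yaml hunk, deployment, gpg-secret, http-svc, ingress, init, poddisruptionbudget, pvc, serviceaccount and the rest of the diffstat), and the serviceaccount.yaml hunk drops the `| quote` that the old line had. A single named template, for example `gitea.namespace` next to the existing `gitea.labels` helper, used as `namespace: {{ include "gitea.namespace" . | quote }}`, would keep the expression in one place. Because the target namespace now comes from values rather than from the release, whoever controls the values can place these Secrets and the ServiceAccount outside the release namespace; the README entry for `namespace` would be a good place to say that namespace-scoped RBAC and GitOps destination restrictions need to cover the override. The hunks shown do not pass the override to the bundled PostgreSQL and Redis subcharts, so presumably those still install into the release namespace, and it is worth confirming that the generated connection hosts still resolve.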
@@ -12,6 +13,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} type: Opaque diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index f321f22..e66df68 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} annotations: {{- if .Values.deployment.annotations }} {{- toYaml .Values.deployment.annotations | nindent 4 }} diff --git a/templates/gitea/gpg-secret.yaml b/templates/gitea/gpg-secret.yaml index 12dce66..46633c8 100644 --- a/templates/gitea/gpg-secret.yaml +++ b/templates/gitea/gpg-secret.yaml @@ -7,6 +7,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "gitea.gpg-key-secret-name" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} type: Opaque diff --git a/templates/gitea/http-svc.yaml b/templates/gitea/http-svc.yaml index 06163a6..28bd218 100644 --- a/templates/gitea/http-svc.yaml +++ b/templates/gitea/http-svc.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "gitea.fullname" . }}-http + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} {{- if .Values.service.http.labels }} diff --git a/templates/gitea/ingress.yaml b/templates/gitea/ingress.yaml index cd743fe..dce7c90 100644 --- a/templates/gitea/ingress.yaml +++ b/templates/gitea/ingress.yaml @@ -13,6 +13,7 @@ apiVersion: {{ $apiVersion }} kind: Ingress metadata: name: {{ $fullName }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} annotations: 
diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml index 71973e3..5adc9a3 100644 --- a/templates/gitea/init.yaml +++ b/templates/gitea/init.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "gitea.fullname" . }}-init + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} type: Opaque diff --git a/templates/gitea/poddisruptionbudget.yaml b/templates/gitea/poddisruptionbudget.yaml index d2b7e17..270d5cf 100644 --- a/templates/gitea/poddisruptionbudget.yaml +++ b/templates/gitea/poddisruptionbudget.yaml @@ -7,6 +7,7 @@ apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} spec: diff --git a/templates/gitea/pvc.yaml b/templates/gitea/pvc.yaml index 601483e..035dbc4 100644 --- a/templates/gitea/pvc.yaml +++ b/templates/gitea/pvc.yaml @@ -3,7 +3,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ .Values.persistence.claimName }} - namespace: {{ $.Release.Namespace }} + namespace: {{ .Values.namespace | default .Release.Namespace }} annotations: {{ .Values.persistence.annotations | toYaml | indent 4}} labels: diff --git a/templates/gitea/serviceaccount.yaml b/templates/gitea/serviceaccount.yaml index e730f9c..0c211c5 100644 --- a/templates/gitea/serviceaccount.yaml +++ b/templates/gitea/serviceaccount.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "gitea.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} {{- with .Values.serviceAccount.labels }} diff --git a/templates/gitea/servicemonitor.yaml b/templates/gitea/servicemonitor.yaml index d049f31..1774214 100644 --- a/templates/gitea/servicemonitor.yaml 
+++ b/templates/gitea/servicemonitor.yaml @@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }} diff --git a/templates/gitea/ssh-svc.yaml b/templates/gitea/ssh-svc.yaml index 131b0b9..b2046fe 100644 --- a/templates/gitea/ssh-svc.yaml +++ b/templates/gitea/ssh-svc.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "gitea.fullname" . }}-ssh + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} {{- if .Values.service.ssh.labels }} diff --git a/templates/tests/test-http-connection.yaml b/templates/tests/test-http-connection.yaml index 8157442..da28ea6 100644 --- a/templates/tests/test-http-connection.yaml +++ b/templates/tests/test-http-connection.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Pod metadata: name: "{{ include "gitea.fullname" . }}-test-connection" + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{ include "gitea.labels" . | nindent 4 }} annotations: diff --git a/values.yaml b/values.yaml index 6e42107..a919224 100644 --- a/values.yaml +++ b/values.yaml @@ -20,6 +20,9 @@ global: # hostnames: # - example.com +## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified +namespace: "" + ## @param replicaCount number of replicas for the deployment replicaCount: 1 -- 2.40.1 From aa9808bc2766c90292a57218bf442b1a0714580a Mon Sep 17 00:00:00 2001 
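Review bot: The `@param namespace` comment in values.yaml does not say that the chart's Secrets (inline config, init, GPG key) and its ServiceAccount are then created outside the release namespace, which matters to anyone who scopes RBAC or network policy per namespace. I would add a comment line under it stating that all Gitea resources, including its Secrets, are created in that namespace instead of the release namespace, and that the installing identity needs write access there. Whether the target namespace must already exist is not visible in this patch, so that part of the wording should be confirmed before it is documented.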
From: rossigee Date: Fri, 18 Oct 2024 13:44:37 +0000 Subject: [PATCH 11/24] Add 'extraContainers' parameter (#697) ### Description of the change Adds an 'extraContainers' parameter. ### Benefits Users will be able to run sidecar containers as required by their environment. ### Possible drawbacks N/A ### Applicable issues - Fixes #696 ### Checklist - [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/697 Reviewed-by: justusbunsi Co-authored-by: rossigee Co-committed-by: rossigee --- README.md | 1 + templates/gitea/deployment.yaml | 5 ++++- unittests/deployment/sidecar-container.yaml | 21 +++++++++++++++++++++ values.yaml | 6 ++++++ 4 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 unittests/deployment/sidecar-container.yaml diff --git a/README.md b/README.md index 56c0ac2..3589736 100644 --- a/README.md +++ b/README.md @@ -980,6 +980,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `persistence.storageClass` | Name of the storage class to use | `nil` | | `persistence.subPath` | Subdirectory of the volume to mount at | `nil` | | `persistence.volumeName` | Name of persistent volume in PVC | `""` | +| `extraContainers` | Additional sidecar containers to run in the pod | `[]` | | `extraVolumes` | Additional volumes to mount to the Gitea deployment | `[]` | | `extraContainerVolumeMounts` | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]` | | `extraInitVolumeMounts` | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. | `[]` | diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index e66df68..90f0e76 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml 
@@ -340,6 +340,9 @@ spec: subPath: {{ .Values.persistence.subPath }} {{- end }} {{- include "gitea.container-additional-mounts" . | nindent 12 }} + {{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 8 }} + {{- end }} {{- with .Values.global.hostAliases }} hostAliases: {{- toYaml . | nindent 8 }} @@ -403,4 +406,4 @@ spec: {{- else if not .Values.persistence.enabled }} - name: data emptyDir: {} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/unittests/deployment/sidecar-container.yaml b/unittests/deployment/sidecar-container.yaml new file mode 100644 index 0000000..e41e193 --- /dev/null +++ b/unittests/deployment/sidecar-container.yaml @@ -0,0 +1,21 @@ +suite: sidecar container +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: supports adding a sidecar container + template: templates/gitea/deployment.yaml + set: + extraContainers: + - name: sidecar-bob + image: busybox + asserts: + - equal: + path: spec.template.spec.containers[1].name + value: "sidecar-bob" + - equal: + path: spec.template.spec.containers[1].image + value: "busybox" diff --git a/values.yaml b/values.yaml index a919224..2b7ad7d 100644 --- a/values.yaml +++ b/values.yaml @@ -283,6 +283,12 @@ persistence: annotations: helm.sh/resource-policy: keep +## @param extraContainers Additional sidecar containers to run in the pod +extraContainers: [] +# - name: sidecar-bob +# image: busybox +# command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400'] + ## @param extraVolumes Additional volumes to mount to the Gitea deployment extraVolumes: [] # - name: postgres-ssl-vol -- 2.40.1 From 7c4d6c3797da5ca5aee05a8dc12a51a9f4ee4955 Mon Sep 17 00:00:00 2001 
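Review bot: The commented `extraContainers` example in values.yaml uses `image: busybox` with no tag, and the new unit test does the same, so anyone copying it runs a mutable `latest` image in the same pod as Gitea. I would pin the example, e.g. `#     image: busybox:<pinned-tag>` or a digest. A comment line should also say that entries are rendered verbatim into the pod's `containers` list by the `toYaml .Values.extraContainers` block in deployment.yaml, so each sidecar has to bring its own `securityContext` and `resources`.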
From: justusbunsi Date: Fri, 18 Oct 2024 13:50:35 +0000 Subject: [PATCH 12/24] Fix configuration in "external database" docs (#716) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/716 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3589736..2888fc7 100644 --- a/README.md +++ b/README.md @@ -420,6 +420,9 @@ gitea: postgresql: enabled: false + +postgresql-ha: + enabled: false ``` ### Ports and external url -- 2.40.1 From 478af4e381b65a9236d262714c6808ac8c586f95 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Fri, 18 Oct 2024 15:09:14 +0000 Subject: [PATCH 13/24] Fix probe definition overrides (#717) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Description of the change This fixes an issue when trying to apply a custom probe that is not `tcpSocket`. ### Benefits Custom probes 🥳 ### Applicable issues - Fixes #694 ### Checklist - [x] Templating unittests are added Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/717 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- templates/_helpers.tpl | 18 +++ templates/gitea/deployment.yaml | 6 +- unittests/deployment/probes.yaml | 188 +++++++++++++++++++++++++++++++ 3 files changed, 209 insertions(+), 3 deletions(-) create mode 100644 unittests/deployment/probes.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index c7d13d9..9e9c613 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -408,3 +408,21 @@ https {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }} {{- end -}} {{- end -}} + +{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}} +{{- define "gitea.deployment.probe" -}} + {{- $probe := unset . "enabled" -}} + {{- $probeKeys := keys $probe -}} + {{- $containsCustomMethod := false -}} + {{- $chartDefaultMethod := "tcpSocket" -}} + {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}} + {{- range $probeKeys -}} + {{- if has . $nonChartDefaultMethods -}} + {{- $containsCustomMethod = true -}} + {{- end -}} + {{- end -}} + {{- if $containsCustomMethod -}} + {{- $probe = unset . $chartDefaultMethod -}} + {{- end -}} + {{- toYaml $probe -}} +{{- end -}} diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index 90f0e76..9981e67 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml @@ -312,15 +312,15 @@ spec: {{- end }} {{- if .Values.gitea.livenessProbe.enabled }} livenessProbe: - {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }} + {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }} {{- end }} {{- if .Values.gitea.readinessProbe.enabled }} readinessProbe: - {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }} + {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }} {{- end }} {{- if .Values.gitea.startupProbe.enabled }} startupProbe: - {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }} + {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} 
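Review bot: `unset` in `gitea.deployment.probe` edits the map it is handed, so after the first include the probe map under `.Values.gitea` no longer has `enabled`, and loses `tcpSocket` when a custom method is set; the deployment.yaml lines this patch replaces used `omit`, which returns a copy. Anything rendered later that reads `.Values.gitea.livenessProbe.enabled` (or the readiness/startup equivalents) would find the key missing. I would keep the copy semantics with `{{- $probe := omit . "enabled" -}}` and `{{- $probe = omit $probe $chartDefaultMethod -}}`. The helper comment could also state that `tcpSocket` is dropped only when `exec`, `httpGet` or `grpc` is present.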
diff --git a/unittests/deployment/probes.yaml b/unittests/deployment/probes.yaml new file mode 100644 index 0000000..259f3bf --- /dev/null +++ b/unittests/deployment/probes.yaml 
@@ -0,0 +1,188 @@ +suite: deployment template (probes) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: renders default liveness probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + failureThreshold: 10 + initialDelaySeconds: 200 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + - it: renders default readiness probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + - it: does not render a default startup probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe + - it: allows enabling a startup probe + template: templates/gitea/deployment.yaml + set: + gitea.startupProbe.enabled: true + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + failureThreshold: 10 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + + - it: allows overwriting the default port of the liveness probe + template: templates/gitea/deployment.yaml + set: + gitea: + livenessProbe: + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + tcpSocket: + port: my-port + + - it: allows overwriting the default port of the readiness probe + template: templates/gitea/deployment.yaml + set: + 
gitea: + readinessProbe: + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + tcpSocket: + port: my-port + + - it: allows overwriting the default port of the startup probe + template: templates/gitea/deployment.yaml + set: + gitea: + startupProbe: + enabled: true + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + tcpSocket: + port: my-port + + - it: allows using a non-default method as liveness probe + template: templates/gitea/deployment.yaml + set: + gitea: + livenessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 + + - it: allows using a non-default method as readiness probe + template: templates/gitea/deployment.yaml + set: + gitea: + readinessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 + + - it: allows using a non-default method as startup probe + template: templates/gitea/deployment.yaml + set: + gitea: + startupProbe: + enabled: true + httpGet: + path: /api/healthz + port: http + 
initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 -- 2.40.1 From 5c7e78b467185e1d98df77dce3ba514b2a3e5a2d Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Fri, 18 Oct 2024 15:14:56 +0000 Subject: [PATCH 14/24] Bump Gitea to 1.22.3 (#718) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/718 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 235deb6..dbdcae0 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes type: application version: 0.0.0 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?.*)$ -appVersion: 1.22.2 +appVersion: 1.22.3 icon: https://gitea.com/assets/img/logo.svg keywords: -- 2.40.1 From f7c66c0336d211a5bfbdf9a6b95ead7c3ff6b5c0 Mon Sep 17 00:00:00 2001 
From: vjm Date: Sun, 10 Nov 2024 13:35:56 +0000 Subject: [PATCH 15/24] Add Gitea Actions act runner (#666) Co-authored-by: dementhorr Co-authored-by: Vince Montalbano Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/666 Reviewed-by: justusbunsi Co-authored-by: vjm Co-committed-by: vjm --- README.md | 35 ++++++ readme-actions-dev.md | 34 ++++++ scripts/token.sh | 43 +++++++ templates/_helpers.tpl | 39 ++++++ .../act_runner/01-consistency-checks.yaml | 15 +++ .../gitea/act_runner/config-act-runner.yaml | 14 +++ .../gitea/act_runner/config-scripts.yaml | 13 ++ templates/gitea/act_runner/job.yaml | 114 ++++++++++++++++++ templates/gitea/act_runner/role-job.yaml | 25 ++++ .../gitea/act_runner/rolebinding-job.yaml | 22 ++++ templates/gitea/act_runner/secret-token.yaml | 19 +++ .../gitea/act_runner/serviceaccount-job.yaml | 13 ++ templates/gitea/act_runner/statefulset.yaml | 114 ++++++++++++++++++ .../act_runner/01-consistency-checks.yaml | 69 +++++++++++ unittests/act_runner/config-act-runner.yaml | 45 +++++++ unittests/act_runner/config-scripts.yaml | 49 ++++++++ unittests/act_runner/job.yaml | 65 ++++++++++ unittests/act_runner/role-job.yaml | 42 +++++++ unittests/act_runner/rolebinding-job.yaml | 42 +++++++ unittests/act_runner/secret-token.yaml | 42 +++++++ unittests/act_runner/serviceaccount-job.yaml | 42 +++++++ unittests/act_runner/statefulset.yaml | 95 +++++++++++++++ unittests/config/actions-config.yaml | 61 ++++++++++ values.yaml | 90 ++++++++++++++ 24 files changed, 1142 insertions(+) create mode 100644 readme-actions-dev.md create mode 100644 scripts/token.sh create mode 100644 templates/gitea/act_runner/01-consistency-checks.yaml create mode 100644 templates/gitea/act_runner/config-act-runner.yaml create mode 100644 templates/gitea/act_runner/config-scripts.yaml create mode 100644 templates/gitea/act_runner/job.yaml create mode 100644 templates/gitea/act_runner/role-job.yaml create mode 100644 templates/gitea/act_runner/rolebinding-job.yaml create mode 
100644 templates/gitea/act_runner/secret-token.yaml create mode 100644 templates/gitea/act_runner/serviceaccount-job.yaml create mode 100644 templates/gitea/act_runner/statefulset.yaml create mode 100644 unittests/act_runner/01-consistency-checks.yaml create mode 100644 unittests/act_runner/config-act-runner.yaml create mode 100644 unittests/act_runner/config-scripts.yaml create mode 100644 unittests/act_runner/job.yaml create mode 100644 unittests/act_runner/role-job.yaml create mode 100644 unittests/act_runner/rolebinding-job.yaml create mode 100644 unittests/act_runner/secret-token.yaml create mode 100644 unittests/act_runner/serviceaccount-job.yaml create mode 100644 unittests/act_runner/statefulset.yaml create mode 100644 unittests/config/actions-config.yaml diff --git a/README.md b/README.md index 2888fc7..a6f4c2b 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ - [Persistence](#persistence-1) - [Init](#init) - [Signing](#signing) + - [Gitea Actions](#gitea-actions) - [Gitea](#gitea) - [LivenessProbe](#livenessprobe) - [ReadinessProbe](#readinessprobe) 
@@ -1007,6 +1008,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | +### Gitea Actions + +| Name | Description | Value | +| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `actions.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.init.image.repository` | The image used for the init containers | `busybox` | +| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` | +| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. 
See values.yaml` | +| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | +| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.provisioning.annotations` | Job's annotations | `{}` | +| `actions.provisioning.labels` | Job's labels | `{}` | +| `actions.provisioning.resources` | Job's resources | `{}` | +| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.provisioning.tolerations` | Tolerations for the job | `[]` | +| `actions.provisioning.affinity` | Affinity for the job | `{}` | +| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` | +| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | + ### Gitea | Name | Description | Value | diff --git a/readme-actions-dev.md b/readme-actions-dev.md new file mode 100644 index 0000000..a633ad3 --- /dev/null +++ b/readme-actions-dev.md 
@@ -0,0 +1,34 @@ +# Gitea Actions + +In order to use the Gitea Actions act-runner you must either: + +- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job) +- create a secret containing the act runner token and reference it as a `existingSecret` + +In order to use Gitea Actions, you must log on the server that's running Gitea and run the command: + `gitea actions generate-runner-token` + +This command will out a token that is needed by the act-runner to register with the Gitea backend. + +Because this is a manual operation, we automated this using a Kubernetes Job using the following containers: + +1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token` +2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and +the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret + +After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers: + +1) `act-runner`: authenticates with Gitea using the token that was stored in the secret +2) `dind`: DockerInDocker image that is used to run the actions + +If you are not using persistent volumes, you cannot use the Job to automatically generate the token. +In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke +the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via: + +```yaml +actions: + provisioning: + enabled: false + existingSecret: "secret-name" + existingSecretKey: "secret-key" +``` diff --git a/scripts/token.sh b/scripts/token.sh new file mode 100644 index 0000000..cbb2ebd --- /dev/null +++ b/scripts/token.sh 
@@ -0,0 +1,43 @@ +#!/bin/sh + +set -eu + +timeout_delay=15 + +check_token() { + set +e + + echo "Checking for existing token..." + token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)" + [ $? -ne 0 ] && return 1 + [ -z "$token" ] && return 2 + return 0 +} + +create_token() { + echo "Waiting for new token to be generated..." + begin=$(date +%s) + end=$((begin + timeout_delay)) + while true; do + [ -f /data/actions/token ] && return 0 + [ "$(date +%s)" -gt $end ] && return 1 + sleep 5 + done +} + +store_token() { + echo "Storing the token in Kubernetes secret..." + kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}" +} + +if check_token; then + echo "Key already in place, exiting." + exit +fi + +if ! create_token; then + echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay" + exit 1 +fi + +store_token diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9e9c613..64a5efb 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* +Create a default worker name. +*/}} +{{- define "gitea.workername" -}} +{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} 
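Review bot: `check_token` in scripts/token.sh runs `set +e` and never restores it, and because `set` inside a function changes the whole shell, the `set -e` from the top of the script is off from then on; combined with `2> /dev/null`, a forbidden or unreachable API is indistinguishable from "no token yet". I would drop `set +e` and write `token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)" || return 1`. The timeout message also names the wrong step, since `create_token` waits for `/data/actions/token` rather than for the secret, and it prints `$timeout_delay` without a unit. Separately, the plaintext registration token stays in `/data/actions/token` after `store_token`; if that volume is writable from this container (the Job spec is not fully visible here), removing the file once the patch succeeds would limit where the token is kept.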
@@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} +{{- define "gitea.labels.actRunner" -}} +helm.sh/chart: {{ include "gitea.chart" . }} +app: {{ include "gitea.name" . }}-act-runner +{{ include "gitea.selectorLabels.actRunner" . }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + {{/* Selector labels */}} @@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- define "gitea.selectorLabels.actRunner" -}} +app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + {{- define "postgresql-ha.dns" -}} {{- if (index .Values "postgresql-ha").enabled -}} {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}} @@ -199,6 +220,15 @@ https {{- end -}} {{- end -}} +{{- define "gitea.act_runner.local_root_url" -}} +{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}} + {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}} +{{- else -}} + {{/* fallback for allowing to overwrite this value via inline config */}} + {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}} +{{- end -}} +{{- end -}} + {{- define "gitea.inline_configuration" -}} {{- include "gitea.inline_configuration.init" . -}} {{- include "gitea.inline_configuration.defaults" . -}} 
@@ -263,6 +293,9 @@ https {{- if not (hasKey .Values.gitea.config "indexer") -}} {{- $_ := set .Values.gitea.config "indexer" dict -}} {{- end -}} + {{- if not (hasKey .Values.gitea.config "actions") -}} + {{- $_ := set .Values.gitea.config "actions" dict -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults" -}} @@ -309,6 +342,9 @@ https {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- end -}} + {{- if not .Values.gitea.config.actions.ENABLED -}} + {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults.server" -}} @@ -328,6 +364,9 @@ https {{- if not .Values.gitea.config.server.ROOT_URL -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- end -}} + {{- if .Values.actions.enabled -}} + {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}} + {{- end -}} {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} {{- end -}} diff --git a/templates/gitea/act_runner/01-consistency-checks.yaml b/templates/gitea/act_runner/01-consistency-checks.yaml new file mode 100644 index 0000000..25ae556 --- /dev/null +++ b/templates/gitea/act_runner/01-consistency-checks.yaml 
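Review bot: The `ENABLED` default added to `gitea.inline_configuration.defaults` tests `not .Values.gitea.config.actions.ENABLED`, which is also true when the operator wrote the boolean `ENABLED: false`, so an explicit opt-out in `gitea.config.actions` is overwritten with `"true"` whenever `actions.enabled` is set. Testing for the key keeps an explicit value: `{{- if not (hasKey .Values.gitea.config.actions "ENABLED") -}}`. The enclosing define starts and ends outside this hunk.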
@@ -0,0 +1,15 @@ +{{- if .Values.actions.enabled -}} + {{- if .Values.actions.provisioning.enabled -}} + {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}} + {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}} + {{- end -}} + {{- if and .Values.persistence.enabled .Values.persistence.mount -}} + {{- if .Values.actions.existingSecret -}} + {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}} + {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}} + {{- end -}} +{{- end -}} diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml new file mode 100644 index 0000000..03961ae --- /dev/null +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -0,0 +1,14 @@ +{{- if .Values.actions.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-act-runner-config + labels: + {{- include "gitea.labels" . | nindent 4 }} +data: + config.yaml: | + {{- with .Values.actions.statefulset.actRunner.config -}} + {{ . | nindent 4}} + {{- end -}} +{{- end }} diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml new file mode 100644 index 0000000..688bd20 --- /dev/null +++ b/templates/gitea/act_runner/config-scripts.yaml 
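Review bot: The new ConfigMap in templates/gitea/act_runner/config-act-runner.yaml has no `namespace:` under `metadata`, although patch 10 of this series added `namespace: {{ .Values.namespace | default .Release.Namespace }}` to the existing templates; config-scripts.yaml and the Job in job.yaml omit it as well. With `namespace` set, the runner resources would be created in the release namespace while Gitea and its Secrets are elsewhere. The short Service name `{{ include "gitea.fullname" . }}-http`, used by the `init-gitea` container and by `gitea.act_runner.local_root_url`, would then not resolve across namespaces. I would add the same `namespace:` line below each new `metadata.name`.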
@@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "gitea.fullname" . }}-scripts
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml
new file mode 100644
index 0000000..032671f
--- /dev/null
+++ b/templates/gitea/act_runner/job.yaml
@@ -0,0 +1,114 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- with .Values.actions.provisioning.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/component: token-job + annotations: + {{- with .Values.actions.provisioning.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }} + template: + metadata: + labels: + {{- include "gitea.labels" . | nindent 8 }} + {{- with .Values.actions.provisioning.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app.kubernetes.io/component: token-job + spec: + initContainers: + - name: init-gitea + image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}" + command: + - sh + - -c + - | + while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do + sleep 5 + done + containers: + - name: actions-token-create + image: "{{ include "gitea.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + command: + - sh + - -c + - | + echo "Generating act_runner token via 'gitea actions generate-runner-token'..." 
+ mkdir -p /data/actions/ + gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token + resources: + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} + volumeMounts: + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: actions-token-upload + image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}" + imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }} + env: + - name: SECRET_NAME + value: {{ $secretName }} + command: + - sh + - -c + - | + printf "Checking rights to update kubernetes act_runner secret..." + kubectl auth can-i update secret/${SECRET_NAME} + /scripts/token.sh + resources: + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} + volumeMounts: + - mountPath: /scripts + name: scripts + readOnly: true + - mountPath: /data + name: data + readOnly: true + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- with .Values.actions.provisioning.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.provisioning.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.provisioning.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: Never + serviceAccount: {{ $name }} + volumes: + - name: scripts + configMap: + name: {{ include "gitea.fullname" . }}-scripts + defaultMode: 0755 + - name: data + persistentVolumeClaim: + claimName: {{ .Values.persistence.claimName }} + parallelism: 1 + completions: 1 + backoffLimit: 1 +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml new file mode 100644 index 0000000..b06c18d --- /dev/null +++ b/templates/gitea/act_runner/role-job.yaml 
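Review bot: Neither `sh -c` script in `job.yaml` checks for failure. In `actions-token-create` the pipeline's exit status is that of `tr`, so when `grep -E '^.{40}$'` matches nothing the container still exits 0 and leaves an empty `/data/actions/token`; in `actions-token-upload` the result of `kubectl auth can-i` is discarded and `/scripts/token.sh` runs regardless. Both are regular containers and therefore start together, so `token.sh` (not visible in this diff) presumably has to wait for the file. A sketch of the two scripts with the checks added follows. Separately, `serviceAccount:` near the end of the pod spec is the deprecated spelling of `serviceAccountName:`.

```yaml
# … unchanged: actions-token-create image, env, command: sh -c …
            - |
              set -e
              # … unchanged: echo, mkdir -p /data/actions/ …
              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
              # Fail this container when no 40-character token line was produced.
              test -s /data/actions/token
# … unchanged: resources, volumeMounts, actions-token-upload image and env …
            - |
              set -e
              printf "Checking rights to update kubernetes act_runner secret..."
              kubectl auth can-i update "secret/${SECRET_NAME}"
              /scripts/token.sh
```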
@@ -0,0 +1,25 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ app.kubernetes.io/component: token-job
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - {{ $secretName }}
+ verbs:
+ - get
+ - update
+ - patch
+{{- end }}
+{{- end }}
diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml
new file mode 100644
index 0000000..c80bd3e
--- /dev/null
+++ b/templates/gitea/act_runner/rolebinding-job.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ app.kubernetes.io/component: token-job
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $name }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml
new file mode 100644
index 0000000..e6ee325
--- /dev/null
+++ b/templates/gitea/act_runner/secret-token.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ app.kubernetes.io/component: token-job
+{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ if $secret -}}
+data:
+ token: {{ (b64dec (index $secret.data "token")) | b64enc }}
+{{ end -}}
+{{- end }}
+{{- end }}
diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml
new file mode 100644
index 0000000..e2c0fb4
--- /dev/null
+++ b/templates/gitea/act_runner/serviceaccount-job.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ app.kubernetes.io/component: token-job
+{{- end }}
+{{- end }}
diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml
new file mode 100644
index 0000000..7d5d096
--- /dev/null
+++ b/templates/gitea/act_runner/statefulset.yaml
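Review bot: In `secret-token.yaml`, `index $secret.data "token"` is reached whenever the Secret exists, but the first install renders it with no `data` at all; an upgrade that runs before the token Job has patched the Secret would then likely fail on `index` of a nil map. Reading the value defensively avoids that, e.g. `{{- $token := dig "data" "token" "" $secret }}` followed by `{{- if $token }}` and `token: {{ $token }}`. The `b64dec … | b64enc` round trip is a no-op and can be dropped with it. Since `lookup` returns nothing under `helm template` or a dry run, a comment noting that such renderings emit the Secret without the token would help anyone applying the rendered manifest directly.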
@@ -0,0 +1,114 @@ +{{- if .Values.actions.enabled }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + {{- include "gitea.labels.actRunner" . | nindent 4 }} + {{- with .Values.actions.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.actions.statefulset.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "gitea.fullname" . }}-act-runner +spec: + selector: + matchLabels: + {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }} + template: + metadata: + labels: + {{- include "gitea.labels.actRunner" . | nindent 8 }} + {{- with .Values.actions.statefulset.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + initContainers: + - name: init-gitea + image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}" + command: + - sh + - -c + - | + while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do + sleep 5 + done + containers: + - name: act-runner + image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }} + workingDir: /data + env: + - name: DOCKER_HOST + value: tcp://127.0.0.1:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/server + - name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "{{ .Values.actions.existingSecret | default $secretName }}" + key: "{{ .Values.actions.existingSecretKey | default "token" }}" + - name: GITEA_INSTANCE_URL + value: {{ include "gitea.act_runner.local_root_url" . 
}} + - name: CONFIG_FILE + value: /actrunner/config.yaml + resources: + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} + volumeMounts: + - mountPath: /actrunner/config.yaml + name: act-runner-config + subPath: config.yaml + - mountPath: /certs/server + name: docker-certs + - mountPath: /data + name: data-act-runner + - name: dind + image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }} + env: + - name: DOCKER_HOST + value: tcp://127.0.0.1:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/server + securityContext: + privileged: true + resources: + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} + volumeMounts: + - mountPath: /certs/server + name: docker-certs + {{- with .Values.actions.statefulset.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.statefulset.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.statefulset.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: act-runner-config + configMap: + name: {{ include "gitea.fullname" . }}-act-runner-config + - name: docker-certs + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: data-act-runner + spec: + accessModes: [ "ReadWriteOnce" ] + {{- include "gitea.persistence.storageClass" . | nindent 8 }} + resources: + requests: + storage: 1Mi +{{- end }} diff --git a/unittests/act_runner/01-consistency-checks.yaml b/unittests/act_runner/01-consistency-checks.yaml new file mode 100644 index 0000000..1c30924 --- /dev/null +++ b/unittests/act_runner/01-consistency-checks.yaml 
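Review bot: The pod in `statefulset.yaml` pairs the runner, which executes repository-supplied workflow code, with a `dind` sidecar running `privileged: true`, yet the pod spec sets neither a service account nor `automountServiceAccountToken`. Nothing in this template shows the runner calling the Kubernetes API, so adding `automountServiceAccountToken: false` under `spec.template.spec` would keep the namespace's default token out of both containers. The privileged sidecar also deserves a line next to `actions.enabled` in values.yaml, for example `# NOTE: runs a privileged Docker-in-Docker container; schedule on nodes where that is acceptable`. Both containers reuse `.Values.actions.statefulset.resources`, which may be intended but is not documented.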
@@ -0,0 +1,69 @@ +suite: actions template | consistency checks +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/01-consistency-checks.yaml +tests: + - it: fails when provisioning is enabled BUT persistence is completely disabled + set: + persistence: + enabled: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled + set: + persistence: + enabled: true + mount: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled AND existingSecret is given + set: + actions: + enabled: true + provisioning: + enabled: true + existingSecret: "secret-reference" + asserts: + - failedTemplate: + errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret" + - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing + set: + actions: + enabled: true + provisioning: + enabled: false + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecretKey is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecret: "my-secret" + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecret is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecretKey: "my-secret-key" + asserts: + - failedTemplate: + 
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml new file mode 100644 index 0000000..2cba6bc --- /dev/null +++ b/unittests/act_runner/config-act-runner.yaml @@ -0,0 +1,45 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json +suite: actions template | config-act-runner +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/config-act-runner.yaml +tests: + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-act-runner.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a ConfigMap + template: templates/gitea/act_runner/config-act-runner.yaml + set: + actions: + enabled: true + statefulset: + actRunner: + config: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-act-runner-config + - equal: + path: data["config.yaml"] + value: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml new file mode 100644 index 0000000..da6d9aa --- /dev/null +++ b/unittests/act_runner/config-scripts.yaml 
@@ -0,0 +1,49 @@ +suite: actions template | config-scripts +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/config-scripts.yaml +tests: + - it: renders a ConfigMap when all criteria are met + template: templates/gitea/act_runner/config-scripts.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-scripts + - isNotNullOrEmpty: + path: data["token.sh"] + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria + template: templates/gitea/act_runner/config-scripts.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml new file mode 100644 index 0000000..c1d32e2 --- /dev/null +++ b/unittests/act_runner/job.yaml 
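Review bot: The case `doesn't renders a ConfigMap with disabled actions but enabled provisioning` has no `set:` block, so it renders with chart defaults and repeats the `by default` case above it rather than testing what its title says. Adding `set:` with `actions.enabled: false` and `actions.provisioning.enabled: true` would exercise the outer guard on its own. The last case already covers the combination with persistence enabled.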
@@ -0,0 +1,65 @@ +suite: actions template | job +release: + name: gitea-unittests + namespace: testing +chart: + # Override appVersion to have a pinned version for comparison + appVersion: 1.19.3 +templates: + - templates/gitea/act_runner/job.yaml +tests: + - it: renders a Job + template: templates/gitea/act_runner/job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Job + apiVersion: batch/v1 + name: gitea-unittests-actions-token-job + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.3-rootless" + - it: tag override + template: templates/gitea/act_runner/job.yaml + set: + image.tag: "1.19.4" + actions: + enabled: true + provisioning: + enabled: true + publish: + tag: "1.29.0" + persistence: + enabled: true + mount: true + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.4-rootless" + - equal: + path: spec.template.spec.containers[1].image + value: "bitnami/kubectl:1.29.0" + - it: doesn't renders a Job by default + template: templates/gitea/act_runner/job.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled + template: templates/gitea/act_runner/job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml new file mode 100644 index 0000000..8c511d8 --- /dev/null +++ b/unittests/act_runner/role-job.yaml 
@@ -0,0 +1,42 @@ +suite: actions template | role-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/role-job.yaml +tests: + - it: doesn't renders a Role by default + template: templates/gitea/act_runner/role-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a Role + template: templates/gitea/act_runner/role-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a Role when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/role-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml new file mode 100644 index 0000000..2073bfc --- /dev/null +++ b/unittests/act_runner/rolebinding-job.yaml 
@@ -0,0 +1,42 @@ +suite: actions template | rolebinding-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/rolebinding-job.yaml +tests: + - it: doesn't renders a RoleBinding by default + template: templates/gitea/act_runner/rolebinding-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a RoleBinding + template: templates/gitea/act_runner/rolebinding-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/rolebinding-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml new file mode 100644 index 0000000..b5054f3 --- /dev/null +++ b/unittests/act_runner/secret-token.yaml 
@@ -0,0 +1,42 @@ +suite: actions template | secret-token +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/secret-token.yaml +tests: + - it: doesn't renders a Secret by default + template: templates/gitea/act_runner/secret-token.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a Secret + template: templates/gitea/act_runner/secret-token.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-actions-token + - it: doesn't renders a Secret when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/secret-token.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml new file mode 100644 index 0000000..bf8f0c8 --- /dev/null +++ b/unittests/act_runner/serviceaccount-job.yaml 
@@ -0,0 +1,42 @@ +suite: actions template | serviceaccount-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/serviceaccount-job.yaml +tests: + - it: doesn't renders a ServiceAccount by default + template: templates/gitea/act_runner/serviceaccount-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a ServiceAccount + template: templates/gitea/act_runner/serviceaccount-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/serviceaccount-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml new file mode 100644 index 0000000..cc10157 --- /dev/null +++ b/unittests/act_runner/statefulset.yaml 
@@ -0,0 +1,95 @@ +suite: actions template | statefulset +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/statefulset.yaml +tests: + - it: doesn't renders a StatefulSet by default + template: templates/gitea/act_runner/statefulset.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a StatefulSet (with given existingSecret/existingSecretKey) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "my-secret" + key: "my-secret-key" + - it: renders a StatefulSet (with secret reference defaults for enabled provisioning) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "gitea-unittests-actions-token" + key: "token" + - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://gitea-unittests-http:3000" + - it: renders a StatefulSet 
(with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://git.example.com" diff --git a/unittests/config/actions-config.yaml b/unittests/config/actions-config.yaml new file mode 100644 index 0000000..ada9694 --- /dev/null +++ b/unittests/config/actions-config.yaml 
@@ -0,0 +1,61 @@ +suite: config template | actions config +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/config.yaml +tests: + - it: "actions are not enabled by default" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=false + + - it: "actions can be enabled via inline config" + template: templates/gitea/config.yaml + set: + gitea.config.actions.ENABLED: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "actions can be enabled via dedicated values object" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "defines LOCAL_ROOT_URL when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000 + + - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://git.example.com diff --git a/values.yaml b/values.yaml index 2b7ad7d..31c1d21 100644 --- a/values.yaml +++ b/values.yaml 
@@ -348,6 +348,96 @@ signing: # -----END PGP PRIVATE KEY BLOCK----- existingSecret: "" +# Configure Gitea Actions +# - must enable persistence if the job is enabled +## @section Gitea Actions +# +## @param actions.enabled Create an act runner StatefulSet. +## @param actions.init.image.repository The image used for the init containers +## @param actions.init.image.tag The image tag used for the init containers +## @param actions.statefulset.annotations Act runner annotations +## @param actions.statefulset.labels Act runner labels +## @param actions.statefulset.resources Act runner resources +## @param actions.statefulset.nodeSelector NodeSelector for the statefulset +## @param actions.statefulset.tolerations Tolerations for the statefulset +## @param actions.statefulset.affinity Affinity for the statefulset +## @param actions.statefulset.actRunner.repository The Gitea act runner image +## @param actions.statefulset.actRunner.tag The Gitea act runner tag +## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy +## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. 
+## @param actions.statefulset.dind.repository The Docker-in-Docker image +## @param actions.statefulset.dind.tag The Docker-in-Docker image tag +## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret +## @param actions.provisioning.annotations Job's annotations +## @param actions.provisioning.labels Job's labels +## @param actions.provisioning.resources Job's resources +## @param actions.provisioning.nodeSelector NodeSelector for the job +## @param actions.provisioning.tolerations Tolerations for the job +## @param actions.provisioning.affinity Affinity for the job +## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed +## @param actions.provisioning.publish.repository The image that can create the secret via kubectl +## @param actions.provisioning.publish.tag The publish image tag that can create the secret +## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret +## @param actions.existingSecret Secret that contains the token +## @param actions.existingSecretKey Secret key +actions: + enabled: false + statefulset: + annotations: {} + labels: {} + resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + actRunner: + repository: gitea/act_runner + tag: 0.2.11 + pullPolicy: IfNotPresent + + config: | + log: + level: debug + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" + + dind: + repository: docker + tag: 25.0.2-dind + pullPolicy: IfNotPresent + + init: + image: + repository: busybox + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "1.36.1" + + provisioning: + enabled: false + + annotations: {} + labels: {} + resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + publish: + repository: bitnami/kubectl + tag: 1.29.0 + pullPolicy: IfNotPresent + + ttlSecondsAfterFinished: 300 + + ## Specify an existing token secret + ## + existingSecret: "" + existingSecretKey: "" + ## @section Gitea # gitea: -- 2.40.1 From 7b892431d6eb961f963dbd5ffca7cf6e28c33c0e Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sun, 10 Nov 2024 14:02:15 +0000 Subject: [PATCH 16/24] Support custom envs for Action DinD container (#722) Follow-up to https://gitea.com/gitea/helm-chart/pulls/666. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/722 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- README.md | 1 + templates/gitea/act_runner/statefulset.yaml | 3 +++ unittests/act_runner/statefulset.yaml | 16 ++++++++++++++++ values.yaml | 6 ++++++ 4 files changed, 26 insertions(+) diff --git a/README.md b/README.md index a6f4c2b..ec41ac5 100644 --- a/README.md +++ b/README.md @@ -1028,6 +1028,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | | `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | | `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | | `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | | `actions.provisioning.annotations` | Job's annotations | `{}` | | `actions.provisioning.labels` | Job's labels | `{}` | diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 7d5d096..58939d2 100644 --- a/templates/gitea/act_runner/statefulset.yaml 
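Review bot: The four images introduced in this values.yaml hunk (`gitea/act_runner`, `docker` dind, `busybox`, `bitnami/kubectl`) can only be selected by `repository` and `tag`, although the dind one runs privileged and the kubectl one runs under the service account that may update the token Secret. Because the templates build the reference as `repository:tag`, a comment such as `# To pin by digest, set tag to "<tag>@sha256:<digest>"` would document a way to pin them without template changes. The comment `# Overrides the image tag whose default is the chart appVersion.` above `actions.init.image.tag` does not match the code, where the default is `"1.36.1"`. The default runner config also ships `log.level: debug`; `info`, as used in the unit test, may be the safer default.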
+++ b/templates/gitea/act_runner/statefulset.yaml @@ -77,6 +77,9 @@ spec: value: "1" - name: DOCKER_CERT_PATH value: /certs/server + {{- if .Values.actions.statefulset.dind.extraEnvs }} + {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }} + {{- end }} securityContext: privileged: true resources: diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml index cc10157..cd350d9 100644 --- a/unittests/act_runner/statefulset.yaml +++ b/unittests/act_runner/statefulset.yaml @@ -93,3 +93,19 @@ tests: value: name: GITEA_INSTANCE_URL value: "http://git.example.com" + - it: allows adding custom environment variables to the docker-in-docker container + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + statefulset: + dind: + extraEnvs: + - name: "CUSTOM_ENV_NAME" + value: "custom env value" + asserts: + - equal: + path: spec.template.spec.containers[1].env[3] + value: + name: "CUSTOM_ENV_NAME" + value: "custom env value" diff --git a/values.yaml b/values.yaml index 31c1d21..f3998ec 100644 --- a/values.yaml +++ b/values.yaml @@ -368,6 +368,7 @@ signing: ## @param actions.statefulset.dind.repository The Docker-in-Docker image ## @param actions.statefulset.dind.tag The Docker-in-Docker image tag ## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` ## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.provisioning.annotations Job's annotations ## @param actions.provisioning.labels Job's labels 
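Review bot: `extraEnvs` is appended after the chart's own `DOCKER_HOST`, `DOCKER_TLS_VERIFY` and `DOCKER_CERT_PATH` entries of the privileged `dind` container, and nothing stops an entry from reusing one of those names. As far as I know Kubernetes lets the later duplicate win, so such an entry would silently replace the chart's TLS-related settings. A sentence in the values.yaml comment for `extraEnvs`, such as `# Entries are appended after the chart's DOCKER_* variables; reusing one of those names overrides it`, would make that explicit. `{{- with .Values.actions.statefulset.dind.extraEnvs }}` would also match the `with` idiom used elsewhere in this template.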
@@ -409,6 +410,11 @@ actions: repository: docker tag: 25.0.2-dind pullPolicy: IfNotPresent + # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable. + # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456 + extraEnvs: [] + # - name: "DOCKER_IPTABLES_LEGACY" + # value: "1" init: image: -- 2.40.1 From 2be2e2a639edbc463b64ac1e4d755223def20a32 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sun, 10 Nov 2024 20:15:46 +0000 Subject: [PATCH 17/24] Ensure dev-only files are not added to the tgz package (#723) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/723 Reviewed-by: techknowlogick --- .helmignore | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.helmignore b/.helmignore index e608c23..c0341ca 100644 --- a/.helmignore +++ b/.helmignore @@ -31,3 +31,8 @@ Makefile .drone.yml CONTRIBUTING.md unittests/ +.editorconfig +.prettierignore +.yamllint +CODEOWNERS +renovate.json5 -- 2.40.1 From 3bacaaad84fdae1e81cbe5a73577d5872cf08fba Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 30 Nov 2024 02:09:16 +0000 Subject: [PATCH 18/24] chore(deps): update subcharts (minor & patch) (#733) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.lock | 8 ++++---- Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Chart.lock b/Chart.lock index 5023ad2..17a14d8 100644 --- a/Chart.lock +++ b/Chart.lock 
@@ -1,15 +1,15 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.20 + version: 15.5.38 - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.16 + version: 14.3.10 - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts version: 10.3.0 - name: redis repository: oci://registry-1.docker.io/bitnamicharts version: 19.6.4 -digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732 -generated: "2024-08-03T00:21:16.080925346Z" +digest: sha256:462d513ac8ef7abfe26030fd2ea93eb79df167a861ebe09d6c58c7dcd5601e85 +generated: "2024-11-30T00:41:29.178889496Z" diff --git a/Chart.yaml b/Chart.yaml index dbdcae0..6cf2c41 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -36,12 +36,12 @@ dependencies: # https://github.com/bitnami/charts/blob/main/bitnami/postgresql - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.20 + version: 15.5.38 condition: postgresql.enabled # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.16 + version: 14.3.10 condition: postgresql-ha.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml - name: redis-cluster -- 2.40.1 From 389a8460e4d24b87d0644652cb5543a787333262 Mon Sep 17 00:00:00 2001 
From: Hitesh Nayak Date: Sat, 30 Nov 2024 13:59:29 +0000 Subject: [PATCH 19/24] feat(service-monitor): support bearer token authentication on metrics endpoint (#719) ### Benefits Can protect metrics endpoint with `Bearer` token authentication provided by gitea. see PR #637 for previous discussion. ### Possible drawbacks No possible drawbacks ### Applicable issues - fixes #635 ### Additional information ``` gitea: metrics: enabled: true token: "somepassword" serviceMonitor: enabled: true ``` Using above configuration is sufficient to secure /metrics endpoint with bearer token and corresponding ServiceMonitor. ### Checklist - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] ~~Breaking changes are documented in the `README.md`~~ Not applicable - [x] Templating unittests are added 
Signed-off-by: Hitesh Nayak Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/719 Reviewed-by: justusbunsi Co-authored-by: Hitesh Nayak Co-committed-by: Hitesh Nayak --- README.md | 17 +++++ templates/_helpers.tpl | 7 ++ templates/gitea/metrics-secret.yaml | 12 ++++ templates/gitea/servicemonitor.yaml | 8 +++ .../config/metrics-section_metrics-token.yaml | 58 +++++++++++++++ ...etrics-secret-servicemonitor-disabled.yaml | 23 ++++++ ...metrics-secret-servicemonitor-enabled.yaml | 33 +++++++++ .../servicemonitor-disabled.yaml | 23 ++++++ .../servicemonitor-enabled.yaml | 70 +++++++++++++++++++ values.yaml | 2 + 10 files changed, 253 insertions(+) create mode 100644 templates/gitea/metrics-secret.yaml create mode 100644 unittests/config/metrics-section_metrics-token.yaml create mode 100644 unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml create mode 100644 unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml create mode 100644 unittests/servicemonitor/servicemonitor-disabled.yaml create mode 100644 unittests/servicemonitor/servicemonitor-enabled.yaml diff --git a/README.md b/README.md index ec41ac5..d2dd0fd 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ - [OAuth2 Settings](#oauth2-settings) - [Configure commit signing](#configure-commit-signing) - [Metrics and profiling](#metrics-and-profiling) + - [Secure Metrics Endpoint](#secure-metrics-endpoint) - [Pod annotations](#pod-annotations) - [Themes](#themes) - [Renovate](#renovate) @@ -747,6 +748,21 @@ gitea: ENABLE_PPROF: true ``` +### Secure Metrics Endpoint + +Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication. + +**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`. + +```yaml +gitea: + metrics: + token: "secure-token" + enabled: true + serviceMonitor: + enabled: true +``` + ## Pod annotations Annotations can be added to the Gitea pod. 
@@ -1053,6 +1069,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | | `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | | `gitea.metrics.enabled` | Enable Gitea metrics | `false` | +| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` | | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | | `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | | `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 64a5efb..1b7cf3b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -311,6 +311,9 @@ https {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} {{- end -}} + {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}} + {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}} + {{- end -}} {{- /* redis queue */ -}} {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}} {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}} @@ -465,3 +468,7 @@ https {{- end -}} {{- toYaml $probe -}} {{- end -}} + +{{- define "gitea.metrics-secret-name" -}} +{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }} +{{- end -}} \ No newline at end of file 
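Review bot: The `TOKEN` default added in the `@@ -311,6 +311,9 @@` hunk of templates/_helpers.tpl is skipped when `gitea.config.metrics.TOKEN` is already set, but the new Secret in templates/gitea/metrics-secret.yaml and the `authorization` block in templates/gitea/servicemonitor.yaml read only `.Values.gitea.metrics.token`. A deployment that sets the token through `gitea.config.metrics` would get a ServiceMonitor with no credentials, or with a different token than the one Gitea enforces. Scraping would then presumably be rejected at runtime, with nothing flagged at render time. I would derive the Secret and the `if` in servicemonitor.yaml from the same effective value, or `fail` when both are set and differ, and add a unittest for that combination. The helper this hunk sits in starts and ends outside the hunk.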
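Review bot: In the new `gitea.metrics-secret-name` helper (`@@ -465,3 +468,7 @@` hunk of templates/_helpers.tpl), `default` is called with a single argument, so it always returns the `printf` result and has nothing to fall back from. `{{- printf "%s-metrics-secret" (include "gitea.fullname" .) -}}` expresses the same thing. If an override such as a user-supplied secret name was intended, the second argument is missing. The file also now ends without a trailing newline.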
diff --git a/templates/gitea/metrics-secret.yaml b/templates/gitea/metrics-secret.yaml new file mode 100644 index 0000000..fe26596 --- /dev/null +++ b/templates/gitea/metrics-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.metrics-secret-name" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +data: + token: {{ .Values.gitea.metrics.token | b64enc }} +{{- end }} \ No newline at end of file diff --git a/templates/gitea/servicemonitor.yaml b/templates/gitea/servicemonitor.yaml index 1774214..502a1a8 100644 --- a/templates/gitea/servicemonitor.yaml +++ b/templates/gitea/servicemonitor.yaml @@ -32,4 +32,12 @@ spec: tlsConfig: {{- . | toYaml | nindent 6 }} {{- end }} + {{- if .Values.gitea.metrics.token }} + authorization: + type: Bearer + credentials: + name: {{ include "gitea.metrics-secret-name" . }} + key: token + optional: false + {{- end }} {{- end -}} \ No newline at end of file diff --git a/unittests/config/metrics-section_metrics-token.yaml b/unittests/config/metrics-section_metrics-token.yaml new file mode 100644 index 0000000..b8115a1 --- /dev/null +++ b/unittests/config/metrics-section_metrics-token.yaml 
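Review bot: `token: {{ .Values.gitea.metrics.token | b64enc }}` in the new templates/gitea/metrics-secret.yaml assumes the value is a string. A token written unquoted in a values file and typed by YAML as a number would most likely make `b64enc` fail at render time. `token: {{ .Values.gitea.metrics.token | toString | b64enc | quote }}` avoids that. Separately, the token can only be supplied as a chart value, so it is kept with the release values. The chart already offers `existingSecret`/`existingSecretKey` for the runner token, and the same option here would let operators keep the metrics token out of values files.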
@@ -0,0 +1,58 @@ +suite: config template | metrics section (metrics token) +release: + name: gitea-unittests + namespace: testing +tests: + - it: metrics token is set + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + TOKEN=somepassword + - it: metrics token is empty + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: metrics token is nil + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: does not configures a token if metrics are disabled + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: false + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=false diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml new file mode 100644 index 0000000..e3776ca --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml 
@@ -0,0 +1,23 @@ +suite: Metrics secret template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring disabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if monitoring disabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml new file mode 100644 index 0000000..78e714a --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml @@ -0,0 +1,33 @@ +suite: Metrics secret template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring enabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders Secret if monitoring enabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-metrics-secret + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: data.token + value: "dGVzdC10b2tlbg==" diff --git a/unittests/servicemonitor/servicemonitor-disabled.yaml b/unittests/servicemonitor/servicemonitor-disabled.yaml new file mode 100644 index 0000000..5b2de44 --- /dev/null 
+++ b/unittests/servicemonitor/servicemonitor-disabled.yaml @@ -0,0 +1,23 @@ +suite: ServiceMonitor template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: false + gitea.metrics.token: "" + gitea.metrics.serviceMonitor.enabled: false + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: false + gitea.metrics.token: "test-token" + gitea.metrics.serviceMonitor.enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/servicemonitor/servicemonitor-enabled.yaml b/unittests/servicemonitor/servicemonitor-enabled.yaml new file mode 100644 index 0000000..29d83ca --- /dev/null +++ b/unittests/servicemonitor/servicemonitor-enabled.yaml 
@@ -0,0 +1,70 @@ +suite: ServiceMonitor template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders unsecure ServiceMonitor if gitea.metrics.token nil + set: + gitea.metrics.enabled: true + gitea.metrics.token: + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + - it: renders unsecure ServiceMonitor if gitea.metrics.token empty + set: + gitea.metrics.enabled: true + gitea.metrics.token: "" + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + - it: renders secure ServiceMonitor if gitea.metrics.token not empty + set: + gitea.metrics.enabled: true + gitea.metrics.token: "test-token" + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + authorization: + type: Bearer + credentials: + name: gitea-unittests-metrics-secret + key: token + optional: false diff --git a/values.yaml b/values.yaml index f3998ec..2dfb62d 100644 --- a/values.yaml +++ b/values.yaml 
@@ -461,6 +461,7 @@ gitea: passwordMode: keepUpdated ## @param gitea.metrics.enabled Enable Gitea metrics + ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. @@ -469,6 +470,7 @@ gitea: ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. metrics: enabled: false + token: serviceMonitor: enabled: false # additionalLabels: -- 2.40.1 From 5f7d35390127e523b64449631a55c88773f0ef90 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sat, 30 Nov 2024 14:47:18 +0000 Subject: [PATCH 20/24] Prevent reoccurring namespace inconsistencies (#737) https://gitea.com/gitea/helm-chart/pulls/713 ensured that all resources contain a `namespace` field. When adding Gitea actions runner support in https://gitea.com/gitea/helm-chart/pulls/666, this was an oversight. Signed-off-by: justusbunsi Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/737 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- .gitea/PULL_REQUEST_TEMPLATE.md | 1 + templates/gitea/act_runner/config-act-runner.yaml | 1 + templates/gitea/act_runner/config-scripts.yaml | 1 + templates/gitea/act_runner/job.yaml | 1 + templates/gitea/act_runner/role-job.yaml | 1 + templates/gitea/act_runner/rolebinding-job.yaml | 1 + templates/gitea/act_runner/secret-token.yaml | 1 + templates/gitea/act_runner/serviceaccount-job.yaml | 1 + templates/gitea/act_runner/statefulset.yaml | 1 + 9 files changed, 9 insertions(+) 
diff --git a/.gitea/PULL_REQUEST_TEMPLATE.md b/.gitea/PULL_REQUEST_TEMPLATE.md index 01ad275..686d550 100644 --- a/.gitea/PULL_REQUEST_TEMPLATE.md +++ b/.gitea/PULL_REQUEST_TEMPLATE.md @@ -40,3 +40,4 @@ - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] Breaking changes are documented in the `README.md` - [ ] Templating unittests are added +- [ ] All added template resources MUST render a namespace in metadata diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml index 03961ae..433fb69 100644 --- a/templates/gitea/act_runner/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "gitea.fullname" . }}-act-runner-config + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} data: diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml index 688bd20..31b926e 100644 --- a/templates/gitea/act_runner/config-scripts.yaml +++ b/templates/gitea/act_runner/config-scripts.yaml @@ -5,6 +5,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "gitea.fullname" . }}-scripts + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} data: diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 032671f..e8189d9 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -7,6 +7,7 @@ apiVersion: batch/v1 kind: Job metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} {{- with .Values.actions.provisioning.labels }} 
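Review bot: The expression `{{ .Values.namespace | default .Release.Namespace }}` is pasted into each act_runner template, here in config-act-runner.yaml, config-scripts.yaml and job.yaml, then again in role-job.yaml, rolebinding-job.yaml, secret-token.yaml, serviceaccount-job.yaml and statefulset.yaml. That leaves the consistency this commit is after dependent on the new checklist item being followed by hand. Unless the chart already has such a helper outside this patch, a named template (for example `{{- define "gitea.namespace" -}}{{ .Values.namespace | default .Release.Namespace }}{{- end -}}`) used as `namespace: {{ include "gitea.namespace" . }}` would give one place to change. A unittest asserting `metadata.namespace` on every rendered document would enforce the rule mechanically.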
diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml index b06c18d..c2afa57 100644 --- a/templates/gitea/act_runner/role-job.yaml +++ b/templates/gitea/act_runner/role-job.yaml @@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml index c80bd3e..1c67e84 100644 --- a/templates/gitea/act_runner/rolebinding-job.yaml +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml index e6ee325..bc3416b 100644 --- a/templates/gitea/act_runner/secret-token.yaml +++ b/templates/gitea/act_runner/secret-token.yaml @@ -7,6 +7,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml index e2c0fb4..dd39752 100644 --- a/templates/gitea/act_runner/serviceaccount-job.yaml +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -6,6 +6,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job 
diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 58939d2..46382bf 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -14,6 +14,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "gitea.fullname" . }}-act-runner + namespace: {{ .Values.namespace | default .Release.Namespace }} spec: selector: matchLabels: -- 2.40.1 From 52153021e33953d0861af4b86c78fe2cc393b135 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sat, 30 Nov 2024 16:07:23 +0000 Subject: [PATCH 21/24] Finetune Renovate configuration (#738) `go-gitea/gitea` is no workflow dependency and therefore should not be grouped as such. It got automatically matched due to `custom.regex` manager in that rule. Since we now have image dependencies in our `values.yaml`, PR builds will fail when these changes are not represented in `README.md`. Using a [postUpgradeTask](https://docs.renovatebot.com/configuration-options/#postupgradetasks) allows customized Renovate behavior. Signed-off-by: justusbunsi Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/738 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- renovate.json5 | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/renovate.json5 b/renovate.json5 index d0a0ac6..7605fa7 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -63,6 +63,25 @@ 'patch', 'digest', ], + matchFileNames: [ + '!Chart.yaml', + ], + }, + { + description: 'Update README.md on changes in values.yaml', + matchManagers: [ + 'helm-values', + ], + postUpgradeTasks: { + commands: [ + 'install-tool node', + 'make readme', + ], + fileFilters: [ + 'README.md', + ], + executionMode: 'update', + }, }, { description: 'Override changelog url for Helm image, to have release notes in our PRs', -- 2.40.1 From 7cae9d3404a2b55b562c6cd546a1b042d7ef67de Mon Sep 17 00:00:00 2001 
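Review bot: The new `postUpgradeTasks` rule in renovate.json5 makes the Renovate runner execute `install-tool node` and `make readme`. That runs the repository's Makefile, and presumably its npm dev dependencies, inside the bot's environment with whatever credentials that process holds. Self-hosted Renovate only runs post-upgrade commands that match the administrator's allowlist (`allowedPostUpgradeCommands`, renamed `allowedCommands` in newer releases), so the rule does nothing unless that is configured. I would add a comment above the rule such as `// needs the bot's command allowlist to permit exactly 'install-tool node' and 'make readme'`. The allowlist should stay anchored to those exact strings, not a broad pattern, and the `readme` target should install from the lockfile.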
From: Renovate Bot Date: Sat, 30 Nov 2024 23:34:16 +0000 Subject: [PATCH 22/24] chore(deps): update busybox docker tag to v1.37.0 (#734) This PR contains the following updates: | Package | Update | Change | |---|---|---| | busybox | minor | `1.36.1` -> `1.37.0` | --- Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/734 Reviewed-by: techknowlogick Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- README.md | 2 +- values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d2dd0fd..2f9c9ba 100644 --- a/README.md +++ b/README.md @@ -1030,7 +1030,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | | `actions.enabled` | Create an act runner StatefulSet. | `false` | | `actions.init.image.repository` | The image used for the init containers | `busybox` | -| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` | +| `actions.init.image.tag` | The image tag used for the init containers | `1.37.0` | | `actions.statefulset.annotations` | Act runner annotations | `{}` | | `actions.statefulset.labels` | Act runner labels | `{}` | | `actions.statefulset.resources` | Act runner resources | `{}` | diff --git a/values.yaml b/values.yaml index 2dfb62d..cf9308d 100644 --- a/values.yaml +++ b/values.yaml @@ -420,7 +420,7 @@ actions: image: repository: busybox # Overrides the image tag whose default is the chart appVersion. - tag: "1.36.1" + tag: "1.37.0" provisioning: enabled: false -- 2.40.1 From e3db83e22b923bbea7aec27c9c4dfc3e69675f35 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Sat, 30 Nov 2024 23:44:11 +0000 Subject: [PATCH 23/24] chore(deps): update dependency go-gitea/gitea to v1.22.4 (#740) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [go-gitea/gitea](https://github.com/go-gitea/gitea) | patch | `1.22.3` -> `1.22.4` | --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/740 Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 6cf2c41..21a0e63 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes type: application version: 0.0.0 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?.*)$ -appVersion: 1.22.3 +appVersion: 1.22.4 icon: https://gitea.com/assets/img/logo.svg keywords: -- 2.40.1 From aec87c249050aca00e560e3d560dceaf13df8d0c Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Sat, 30 Nov 2024 23:47:49 +0000 Subject: [PATCH 24/24] chore(deps): update workflow dependencies (minor & patch) (#735) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | | minor | `3.15.3` -> `3.16.3` | | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | container | minor | `3.15.3` -> `3.16.3` | | [helm-unittest/helm-unittest](https://github.com/helm-unittest/helm-unittest) | | minor | `v0.5.2` -> `v0.7.0` | | [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli) | devDependencies | minor | [`^0.41.0` -> `^0.43.0`](https://renovatebot.com/diffs/npm/markdownlint-cli/0.41.0/0.43.0) | --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/735 Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- .gitea/workflows/release-version.yml | 2 +- .gitea/workflows/test-pr.yml | 4 +- .vscode/settings.json | 2 +- package-lock.json | 149 +++++++++++++-------------- package.json | 2 +- 5 files changed, 74 insertions(+), 85 deletions(-) diff --git a/.gitea/workflows/release-version.yml b/.gitea/workflows/release-version.yml index 994add0..3b95267 100644 --- a/.gitea/workflows/release-version.yml +++ b/.gitea/workflows/release-version.yml @@ -7,7 +7,7 @@ on: env: # renovate: datasource=docker depName=alpine/helm - HELM_VERSION: "3.15.3" + HELM_VERSION: "3.16.3" jobs: generate-chart-publish: diff --git a/.gitea/workflows/test-pr.yml b/.gitea/workflows/test-pr.yml index 78ed267..2797c75 100644 --- a/.gitea/workflows/test-pr.yml +++ b/.gitea/workflows/test-pr.yml 
@@ -11,12 +11,12 @@ on: env: # renovate: datasource=github-releases depName=helm-unittest/helm-unittest - HELM_UNITTEST_VERSION: "v0.5.2" + HELM_UNITTEST_VERSION: "v0.7.0" jobs: check-and-test: runs-on: ubuntu-latest - container: alpine/helm:3.15.3 + container: alpine/helm:3.16.3 steps: - name: install tools run: | diff --git a/.vscode/settings.json b/.vscode/settings.json index 5271d28..1b31698 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,6 @@ { "yaml.schemas": { - "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [ + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.0/schema/helm-testsuite.json": [ "/unittests/**/*.yaml" ] }, diff --git a/package-lock.json b/package-lock.json index c00c95e..3edacb1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "license": "MIT", "devDependencies": { "@bitnami/readme-generator-for-helm": "^2.5.0", - "markdownlint-cli": "^0.41.0" + "markdownlint-cli": "^0.43.0" }, "engines": { "node": ">=16.0.0", @@ -48,16 +48,6 @@ "node": ">=12" } }, - "node_modules/@pkgjs/parseargs": { - "version": "0.11.0", - "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", - "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", - "dev": true, - "optional": true, - "engines": { - "node": ">=14" - } - }, "node_modules/ansi-regex": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz", 
@@ -228,18 +218,6 @@ "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", "dev": true }, - "node_modules/get-stdin": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz", - "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==", - "dev": true, - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", @@ -261,10 +239,11 @@ } }, "node_modules/ignore": { - "version": "5.3.1", - "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz", - "integrity": "sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==", + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-6.0.2.tgz", + "integrity": "sha512-InwqeHHN2XpumIkMvpl/DCJVrAHgCsG5+cn1XlnLWGwtZBm8QJfSusItfrwx81CTp5agNZqpKU2J/ccC5nGT4A==", "dev": true, + "license": "MIT", "engines": { "node": ">= 4" } @@ -310,22 +289,19 @@ "dev": true }, "node_modules/jackspeak": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.1.2.tgz", - "integrity": "sha512-kWmLKn2tRtfYMF/BakihVVRzBKOxz4gJMiL2Rj91WnAB5TPZumSH99R/Yf1qE1u4uRimvCSJfm6hnxohXeEXjQ==", + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.0.2.tgz", + "integrity": "sha512-bZsjR/iRjl1Nk1UkjGpAzLNfQtzuijhn2g+pbZb98HQ1Gk8vM9hfbxeMBP+M2/UUdwj0RqGG3mlvk2MsAqwvEw==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/cliui": "^8.0.2" }, "engines": { - "node": ">=14" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" - }, - "optionalDependencies": { - "@pkgjs/parseargs": "^0.11.0" } }, "node_modules/js-yaml": { 
@@ -341,10 +317,11 @@ } }, "node_modules/jsonc-parser": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.1.tgz", - "integrity": "sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==", - "dev": true + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz", + "integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==", + "dev": true, + "license": "MIT" }, "node_modules/jsonpointer": { "version": "5.0.1", @@ -371,12 +348,13 @@ "dev": true }, "node_modules/lru-cache": { - "version": "10.2.2", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz", - "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==", + "version": "11.0.2", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.0.2.tgz", + "integrity": "sha512-123qHRfJBmo2jXDbo/a5YOQrJoHF/GNQTLzQ5+IdK5pWpceK17yRc6ozlWd25FxvGKQbIUs91fDFkXmDHTKcyA==", "dev": true, + "license": "ISC", "engines": { - "node": "14 || >=16.14" + "node": "20 || >=22" } }, "node_modules/markdown-it": { @@ -410,13 +388,14 @@ } }, "node_modules/markdownlint": { - "version": "0.34.0", - "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.34.0.tgz", - "integrity": "sha512-qwGyuyKwjkEMOJ10XN6OTKNOVYvOIi35RNvDLNxTof5s8UmyGHlCdpngRHoRGNvQVGuxO3BJ7uNSgdeX166WXw==", + "version": "0.36.1", + "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.36.1.tgz", + "integrity": "sha512-s73fU2CQN7WCgjhaQUQ8wYESQNzGRNOKDd+3xgVqu8kuTEhmwepd/mxOv1LR2oV046ONrTLBFsM7IoKWNvmy5g==", "dev": true, + "license": "MIT", "dependencies": { "markdown-it": "14.1.0", - "markdownlint-micromark": "0.1.9" + "markdownlint-micromark": "0.1.12" }, "engines": { "node": ">=18" 
@@ -426,23 +405,22 @@ } }, "node_modules/markdownlint-cli": { - "version": "0.41.0", - "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.41.0.tgz", - "integrity": "sha512-kp29tKrMKdn+xonfefjp3a/MsNzAd9c5ke0ydMEI9PR98bOjzglYN4nfMSaIs69msUf1DNkgevAIAPtK2SeX0Q==", + "version": "0.43.0", + "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.43.0.tgz", + "integrity": "sha512-6vwurKK4B21eyYzwgX6ph13cZS7hE6LZfcS8QyD722CyxVD2RtAvbZK2p7k+FZbbKORulEuwl+hJaEq1l6/hoQ==", "dev": true, "license": "MIT", "dependencies": { "commander": "~12.1.0", - "get-stdin": "~9.0.0", - "glob": "~10.4.1", - "ignore": "~5.3.1", + "glob": "~11.0.0", + "ignore": "~6.0.2", "js-yaml": "^4.1.0", - "jsonc-parser": "~3.2.1", + "jsonc-parser": "~3.3.1", "jsonpointer": "5.0.1", - "markdownlint": "~0.34.0", - "minimatch": "~9.0.4", + "markdownlint": "~0.36.1", + "minimatch": "~10.0.1", "run-con": "~1.3.2", - "smol-toml": "~1.2.0" + "smol-toml": "~1.3.1" }, "bin": { "markdownlint": "markdownlint.js" 
@@ -472,49 +450,51 @@ } }, "node_modules/markdownlint-cli/node_modules/glob": { - "version": "10.4.1", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.1.tgz", - "integrity": "sha512-2jelhlq3E4ho74ZyVLN03oKdAZVUa6UDZzFLVH1H7dnoax+y9qyaq8zBkfDIggjniU19z0wU18y16jMB2eyVIw==", + "version": "11.0.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-11.0.0.tgz", + "integrity": "sha512-9UiX/Bl6J2yaBbxKoEBRm4Cipxgok8kQYcOPEhScPwebu2I0HoQOuYdIO6S3hLuWoZgpDpwQZMzTFxgpkyT76g==", "dev": true, "license": "ISC", "dependencies": { "foreground-child": "^3.1.0", - "jackspeak": "^3.1.2", - "minimatch": "^9.0.4", + "jackspeak": "^4.0.1", + "minimatch": "^10.0.0", "minipass": "^7.1.2", - "path-scurry": "^1.11.1" + "package-json-from-dist": "^1.0.0", + "path-scurry": "^2.0.0" }, "bin": { "glob": "dist/esm/bin.mjs" }, "engines": { - "node": ">=16 || 14 >=14.18" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/markdownlint-cli/node_modules/minimatch": { - "version": "9.0.4", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz", - "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==", + "version": "10.0.1", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.0.1.tgz", + "integrity": "sha512-ethXTt3SGGR+95gudmqJ1eNhRO7eGEGIgYA9vnPatK4/etz2MEVDno5GMCibdMTuBMyElzIlgxMna3K94XDIDQ==", "dev": true, "license": "ISC", "dependencies": { "brace-expansion": "^2.0.1" }, "engines": { - "node": ">=16 || 14 >=14.17" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/markdownlint-micromark": { - "version": "0.1.9", - "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.9.tgz", - "integrity": "sha512-5hVs/DzAFa8XqYosbEAEg6ok6MF2smDj89ztn9pKkCtdKHVdPQuGMH7frFfYL9mLkvfFe4pTyAMffLbjf3/EyA==", + "version": "0.1.12", + "resolved": 
"https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.12.tgz", + "integrity": "sha512-RlB6EwMGgc0sxcIhOQ2+aq7Zw1V2fBnzbXKGgYK/mVWdT7cz34fteKSwfYeo4rL6+L/q2tyC9QtD/PgZbkdyJQ==", "dev": true, + "license": "MIT", "engines": { "node": ">=18" }, @@ -568,6 +548,13 @@ "wrappy": "1" } }, + "node_modules/package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "dev": true, + "license": "BlueOak-1.0.0" + }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", @@ -587,17 +574,17 @@ } }, "node_modules/path-scurry": { - "version": "1.11.1", - "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", - "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.0.tgz", + "integrity": "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { - "lru-cache": "^10.2.0", - "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + "lru-cache": "^11.0.0", + "minipass": "^7.1.2" }, "engines": { - "node": ">=16 || 14 >=14.18" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" 
@@ -670,14 +657,16 @@ } }, "node_modules/smol-toml": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.2.0.tgz", - "integrity": "sha512-KObxdQANC/xje3OoatMbSwQf2XAvJ0RbK+4nmQRszFNZptbNRnMWqbLF/zb4sMi9xJ6HNyhWXeuZ9zC/I/XY7w==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.3.1.tgz", + "integrity": "sha512-tEYNll18pPKHroYSmLLrksq233j021G0giwW7P3D24jC54pQ5W5BXMsQ/Mvw1OJCmEYDgY+lrzT+3nNUtoNfXQ==", "dev": true, "license": "BSD-3-Clause", "engines": { - "node": ">= 18", - "pnpm": ">= 9" + "node": ">= 18" + }, + "funding": { + "url": "https://github.com/sponsors/cyyynthia" } }, "node_modules/string-width": { diff --git a/package.json b/package.json index 3cc3449..1b02f2a 100644 --- a/package.json +++ b/package.json @@ -14,6 +14,6 @@ }, "devDependencies": { "@bitnami/readme-generator-for-helm": "^2.5.0", - "markdownlint-cli": "^0.41.0" + "markdownlint-cli": "^0.43.0" } } -- 2.40.1