From 1058735d1e5cb77cc28c526aeefa43a7d0b99918 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Fri, 18 Oct 2024 15:45:50 +0200 Subject: [PATCH 01/14] Fix configuration in "external database" docs Signed-off-by: justusbunsi --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3589736..2888fc7 100644 --- a/README.md +++ b/README.md @@ -420,6 +420,9 @@ gitea: postgresql: enabled: false + +postgresql-ha: + enabled: false ``` ### Ports and external url -- 2.40.1 From 7c4d6c3797da5ca5aee05a8dc12a51a9f4ee4955 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Fri, 18 Oct 2024 13:50:35 +0000 Subject: [PATCH 02/14] Fix configuration in "external database" docs (#716) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/716 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3589736..2888fc7 100644 --- a/README.md +++ b/README.md @@ -420,6 +420,9 @@ gitea: postgresql: enabled: false + +postgresql-ha: + enabled: false ``` ### Ports and external url -- 2.40.1 From 478af4e381b65a9236d262714c6808ac8c586f95 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Fri, 18 Oct 2024 15:09:14 +0000 Subject: [PATCH 03/14] Fix probe definition overrides (#717) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Description of the change This fixes an issue when trying to apply a custom probe that is not `tcpSocket`. ### Benefits Custom probes 🥳 ### Applicable issues - Fixes #694 ### Checklist - [x] Templating unittests are added Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/717 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- templates/_helpers.tpl | 18 +++ templates/gitea/deployment.yaml | 6 +- unittests/deployment/probes.yaml | 188 +++++++++++++++++++++++++++++++ 3 files changed, 209 insertions(+), 3 deletions(-) create mode 100644 unittests/deployment/probes.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index c7d13d9..9e9c613 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -408,3 +408,21 @@ https {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }} {{- end -}} {{- end -}} + +{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}} +{{- define "gitea.deployment.probe" -}} + {{- $probe := unset . "enabled" -}} + {{- $probeKeys := keys $probe -}} + {{- $containsCustomMethod := false -}} + {{- $chartDefaultMethod := "tcpSocket" -}} + {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}} + {{- range $probeKeys -}} + {{- if has . $nonChartDefaultMethods -}} + {{- $containsCustomMethod = true -}} + {{- end -}} + {{- end -}} + {{- if $containsCustomMethod -}} + {{- $probe = unset . $chartDefaultMethod -}} + {{- end -}} + {{- toYaml $probe -}} +{{- end -}} diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index 90f0e76..9981e67 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml @@ -312,15 +312,15 @@ spec: {{- end }} {{- if .Values.gitea.livenessProbe.enabled }} livenessProbe: - {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }} + {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }} {{- end }} {{- if .Values.gitea.readinessProbe.enabled }} readinessProbe: - {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }} + {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }} {{- end }} {{- if .Values.gitea.startupProbe.enabled }} startupProbe: - {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }} + {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/unittests/deployment/probes.yaml b/unittests/deployment/probes.yaml new file mode 100644 index 0000000..259f3bf --- /dev/null +++ b/unittests/deployment/probes.yaml @@ -0,0 +1,188 @@ +suite: deployment template (probes) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: renders default liveness probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + failureThreshold: 10 + initialDelaySeconds: 200 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + - it: renders default readiness probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + - it: does not render a default startup probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe + - it: allows enabling a startup probe + template: templates/gitea/deployment.yaml + set: + gitea.startupProbe.enabled: true + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + failureThreshold: 10 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + + - it: allows overwriting the default port of the liveness probe + template: templates/gitea/deployment.yaml + set: + gitea: + livenessProbe: + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + tcpSocket: + port: my-port + + - it: allows overwriting the default port of the readiness probe + template: templates/gitea/deployment.yaml + set: + gitea: + readinessProbe: + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + tcpSocket: + port: my-port + + - it: allows overwriting the default port of the startup probe + template: templates/gitea/deployment.yaml + set: + gitea: + startupProbe: + enabled: true + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + tcpSocket: + port: my-port + + - it: allows using a non-default method as liveness probe + template: templates/gitea/deployment.yaml + set: + gitea: + livenessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 + + - it: allows using a non-default method as readiness probe + template: templates/gitea/deployment.yaml + set: + gitea: + readinessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 + + - it: allows using a non-default method as startup probe + template: templates/gitea/deployment.yaml + set: + gitea: + startupProbe: + enabled: true + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 -- 2.40.1 From 5c7e78b467185e1d98df77dce3ba514b2a3e5a2d Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Fri, 18 Oct 2024 15:14:56 +0000 Subject: [PATCH 04/14] Bump Gitea to 1.22.3 (#718) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/718 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 235deb6..dbdcae0 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes type: application version: 0.0.0 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?.*)$ -appVersion: 1.22.2 +appVersion: 1.22.3 icon: https://gitea.com/assets/img/logo.svg keywords: -- 2.40.1 From f7c66c0336d211a5bfbdf9a6b95ead7c3ff6b5c0 Mon Sep 17 00:00:00 2001 From: vjm Date: Sun, 10 Nov 2024 13:35:56 +0000 Subject: [PATCH 05/14] Add Gitea Actions act runner (#666) Co-authored-by: dementhorr Co-authored-by: Vince Montalbano Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/666 Reviewed-by: justusbunsi Co-authored-by: vjm Co-committed-by: vjm --- README.md | 35 ++++++ readme-actions-dev.md | 34 ++++++ scripts/token.sh | 43 +++++++ templates/_helpers.tpl | 39 ++++++ .../act_runner/01-consistency-checks.yaml | 15 +++ .../gitea/act_runner/config-act-runner.yaml | 14 +++ .../gitea/act_runner/config-scripts.yaml | 13 ++ templates/gitea/act_runner/job.yaml | 114 ++++++++++++++++++ templates/gitea/act_runner/role-job.yaml | 25 ++++ .../gitea/act_runner/rolebinding-job.yaml | 22 ++++ templates/gitea/act_runner/secret-token.yaml | 19 +++ .../gitea/act_runner/serviceaccount-job.yaml | 13 ++ templates/gitea/act_runner/statefulset.yaml | 114 ++++++++++++++++++ .../act_runner/01-consistency-checks.yaml | 69 +++++++++++ unittests/act_runner/config-act-runner.yaml | 45 +++++++ unittests/act_runner/config-scripts.yaml | 49 ++++++++ unittests/act_runner/job.yaml | 65 ++++++++++ unittests/act_runner/role-job.yaml | 42 +++++++ unittests/act_runner/rolebinding-job.yaml | 42 +++++++ unittests/act_runner/secret-token.yaml | 42 +++++++ unittests/act_runner/serviceaccount-job.yaml | 42 +++++++ unittests/act_runner/statefulset.yaml | 95 +++++++++++++++ unittests/config/actions-config.yaml | 61 ++++++++++ values.yaml | 90 ++++++++++++++ 24 files changed, 1142 insertions(+) create mode 100644 readme-actions-dev.md create mode 100644 scripts/token.sh create mode 100644 templates/gitea/act_runner/01-consistency-checks.yaml create mode 100644 templates/gitea/act_runner/config-act-runner.yaml create mode 100644 templates/gitea/act_runner/config-scripts.yaml create mode 100644 templates/gitea/act_runner/job.yaml create mode 100644 templates/gitea/act_runner/role-job.yaml create mode 100644 templates/gitea/act_runner/rolebinding-job.yaml create mode 100644 templates/gitea/act_runner/secret-token.yaml create mode 100644 templates/gitea/act_runner/serviceaccount-job.yaml create mode 100644 templates/gitea/act_runner/statefulset.yaml create mode 100644 unittests/act_runner/01-consistency-checks.yaml create mode 100644 unittests/act_runner/config-act-runner.yaml create mode 100644 unittests/act_runner/config-scripts.yaml create mode 100644 unittests/act_runner/job.yaml create mode 100644 unittests/act_runner/role-job.yaml create mode 100644 unittests/act_runner/rolebinding-job.yaml create mode 100644 unittests/act_runner/secret-token.yaml create mode 100644 unittests/act_runner/serviceaccount-job.yaml create mode 100644 unittests/act_runner/statefulset.yaml create mode 100644 unittests/config/actions-config.yaml diff --git a/README.md b/README.md index 2888fc7..a6f4c2b 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ - [Persistence](#persistence-1) - [Init](#init) - [Signing](#signing) + - [Gitea Actions](#gitea-actions) - [Gitea](#gitea) - [LivenessProbe](#livenessprobe) - [ReadinessProbe](#readinessprobe) @@ -1007,6 +1008,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | +### Gitea Actions + +| Name | Description | Value | +| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `actions.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.init.image.repository` | The image used for the init containers | `busybox` | +| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` | +| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` | +| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | +| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.provisioning.annotations` | Job's annotations | `{}` | +| `actions.provisioning.labels` | Job's labels | `{}` | +| `actions.provisioning.resources` | Job's resources | `{}` | +| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.provisioning.tolerations` | Tolerations for the job | `[]` | +| `actions.provisioning.affinity` | Affinity for the job | `{}` | +| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` | +| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | + ### Gitea | Name | Description | Value | diff --git a/readme-actions-dev.md b/readme-actions-dev.md new file mode 100644 index 0000000..a633ad3 --- /dev/null +++ b/readme-actions-dev.md @@ -0,0 +1,34 @@ +# Gitea Actions + +In order to use the Gitea Actions act-runner you must either: + +- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job) +- create a secret containing the act runner token and reference it as a `existingSecret` + +In order to use Gitea Actions, you must log on the server that's running Gitea and run the command: + `gitea actions generate-runner-token` + +This command will out a token that is needed by the act-runner to register with the Gitea backend. + +Because this is a manual operation, we automated this using a Kubernetes Job using the following containers: + +1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token` +2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and +the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret + +After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers: + +1) `act-runner`: authenticates with Gitea using the token that was stored in the secret +2) `dind`: DockerInDocker image that is used to run the actions + +If you are not using persistent volumes, you cannot use the Job to automatically generate the token. +In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke +the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via: + +```yaml +actions: + provisioning: + enabled: false + existingSecret: "secret-name" + existingSecretKey: "secret-key" +``` diff --git a/scripts/token.sh b/scripts/token.sh new file mode 100644 index 0000000..cbb2ebd --- /dev/null +++ b/scripts/token.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +set -eu + +timeout_delay=15 + +check_token() { + set +e + + echo "Checking for existing token..." + token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)" + [ $? -ne 0 ] && return 1 + [ -z "$token" ] && return 2 + return 0 +} + +create_token() { + echo "Waiting for new token to be generated..." + begin=$(date +%s) + end=$((begin + timeout_delay)) + while true; do + [ -f /data/actions/token ] && return 0 + [ "$(date +%s)" -gt $end ] && return 1 + sleep 5 + done +} + +store_token() { + echo "Storing the token in Kubernetes secret..." + kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}" +} + +if check_token; then + echo "Key already in place, exiting." + exit +fi + +if ! create_token; then + echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay" + exit 1 +fi + +store_token diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 9e9c613..64a5efb 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* +Create a default worker name. +*/}} +{{- define "gitea.workername" -}} +{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} @@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} +{{- define "gitea.labels.actRunner" -}} +helm.sh/chart: {{ include "gitea.chart" . }} +app: {{ include "gitea.name" . }}-act-runner +{{ include "gitea.selectorLabels.actRunner" . }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + {{/* Selector labels */}} @@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- define "gitea.selectorLabels.actRunner" -}} +app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + {{- define "postgresql-ha.dns" -}} {{- if (index .Values "postgresql-ha").enabled -}} {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}} @@ -199,6 +220,15 @@ https {{- end -}} {{- end -}} +{{- define "gitea.act_runner.local_root_url" -}} +{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}} + {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}} +{{- else -}} + {{/* fallback for allowing to overwrite this value via inline config */}} + {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}} +{{- end -}} +{{- end -}} + {{- define "gitea.inline_configuration" -}} {{- include "gitea.inline_configuration.init" . -}} {{- include "gitea.inline_configuration.defaults" . -}} @@ -263,6 +293,9 @@ https {{- if not (hasKey .Values.gitea.config "indexer") -}} {{- $_ := set .Values.gitea.config "indexer" dict -}} {{- end -}} + {{- if not (hasKey .Values.gitea.config "actions") -}} + {{- $_ := set .Values.gitea.config "actions" dict -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults" -}} @@ -309,6 +342,9 @@ https {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- end -}} + {{- if not .Values.gitea.config.actions.ENABLED -}} + {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}} + {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults.server" -}} @@ -328,6 +364,9 @@ https {{- if not .Values.gitea.config.server.ROOT_URL -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- end -}} + {{- if .Values.actions.enabled -}} + {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}} + {{- end -}} {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} {{- end -}} diff --git a/templates/gitea/act_runner/01-consistency-checks.yaml b/templates/gitea/act_runner/01-consistency-checks.yaml new file mode 100644 index 0000000..25ae556 --- /dev/null +++ b/templates/gitea/act_runner/01-consistency-checks.yaml @@ -0,0 +1,15 @@ +{{- if .Values.actions.enabled -}} + {{- if .Values.actions.provisioning.enabled -}} + {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}} + {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}} + {{- end -}} + {{- if and .Values.persistence.enabled .Values.persistence.mount -}} + {{- if .Values.actions.existingSecret -}} + {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}} + {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}} + {{- end -}} +{{- end -}} diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml new file mode 100644 index 0000000..03961ae --- /dev/null +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -0,0 +1,14 @@ +{{- if .Values.actions.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-act-runner-config + labels: + {{- include "gitea.labels" . | nindent 4 }} +data: + config.yaml: | + {{- with .Values.actions.statefulset.actRunner.config -}} + {{ . | nindent 4}} + {{- end -}} +{{- end }} diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml new file mode 100644 index 0000000..688bd20 --- /dev/null +++ b/templates/gitea/act_runner/config-scripts.yaml @@ -0,0 +1,13 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gitea.fullname" . }}-scripts + labels: + {{- include "gitea.labels" . | nindent 4 }} +data: +{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml new file mode 100644 index 0000000..032671f --- /dev/null +++ b/templates/gitea/act_runner/job.yaml @@ -0,0 +1,114 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- with .Values.actions.provisioning.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + app.kubernetes.io/component: token-job + annotations: + {{- with .Values.actions.provisioning.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }} + template: + metadata: + labels: + {{- include "gitea.labels" . | nindent 8 }} + {{- with .Values.actions.provisioning.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app.kubernetes.io/component: token-job + spec: + initContainers: + - name: init-gitea + image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}" + command: + - sh + - -c + - | + while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do + sleep 5 + done + containers: + - name: actions-token-create + image: "{{ include "gitea.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + command: + - sh + - -c + - | + echo "Generating act_runner token via 'gitea actions generate-runner-token'..." + mkdir -p /data/actions/ + gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token + resources: + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} + volumeMounts: + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: actions-token-upload + image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}" + imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }} + env: + - name: SECRET_NAME + value: {{ $secretName }} + command: + - sh + - -c + - | + printf "Checking rights to update kubernetes act_runner secret..." + kubectl auth can-i update secret/${SECRET_NAME} + /scripts/token.sh + resources: + {{- toYaml .Values.actions.provisioning.resources | nindent 12 }} + volumeMounts: + - mountPath: /scripts + name: scripts + readOnly: true + - mountPath: /data + name: data + readOnly: true + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- with .Values.actions.provisioning.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.provisioning.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.provisioning.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: Never + serviceAccount: {{ $name }} + volumes: + - name: scripts + configMap: + name: {{ include "gitea.fullname" . }}-scripts + defaultMode: 0755 + - name: data + persistentVolumeClaim: + claimName: {{ .Values.persistence.claimName }} + parallelism: 1 + completions: 1 + backoffLimit: 1 +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml new file mode 100644 index 0000000..b06c18d --- /dev/null +++ b/templates/gitea/act_runner/role-job.yaml @@ -0,0 +1,25 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - {{ $secretName }} + verbs: + - get + - update + - patch +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml new file mode 100644 index 0000000..c80bd3e --- /dev/null +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -0,0 +1,22 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name }} +subjects: + - kind: ServiceAccount + name: {{ $name }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml new file mode 100644 index 0000000..e6ee325 --- /dev/null +++ b/templates/gitea/act_runner/secret-token.yaml @@ -0,0 +1,19 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} +{{ if $secret -}} +data: + token: {{ (b64dec (index $secret.data "token")) | b64enc }} +{{ end -}} +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml new file mode 100644 index 0000000..e2c0fb4 --- /dev/null +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -0,0 +1,13 @@ +{{- if .Values.actions.enabled }} +{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} +{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $name }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + app.kubernetes.io/component: token-job +{{- end }} +{{- end }} diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml new file mode 100644 index 0000000..7d5d096 --- /dev/null +++ b/templates/gitea/act_runner/statefulset.yaml @@ -0,0 +1,114 @@ +{{- if .Values.actions.enabled }} +{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }} +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + {{- include "gitea.labels.actRunner" . | nindent 4 }} + {{- with .Values.actions.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.actions.statefulset.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "gitea.fullname" . }}-act-runner +spec: + selector: + matchLabels: + {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }} + template: + metadata: + labels: + {{- include "gitea.labels.actRunner" . | nindent 8 }} + {{- with .Values.actions.statefulset.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + initContainers: + - name: init-gitea + image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}" + command: + - sh + - -c + - | + while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do + sleep 5 + done + containers: + - name: act-runner + image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }} + workingDir: /data + env: + - name: DOCKER_HOST + value: tcp://127.0.0.1:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/server + - name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "{{ .Values.actions.existingSecret | default $secretName }}" + key: "{{ .Values.actions.existingSecretKey | default "token" }}" + - name: GITEA_INSTANCE_URL + value: {{ include "gitea.act_runner.local_root_url" . }} + - name: CONFIG_FILE + value: /actrunner/config.yaml + resources: + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} + volumeMounts: + - mountPath: /actrunner/config.yaml + name: act-runner-config + subPath: config.yaml + - mountPath: /certs/server + name: docker-certs + - mountPath: /data + name: data-act-runner + - name: dind + image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}" + imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }} + env: + - name: DOCKER_HOST + value: tcp://127.0.0.1:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/server + securityContext: + privileged: true + resources: + {{- toYaml .Values.actions.statefulset.resources | nindent 12 }} + volumeMounts: + - mountPath: /certs/server + name: docker-certs + {{- with .Values.actions.statefulset.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.statefulset.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.actions.statefulset.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: act-runner-config + configMap: + name: {{ include "gitea.fullname" . }}-act-runner-config + - name: docker-certs + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: data-act-runner + spec: + accessModes: [ "ReadWriteOnce" ] + {{- include "gitea.persistence.storageClass" . | nindent 8 }} + resources: + requests: + storage: 1Mi +{{- end }} diff --git a/unittests/act_runner/01-consistency-checks.yaml b/unittests/act_runner/01-consistency-checks.yaml new file mode 100644 index 0000000..1c30924 --- /dev/null +++ b/unittests/act_runner/01-consistency-checks.yaml @@ -0,0 +1,69 @@ +suite: actions template | consistency checks +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/01-consistency-checks.yaml +tests: + - it: fails when provisioning is enabled BUT persistence is completely disabled + set: + persistence: + enabled: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled + set: + persistence: + enabled: true + mount: false + actions: + enabled: true + provisioning: + enabled: true + asserts: + - failedTemplate: + errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" + - it: fails when provisioning is enabled AND existingSecret is given + set: + actions: + enabled: true + provisioning: + enabled: true + existingSecret: "secret-reference" + asserts: + - failedTemplate: + errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret" + - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing + set: + actions: + enabled: true + provisioning: + enabled: false + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecretKey is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecret: "my-secret" + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" + - it: fails when provisioning is disabled BUT existingSecret is missing + set: + actions: + enabled: true + provisioning: + enabled: false + existingSecretKey: "my-secret-key" + asserts: + - failedTemplate: + errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml new file mode 100644 index 0000000..2cba6bc --- /dev/null +++ b/unittests/act_runner/config-act-runner.yaml @@ -0,0 +1,45 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json +suite: actions template | config-act-runner +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/config-act-runner.yaml +tests: + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-act-runner.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a ConfigMap + template: templates/gitea/act_runner/config-act-runner.yaml + set: + actions: + enabled: true + statefulset: + actRunner: + config: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-act-runner-config + - equal: + path: data["config.yaml"] + value: | + log: + level: info + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml new file mode 100644 index 0000000..da6d9aa --- /dev/null +++ b/unittests/act_runner/config-scripts.yaml @@ -0,0 +1,49 @@ +suite: actions template | config-scripts +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/config-scripts.yaml +tests: + - it: renders a ConfigMap when all criteria are met + template: templates/gitea/act_runner/config-scripts.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ConfigMap + apiVersion: v1 + name: gitea-unittests-scripts + - isNotNullOrEmpty: + path: data["token.sh"] + - it: doesn't renders a ConfigMap by default + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning + template: templates/gitea/act_runner/config-scripts.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria + template: templates/gitea/act_runner/config-scripts.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml new file mode 100644 index 0000000..c1d32e2 --- /dev/null +++ b/unittests/act_runner/job.yaml @@ -0,0 +1,65 @@ +suite: actions template | job +release: + name: gitea-unittests + namespace: testing +chart: + # Override appVersion to have a pinned version for comparison + appVersion: 1.19.3 +templates: + - templates/gitea/act_runner/job.yaml +tests: + - it: renders a Job + template: templates/gitea/act_runner/job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Job + apiVersion: batch/v1 + name: gitea-unittests-actions-token-job + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.3-rootless" + - it: tag override + template: templates/gitea/act_runner/job.yaml + set: + image.tag: "1.19.4" + actions: + enabled: true + provisioning: + enabled: true + publish: + tag: "1.29.0" + persistence: + enabled: true + mount: true + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "gitea/gitea:1.19.4-rootless" + - equal: + path: spec.template.spec.containers[1].image + value: "bitnami/kubectl:1.29.0" + - it: doesn't renders a Job by default + template: templates/gitea/act_runner/job.yaml + asserts: + - hasDocuments: + count: 0 + - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled + template: templates/gitea/act_runner/job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml new file mode 100644 index 0000000..8c511d8 --- /dev/null +++ b/unittests/act_runner/role-job.yaml @@ -0,0 +1,42 @@ +suite: actions template | role-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/role-job.yaml +tests: + - it: doesn't renders a Role by default + template: templates/gitea/act_runner/role-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a Role + template: templates/gitea/act_runner/role-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a Role when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/role-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml new file mode 100644 index 0000000..2073bfc --- /dev/null +++ b/unittests/act_runner/rolebinding-job.yaml @@ -0,0 +1,42 @@ +suite: actions template | rolebinding-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/rolebinding-job.yaml +tests: + - it: doesn't renders a RoleBinding by default + template: templates/gitea/act_runner/rolebinding-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a RoleBinding + template: templates/gitea/act_runner/rolebinding-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/rolebinding-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml new file mode 100644 index 0000000..b5054f3 --- /dev/null +++ b/unittests/act_runner/secret-token.yaml @@ -0,0 +1,42 @@ +suite: actions template | secret-token +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/secret-token.yaml +tests: + - it: doesn't renders a Secret by default + template: templates/gitea/act_runner/secret-token.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a Secret + template: templates/gitea/act_runner/secret-token.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-actions-token + - it: doesn't renders a Secret when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/secret-token.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml new file mode 100644 index 0000000..bf8f0c8 --- /dev/null +++ b/unittests/act_runner/serviceaccount-job.yaml @@ -0,0 +1,42 @@ +suite: actions template | serviceaccount-job +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/serviceaccount-job.yaml +tests: + - it: doesn't renders a ServiceAccount by default + template: templates/gitea/act_runner/serviceaccount-job.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a ServiceAccount + template: templates/gitea/act_runner/serviceaccount-job.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: gitea-unittests-actions-token-job + - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled + template: templates/gitea/act_runner/serviceaccount-job.yaml + set: + actions: + enabled: false + provisioning: + enabled: true + persistence: + enabled: true + mount: true + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml new file mode 100644 index 0000000..cc10157 --- /dev/null +++ b/unittests/act_runner/statefulset.yaml @@ -0,0 +1,95 @@ +suite: actions template | statefulset +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/act_runner/statefulset.yaml +tests: + - it: doesn't renders a StatefulSet by default + template: templates/gitea/act_runner/statefulset.yaml + asserts: + - hasDocuments: + count: 0 + - it: renders a StatefulSet (with given existingSecret/existingSecretKey) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "my-secret" + key: "my-secret-key" + - it: renders a StatefulSet (with secret reference defaults for enabled provisioning) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + provisioning: + enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: GITEA_RUNNER_REGISTRATION_TOKEN + valueFrom: + secretKeyRef: + name: "gitea-unittests-actions-token" + key: "token" + - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://gitea-unittests-http:3000" + - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL) + template: templates/gitea/act_runner/statefulset.yaml + set: + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + actions: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-act-runner + - equal: + path: spec.template.spec.containers[0].env[4] + value: + name: GITEA_INSTANCE_URL + value: "http://git.example.com" diff --git a/unittests/config/actions-config.yaml b/unittests/config/actions-config.yaml new file mode 100644 index 0000000..ada9694 --- /dev/null +++ b/unittests/config/actions-config.yaml @@ -0,0 +1,61 @@ +suite: config template | actions config +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/config.yaml +tests: + - it: "actions are not enabled by default" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=false + + - it: "actions can be enabled via inline config" + template: templates/gitea/config.yaml + set: + gitea.config.actions.ENABLED: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "actions can be enabled via dedicated values object" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: stringData.actions + value: |- + ENABLED=true + + - it: "defines LOCAL_ROOT_URL when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000 + + - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled" + template: templates/gitea/config.yaml + set: + actions: + enabled: true + gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nLOCAL_ROOT_URL=http://git.example.com diff --git a/values.yaml b/values.yaml index 2b7ad7d..31c1d21 100644 --- a/values.yaml +++ b/values.yaml @@ -348,6 +348,96 @@ signing: # -----END PGP PRIVATE KEY BLOCK----- existingSecret: "" +# Configure Gitea Actions +# - must enable persistence if the job is enabled +## @section Gitea Actions +# +## @param actions.enabled Create an act runner StatefulSet. +## @param actions.init.image.repository The image used for the init containers +## @param actions.init.image.tag The image tag used for the init containers +## @param actions.statefulset.annotations Act runner annotations +## @param actions.statefulset.labels Act runner labels +## @param actions.statefulset.resources Act runner resources +## @param actions.statefulset.nodeSelector NodeSelector for the statefulset +## @param actions.statefulset.tolerations Tolerations for the statefulset +## @param actions.statefulset.affinity Affinity for the statefulset +## @param actions.statefulset.actRunner.repository The Gitea act runner image +## @param actions.statefulset.actRunner.tag The Gitea act runner tag +## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy +## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. +## @param actions.statefulset.dind.repository The Docker-in-Docker image +## @param actions.statefulset.dind.tag The Docker-in-Docker image tag +## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret +## @param actions.provisioning.annotations Job's annotations +## @param actions.provisioning.labels Job's labels +## @param actions.provisioning.resources Job's resources +## @param actions.provisioning.nodeSelector NodeSelector for the job +## @param actions.provisioning.tolerations Tolerations for the job +## @param actions.provisioning.affinity Affinity for the job +## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed +## @param actions.provisioning.publish.repository The image that can create the secret via kubectl +## @param actions.provisioning.publish.tag The publish image tag that can create the secret +## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret +## @param actions.existingSecret Secret that contains the token +## @param actions.existingSecretKey Secret key +actions: + enabled: false + statefulset: + annotations: {} + labels: {} + resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + actRunner: + repository: gitea/act_runner + tag: 0.2.11 + pullPolicy: IfNotPresent + + config: | + log: + level: debug + cache: + enabled: false + runner: + labels: + - "ubuntu-latest" + + dind: + repository: docker + tag: 25.0.2-dind + pullPolicy: IfNotPresent + + init: + image: + repository: busybox + # Overrides the image tag whose default is the chart appVersion. + tag: "1.36.1" + + provisioning: + enabled: false + + annotations: {} + labels: {} + resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + publish: + repository: bitnami/kubectl + tag: 1.29.0 + pullPolicy: IfNotPresent + + ttlSecondsAfterFinished: 300 + + ## Specify an existing token secret + ## + existingSecret: "" + existingSecretKey: "" + ## @section Gitea # gitea: -- 2.40.1 From 7b892431d6eb961f963dbd5ffca7cf6e28c33c0e Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sun, 10 Nov 2024 14:02:15 +0000 Subject: [PATCH 06/14] Support custom envs for Action DinD container (#722) Follow-up to https://gitea.com/gitea/helm-chart/pulls/666. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/722 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- README.md | 1 + templates/gitea/act_runner/statefulset.yaml | 3 +++ unittests/act_runner/statefulset.yaml | 16 ++++++++++++++++ values.yaml | 6 ++++++ 4 files changed, 26 insertions(+) diff --git a/README.md b/README.md index a6f4c2b..ec41ac5 100644 --- a/README.md +++ b/README.md @@ -1028,6 +1028,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | | `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | | `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | | `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | | `actions.provisioning.annotations` | Job's annotations | `{}` | | `actions.provisioning.labels` | Job's labels | `{}` | diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 7d5d096..58939d2 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -77,6 +77,9 @@ spec: value: "1" - name: DOCKER_CERT_PATH value: /certs/server + {{- if .Values.actions.statefulset.dind.extraEnvs }} + {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }} + {{- end }} securityContext: privileged: true resources: diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml index cc10157..cd350d9 100644 --- a/unittests/act_runner/statefulset.yaml +++ b/unittests/act_runner/statefulset.yaml @@ -93,3 +93,19 @@ tests: value: name: GITEA_INSTANCE_URL value: "http://git.example.com" + - it: allows adding custom environment variables to the docker-in-docker container + template: templates/gitea/act_runner/statefulset.yaml + set: + actions: + enabled: true + statefulset: + dind: + extraEnvs: + - name: "CUSTOM_ENV_NAME" + value: "custom env value" + asserts: + - equal: + path: spec.template.spec.containers[1].env[3] + value: + name: "CUSTOM_ENV_NAME" + value: "custom env value" diff --git a/values.yaml b/values.yaml index 31c1d21..f3998ec 100644 --- a/values.yaml +++ b/values.yaml @@ -368,6 +368,7 @@ signing: ## @param actions.statefulset.dind.repository The Docker-in-Docker image ## @param actions.statefulset.dind.tag The Docker-in-Docker image tag ## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy +## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` ## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret ## @param actions.provisioning.annotations Job's annotations ## @param actions.provisioning.labels Job's labels @@ -409,6 +410,11 @@ actions: repository: docker tag: 25.0.2-dind pullPolicy: IfNotPresent + # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable. + # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456 + extraEnvs: [] + # - name: "DOCKER_IPTABLES_LEGACY" + # value: "1" init: image: -- 2.40.1 From 2be2e2a639edbc463b64ac1e4d755223def20a32 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sun, 10 Nov 2024 20:15:46 +0000 Subject: [PATCH 07/14] Ensure dev-only files are not added to the tgz package (#723) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/723 Reviewed-by: techknowlogick --- .helmignore | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.helmignore b/.helmignore index e608c23..c0341ca 100644 --- a/.helmignore +++ b/.helmignore @@ -31,3 +31,8 @@ Makefile .drone.yml CONTRIBUTING.md unittests/ +.editorconfig +.prettierignore +.yamllint +CODEOWNERS +renovate.json5 -- 2.40.1 From 3bacaaad84fdae1e81cbe5a73577d5872cf08fba Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 30 Nov 2024 02:09:16 +0000 Subject: [PATCH 08/14] chore(deps): update subcharts (minor & patch) (#733) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.lock | 8 ++++---- Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Chart.lock b/Chart.lock index 5023ad2..17a14d8 100644 --- a/Chart.lock +++ b/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.20 + version: 15.5.38 - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.16 + version: 14.3.10 - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts version: 10.3.0 - name: redis repository: oci://registry-1.docker.io/bitnamicharts version: 19.6.4 -digest: sha256:a28c809273f313c482e3f803a0a002c3bb3a0d2090bf6b732d68ecc4710b4732 -generated: "2024-08-03T00:21:16.080925346Z" +digest: sha256:462d513ac8ef7abfe26030fd2ea93eb79df167a861ebe09d6c58c7dcd5601e85 +generated: "2024-11-30T00:41:29.178889496Z" diff --git a/Chart.yaml b/Chart.yaml index dbdcae0..6cf2c41 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -36,12 +36,12 @@ dependencies: # https://github.com/bitnami/charts/blob/main/bitnami/postgresql - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.20 + version: 15.5.38 condition: postgresql.enabled # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.16 + version: 14.3.10 condition: postgresql-ha.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml - name: redis-cluster -- 2.40.1 From 389a8460e4d24b87d0644652cb5543a787333262 Mon Sep 17 00:00:00 2001 From: Hitesh Nayak Date: Sat, 30 Nov 2024 13:59:29 +0000 Subject: [PATCH 09/14] feat(service-monitor): support bearer token authentication on metrics endpoint (#719) ### Benefits Can protect metrics endpoint with `Bearer` token authentication provided by gitea. see PR #637 for previous discussion. ### Possible drawbacks No possible drawbacks ### Applicable issues - fixes #635 ### Additional information ``` gitea: metrics: enabled: true token: "somepassword" serviceMonitor: enabled: true ``` Using above configuration is sufficient to secure /metrics endpoint with bearer token and corresponding ServiceMonitor. ### Checklist - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] ~~Breaking changes are documented in the `README.md`~~ Not applicable - [x] Templating unittests are added Signed-off-by: Hitesh Nayak Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/719 Reviewed-by: justusbunsi Co-authored-by: Hitesh Nayak Co-committed-by: Hitesh Nayak --- README.md | 17 +++++ templates/_helpers.tpl | 7 ++ templates/gitea/metrics-secret.yaml | 12 ++++ templates/gitea/servicemonitor.yaml | 8 +++ .../config/metrics-section_metrics-token.yaml | 58 +++++++++++++++ ...etrics-secret-servicemonitor-disabled.yaml | 23 ++++++ ...metrics-secret-servicemonitor-enabled.yaml | 33 +++++++++ .../servicemonitor-disabled.yaml | 23 ++++++ .../servicemonitor-enabled.yaml | 70 +++++++++++++++++++ values.yaml | 2 + 10 files changed, 253 insertions(+) create mode 100644 templates/gitea/metrics-secret.yaml create mode 100644 unittests/config/metrics-section_metrics-token.yaml create mode 100644 unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml create mode 100644 unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml create mode 100644 unittests/servicemonitor/servicemonitor-disabled.yaml create mode 100644 unittests/servicemonitor/servicemonitor-enabled.yaml diff --git a/README.md b/README.md index ec41ac5..d2dd0fd 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ - [OAuth2 Settings](#oauth2-settings) - [Configure commit signing](#configure-commit-signing) - [Metrics and profiling](#metrics-and-profiling) + - [Secure Metrics Endpoint](#secure-metrics-endpoint) - [Pod annotations](#pod-annotations) - [Themes](#themes) - [Renovate](#renovate) @@ -747,6 +748,21 @@ gitea: ENABLE_PPROF: true ``` +### Secure Metrics Endpoint + +Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication. + +**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`. + +```yaml +gitea: + metrics: + token: "secure-token" + enabled: true + serviceMonitor: + enabled: true +``` + ## Pod annotations Annotations can be added to the Gitea pod. @@ -1053,6 +1069,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | | `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | | `gitea.metrics.enabled` | Enable Gitea metrics | `false` | +| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` | | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | | `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | | `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 64a5efb..1b7cf3b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -311,6 +311,9 @@ https {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} {{- end -}} + {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}} + {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}} + {{- end -}} {{- /* redis queue */ -}} {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}} {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}} @@ -465,3 +468,7 @@ https {{- end -}} {{- toYaml $probe -}} {{- end -}} + +{{- define "gitea.metrics-secret-name" -}} +{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }} +{{- end -}} \ No newline at end of file diff --git a/templates/gitea/metrics-secret.yaml b/templates/gitea/metrics-secret.yaml new file mode 100644 index 0000000..fe26596 --- /dev/null +++ b/templates/gitea/metrics-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.metrics-secret-name" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +data: + token: {{ .Values.gitea.metrics.token | b64enc }} +{{- end }} \ No newline at end of file diff --git a/templates/gitea/servicemonitor.yaml b/templates/gitea/servicemonitor.yaml index 1774214..502a1a8 100644 --- a/templates/gitea/servicemonitor.yaml +++ b/templates/gitea/servicemonitor.yaml @@ -32,4 +32,12 @@ spec: tlsConfig: {{- . | toYaml | nindent 6 }} {{- end }} + {{- if .Values.gitea.metrics.token }} + authorization: + type: Bearer + credentials: + name: {{ include "gitea.metrics-secret-name" . }} + key: token + optional: false + {{- end }} {{- end -}} \ No newline at end of file diff --git a/unittests/config/metrics-section_metrics-token.yaml b/unittests/config/metrics-section_metrics-token.yaml new file mode 100644 index 0000000..b8115a1 --- /dev/null +++ b/unittests/config/metrics-section_metrics-token.yaml @@ -0,0 +1,58 @@ +suite: config template | metrics section (metrics token) +release: + name: gitea-unittests + namespace: testing +tests: + - it: metrics token is set + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + TOKEN=somepassword + - it: metrics token is empty + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: metrics token is nil + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: does not configures a token if metrics are disabled + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: false + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=false diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml new file mode 100644 index 0000000..e3776ca --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml @@ -0,0 +1,23 @@ +suite: Metrics secret template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring disabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if monitoring disabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml new file mode 100644 index 0000000..78e714a --- /dev/null +++ b/unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml @@ -0,0 +1,33 @@ +suite: Metrics secret template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring enabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders Secret if monitoring enabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-metrics-secret + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: data.token + value: "dGVzdC10b2tlbg==" diff --git a/unittests/servicemonitor/servicemonitor-disabled.yaml b/unittests/servicemonitor/servicemonitor-disabled.yaml new file mode 100644 index 0000000..5b2de44 --- /dev/null +++ b/unittests/servicemonitor/servicemonitor-disabled.yaml @@ -0,0 +1,23 @@ +suite: ServiceMonitor template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: false + gitea.metrics.token: "" + gitea.metrics.serviceMonitor.enabled: false + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: false + gitea.metrics.token: "test-token" + gitea.metrics.serviceMonitor.enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/servicemonitor/servicemonitor-enabled.yaml b/unittests/servicemonitor/servicemonitor-enabled.yaml new file mode 100644 index 0000000..29d83ca --- /dev/null +++ b/unittests/servicemonitor/servicemonitor-enabled.yaml @@ -0,0 +1,70 @@ +suite: ServiceMonitor template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/servicemonitor.yaml +tests: + - it: renders unsecure ServiceMonitor if gitea.metrics.token nil + set: + gitea.metrics.enabled: true + gitea.metrics.token: + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + - it: renders unsecure ServiceMonitor if gitea.metrics.token empty + set: + gitea.metrics.enabled: true + gitea.metrics.token: "" + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + - it: renders secure ServiceMonitor if gitea.metrics.token not empty + set: + gitea.metrics.enabled: true + gitea.metrics.token: "test-token" + gitea.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: ServiceMonitor + apiVersion: monitoring.coreos.com/v1 + name: gitea-unittests + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: spec.endpoints + value: + - port: http + authorization: + type: Bearer + credentials: + name: gitea-unittests-metrics-secret + key: token + optional: false diff --git a/values.yaml b/values.yaml index f3998ec..2dfb62d 100644 --- a/values.yaml +++ b/values.yaml @@ -461,6 +461,7 @@ gitea: passwordMode: keepUpdated ## @param gitea.metrics.enabled Enable Gitea metrics + ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. @@ -469,6 +470,7 @@ gitea: ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. metrics: enabled: false + token: serviceMonitor: enabled: false # additionalLabels: -- 2.40.1 From 5f7d35390127e523b64449631a55c88773f0ef90 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sat, 30 Nov 2024 14:47:18 +0000 Subject: [PATCH 10/14] Prevent reoccurring namespace inconsistencies (#737) https://gitea.com/gitea/helm-chart/pulls/713 ensured that all resources contain a `namespace` field. When adding Gitea actions runner support in https://gitea.com/gitea/helm-chart/pulls/666, this was an oversight. Signed-off-by: justusbunsi Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/737 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- .gitea/PULL_REQUEST_TEMPLATE.md | 1 + templates/gitea/act_runner/config-act-runner.yaml | 1 + templates/gitea/act_runner/config-scripts.yaml | 1 + templates/gitea/act_runner/job.yaml | 1 + templates/gitea/act_runner/role-job.yaml | 1 + templates/gitea/act_runner/rolebinding-job.yaml | 1 + templates/gitea/act_runner/secret-token.yaml | 1 + templates/gitea/act_runner/serviceaccount-job.yaml | 1 + templates/gitea/act_runner/statefulset.yaml | 1 + 9 files changed, 9 insertions(+) diff --git a/.gitea/PULL_REQUEST_TEMPLATE.md b/.gitea/PULL_REQUEST_TEMPLATE.md index 01ad275..686d550 100644 --- a/.gitea/PULL_REQUEST_TEMPLATE.md +++ b/.gitea/PULL_REQUEST_TEMPLATE.md @@ -40,3 +40,4 @@ - [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] Breaking changes are documented in the `README.md` - [ ] Templating unittests are added +- [ ] All added template resources MUST render a namespace in metadata diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml index 03961ae..433fb69 100644 --- a/templates/gitea/act_runner/config-act-runner.yaml +++ b/templates/gitea/act_runner/config-act-runner.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "gitea.fullname" . }}-act-runner-config + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} data: diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml index 688bd20..31b926e 100644 --- a/templates/gitea/act_runner/config-scripts.yaml +++ b/templates/gitea/act_runner/config-scripts.yaml @@ -5,6 +5,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "gitea.fullname" . }}-scripts + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} data: diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml index 032671f..e8189d9 100644 --- a/templates/gitea/act_runner/job.yaml +++ b/templates/gitea/act_runner/job.yaml @@ -7,6 +7,7 @@ apiVersion: batch/v1 kind: Job metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} {{- with .Values.actions.provisioning.labels }} diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml index b06c18d..c2afa57 100644 --- a/templates/gitea/act_runner/role-job.yaml +++ b/templates/gitea/act_runner/role-job.yaml @@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml index c80bd3e..1c67e84 100644 --- a/templates/gitea/act_runner/rolebinding-job.yaml +++ b/templates/gitea/act_runner/rolebinding-job.yaml @@ -7,6 +7,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml index e6ee325..bc3416b 100644 --- a/templates/gitea/act_runner/secret-token.yaml +++ b/templates/gitea/act_runner/secret-token.yaml @@ -7,6 +7,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml index e2c0fb4..dd39752 100644 --- a/templates/gitea/act_runner/serviceaccount-job.yaml +++ b/templates/gitea/act_runner/serviceaccount-job.yaml @@ -6,6 +6,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ $name }} + namespace: {{ .Values.namespace | default .Release.Namespace }} labels: {{- include "gitea.labels" . | nindent 4 }} app.kubernetes.io/component: token-job diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml index 58939d2..46382bf 100644 --- a/templates/gitea/act_runner/statefulset.yaml +++ b/templates/gitea/act_runner/statefulset.yaml @@ -14,6 +14,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "gitea.fullname" . }}-act-runner + namespace: {{ .Values.namespace | default .Release.Namespace }} spec: selector: matchLabels: -- 2.40.1 From 52153021e33953d0861af4b86c78fe2cc393b135 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sat, 30 Nov 2024 16:07:23 +0000 Subject: [PATCH 11/14] Finetune Renovate configuration (#738) `go-gitea/gitea` is no workflow dependency and therefore should not be grouped as such. It got automatically matched due to `custom.regex` manager in that rule. Since we now have image dependencies in our `values.yaml`, PR builds will fail when these changes are not represented in `README.md`. Using a [postUpgradeTask](https://docs.renovatebot.com/configuration-options/#postupgradetasks) allows customized Renovate behavior. Signed-off-by: justusbunsi Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/738 Co-authored-by: justusbunsi Co-committed-by: justusbunsi --- renovate.json5 | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/renovate.json5 b/renovate.json5 index d0a0ac6..7605fa7 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -63,6 +63,25 @@ 'patch', 'digest', ], + matchFileNames: [ + '!Chart.yaml', + ], + }, + { + description: 'Update README.md on changes in values.yaml', + matchManagers: [ + 'helm-values', + ], + postUpgradeTasks: { + commands: [ + 'install-tool node', + 'make readme', + ], + fileFilters: [ + 'README.md', + ], + executionMode: 'update', + }, }, { description: 'Override changelog url for Helm image, to have release notes in our PRs', -- 2.40.1 From 7cae9d3404a2b55b562c6cd546a1b042d7ef67de Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 30 Nov 2024 23:34:16 +0000 Subject: [PATCH 12/14] chore(deps): update busybox docker tag to v1.37.0 (#734) This PR contains the following updates: | Package | Update | Change | |---|---|---| | busybox | minor | `1.36.1` -> `1.37.0` | --- Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/734 Reviewed-by: techknowlogick Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- README.md | 2 +- values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d2dd0fd..2f9c9ba 100644 --- a/README.md +++ b/README.md @@ -1030,7 +1030,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | | `actions.enabled` | Create an act runner StatefulSet. | `false` | | `actions.init.image.repository` | The image used for the init containers | `busybox` | -| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` | +| `actions.init.image.tag` | The image tag used for the init containers | `1.37.0` | | `actions.statefulset.annotations` | Act runner annotations | `{}` | | `actions.statefulset.labels` | Act runner labels | `{}` | | `actions.statefulset.resources` | Act runner resources | `{}` | diff --git a/values.yaml b/values.yaml index 2dfb62d..cf9308d 100644 --- a/values.yaml +++ b/values.yaml @@ -420,7 +420,7 @@ actions: image: repository: busybox # Overrides the image tag whose default is the chart appVersion. - tag: "1.36.1" + tag: "1.37.0" provisioning: enabled: false -- 2.40.1 From e3db83e22b923bbea7aec27c9c4dfc3e69675f35 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 30 Nov 2024 23:44:11 +0000 Subject: [PATCH 13/14] chore(deps): update dependency go-gitea/gitea to v1.22.4 (#740) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [go-gitea/gitea](https://github.com/go-gitea/gitea) | patch | `1.22.3` -> `1.22.4` | --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/740 Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 6cf2c41..21a0e63 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes type: application version: 0.0.0 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?.*)$ -appVersion: 1.22.3 +appVersion: 1.22.4 icon: https://gitea.com/assets/img/logo.svg keywords: -- 2.40.1 From aec87c249050aca00e560e3d560dceaf13df8d0c Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 30 Nov 2024 23:47:49 +0000 Subject: [PATCH 14/14] chore(deps): update workflow dependencies (minor & patch) (#735) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | | minor | `3.15.3` -> `3.16.3` | | [alpine/helm](https://github.com/alpine-docker/helm) ([changelog](https://github.com/helm/helm)) | container | minor | `3.15.3` -> `3.16.3` | | [helm-unittest/helm-unittest](https://github.com/helm-unittest/helm-unittest) | | minor | `v0.5.2` -> `v0.7.0` | | [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli) | devDependencies | minor | [`^0.41.0` -> `^0.43.0`](https://renovatebot.com/diffs/npm/markdownlint-cli/0.41.0/0.43.0) | --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/735 Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- .gitea/workflows/release-version.yml | 2 +- .gitea/workflows/test-pr.yml | 4 +- .vscode/settings.json | 2 +- package-lock.json | 149 +++++++++++++-------------- package.json | 2 +- 5 files changed, 74 insertions(+), 85 deletions(-) diff --git a/.gitea/workflows/release-version.yml b/.gitea/workflows/release-version.yml index 994add0..3b95267 100644 --- a/.gitea/workflows/release-version.yml +++ b/.gitea/workflows/release-version.yml @@ -7,7 +7,7 @@ on: env: # renovate: datasource=docker depName=alpine/helm - HELM_VERSION: "3.15.3" + HELM_VERSION: "3.16.3" jobs: generate-chart-publish: diff --git a/.gitea/workflows/test-pr.yml b/.gitea/workflows/test-pr.yml index 78ed267..2797c75 100644 --- a/.gitea/workflows/test-pr.yml +++ b/.gitea/workflows/test-pr.yml @@ -11,12 +11,12 @@ on: env: # renovate: datasource=github-releases depName=helm-unittest/helm-unittest - HELM_UNITTEST_VERSION: "v0.5.2" + HELM_UNITTEST_VERSION: "v0.7.0" jobs: check-and-test: runs-on: ubuntu-latest - container: alpine/helm:3.15.3 + container: alpine/helm:3.16.3 steps: - name: install tools run: | diff --git a/.vscode/settings.json b/.vscode/settings.json index 5271d28..1b31698 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,6 +1,6 @@ { "yaml.schemas": { - "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [ + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.0/schema/helm-testsuite.json": [ "/unittests/**/*.yaml" ] }, diff --git a/package-lock.json b/package-lock.json index c00c95e..3edacb1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "license": "MIT", "devDependencies": { "@bitnami/readme-generator-for-helm": "^2.5.0", - "markdownlint-cli": "^0.41.0" + "markdownlint-cli": "^0.43.0" }, "engines": { "node": ">=16.0.0", @@ -48,16 +48,6 @@ "node": ">=12" } }, - "node_modules/@pkgjs/parseargs": { - "version": "0.11.0", - "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", - "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", - "dev": true, - "optional": true, - "engines": { - "node": ">=14" - } - }, "node_modules/ansi-regex": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz", @@ -228,18 +218,6 @@ "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", "dev": true }, - "node_modules/get-stdin": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz", - "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==", - "dev": true, - "engines": { - "node": ">=12" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", @@ -261,10 +239,11 @@ } }, "node_modules/ignore": { - "version": "5.3.1", - "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz", - "integrity": "sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==", + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-6.0.2.tgz", + "integrity": "sha512-InwqeHHN2XpumIkMvpl/DCJVrAHgCsG5+cn1XlnLWGwtZBm8QJfSusItfrwx81CTp5agNZqpKU2J/ccC5nGT4A==", "dev": true, + "license": "MIT", "engines": { "node": ">= 4" } @@ -310,22 +289,19 @@ "dev": true }, "node_modules/jackspeak": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.1.2.tgz", - "integrity": "sha512-kWmLKn2tRtfYMF/BakihVVRzBKOxz4gJMiL2Rj91WnAB5TPZumSH99R/Yf1qE1u4uRimvCSJfm6hnxohXeEXjQ==", + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.0.2.tgz", + "integrity": "sha512-bZsjR/iRjl1Nk1UkjGpAzLNfQtzuijhn2g+pbZb98HQ1Gk8vM9hfbxeMBP+M2/UUdwj0RqGG3mlvk2MsAqwvEw==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/cliui": "^8.0.2" }, "engines": { - "node": ">=14" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" - }, - "optionalDependencies": { - "@pkgjs/parseargs": "^0.11.0" } }, "node_modules/js-yaml": { @@ -341,10 +317,11 @@ } }, "node_modules/jsonc-parser": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.1.tgz", - "integrity": "sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==", - "dev": true + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz", + "integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==", + "dev": true, + "license": "MIT" }, "node_modules/jsonpointer": { "version": "5.0.1", @@ -371,12 +348,13 @@ "dev": true }, "node_modules/lru-cache": { - "version": "10.2.2", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz", - "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==", + "version": "11.0.2", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.0.2.tgz", + "integrity": "sha512-123qHRfJBmo2jXDbo/a5YOQrJoHF/GNQTLzQ5+IdK5pWpceK17yRc6ozlWd25FxvGKQbIUs91fDFkXmDHTKcyA==", "dev": true, + "license": "ISC", "engines": { - "node": "14 || >=16.14" + "node": "20 || >=22" } }, "node_modules/markdown-it": { @@ -410,13 +388,14 @@ } }, "node_modules/markdownlint": { - "version": "0.34.0", - "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.34.0.tgz", - "integrity": "sha512-qwGyuyKwjkEMOJ10XN6OTKNOVYvOIi35RNvDLNxTof5s8UmyGHlCdpngRHoRGNvQVGuxO3BJ7uNSgdeX166WXw==", + "version": "0.36.1", + "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.36.1.tgz", + "integrity": "sha512-s73fU2CQN7WCgjhaQUQ8wYESQNzGRNOKDd+3xgVqu8kuTEhmwepd/mxOv1LR2oV046ONrTLBFsM7IoKWNvmy5g==", "dev": true, + "license": "MIT", "dependencies": { "markdown-it": "14.1.0", - "markdownlint-micromark": "0.1.9" + "markdownlint-micromark": "0.1.12" }, "engines": { "node": ">=18" @@ -426,23 +405,22 @@ } }, "node_modules/markdownlint-cli": { - "version": "0.41.0", - "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.41.0.tgz", - "integrity": "sha512-kp29tKrMKdn+xonfefjp3a/MsNzAd9c5ke0ydMEI9PR98bOjzglYN4nfMSaIs69msUf1DNkgevAIAPtK2SeX0Q==", + "version": "0.43.0", + "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.43.0.tgz", + "integrity": "sha512-6vwurKK4B21eyYzwgX6ph13cZS7hE6LZfcS8QyD722CyxVD2RtAvbZK2p7k+FZbbKORulEuwl+hJaEq1l6/hoQ==", "dev": true, "license": "MIT", "dependencies": { "commander": "~12.1.0", - "get-stdin": "~9.0.0", - "glob": "~10.4.1", - "ignore": "~5.3.1", + "glob": "~11.0.0", + "ignore": "~6.0.2", "js-yaml": "^4.1.0", - "jsonc-parser": "~3.2.1", + "jsonc-parser": "~3.3.1", "jsonpointer": "5.0.1", - "markdownlint": "~0.34.0", - "minimatch": "~9.0.4", + "markdownlint": "~0.36.1", + "minimatch": "~10.0.1", "run-con": "~1.3.2", - "smol-toml": "~1.2.0" + "smol-toml": "~1.3.1" }, "bin": { "markdownlint": "markdownlint.js" @@ -472,49 +450,51 @@ } }, "node_modules/markdownlint-cli/node_modules/glob": { - "version": "10.4.1", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.1.tgz", - "integrity": "sha512-2jelhlq3E4ho74ZyVLN03oKdAZVUa6UDZzFLVH1H7dnoax+y9qyaq8zBkfDIggjniU19z0wU18y16jMB2eyVIw==", + "version": "11.0.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-11.0.0.tgz", + "integrity": "sha512-9UiX/Bl6J2yaBbxKoEBRm4Cipxgok8kQYcOPEhScPwebu2I0HoQOuYdIO6S3hLuWoZgpDpwQZMzTFxgpkyT76g==", "dev": true, "license": "ISC", "dependencies": { "foreground-child": "^3.1.0", - "jackspeak": "^3.1.2", - "minimatch": "^9.0.4", + "jackspeak": "^4.0.1", + "minimatch": "^10.0.0", "minipass": "^7.1.2", - "path-scurry": "^1.11.1" + "package-json-from-dist": "^1.0.0", + "path-scurry": "^2.0.0" }, "bin": { "glob": "dist/esm/bin.mjs" }, "engines": { - "node": ">=16 || 14 >=14.18" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/markdownlint-cli/node_modules/minimatch": { - "version": "9.0.4", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz", - "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==", + "version": "10.0.1", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.0.1.tgz", + "integrity": "sha512-ethXTt3SGGR+95gudmqJ1eNhRO7eGEGIgYA9vnPatK4/etz2MEVDno5GMCibdMTuBMyElzIlgxMna3K94XDIDQ==", "dev": true, "license": "ISC", "dependencies": { "brace-expansion": "^2.0.1" }, "engines": { - "node": ">=16 || 14 >=14.17" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/markdownlint-micromark": { - "version": "0.1.9", - "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.9.tgz", - "integrity": "sha512-5hVs/DzAFa8XqYosbEAEg6ok6MF2smDj89ztn9pKkCtdKHVdPQuGMH7frFfYL9mLkvfFe4pTyAMffLbjf3/EyA==", + "version": "0.1.12", + "resolved": "https://registry.npmjs.org/markdownlint-micromark/-/markdownlint-micromark-0.1.12.tgz", + "integrity": "sha512-RlB6EwMGgc0sxcIhOQ2+aq7Zw1V2fBnzbXKGgYK/mVWdT7cz34fteKSwfYeo4rL6+L/q2tyC9QtD/PgZbkdyJQ==", "dev": true, + "license": "MIT", "engines": { "node": ">=18" }, @@ -568,6 +548,13 @@ "wrappy": "1" } }, + "node_modules/package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "dev": true, + "license": "BlueOak-1.0.0" + }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", @@ -587,17 +574,17 @@ } }, "node_modules/path-scurry": { - "version": "1.11.1", - "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", - "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.0.tgz", + "integrity": "sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { - "lru-cache": "^10.2.0", - "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + "lru-cache": "^11.0.0", + "minipass": "^7.1.2" }, "engines": { - "node": ">=16 || 14 >=14.18" + "node": "20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" @@ -670,14 +657,16 @@ } }, "node_modules/smol-toml": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.2.0.tgz", - "integrity": "sha512-KObxdQANC/xje3OoatMbSwQf2XAvJ0RbK+4nmQRszFNZptbNRnMWqbLF/zb4sMi9xJ6HNyhWXeuZ9zC/I/XY7w==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.3.1.tgz", + "integrity": "sha512-tEYNll18pPKHroYSmLLrksq233j021G0giwW7P3D24jC54pQ5W5BXMsQ/Mvw1OJCmEYDgY+lrzT+3nNUtoNfXQ==", "dev": true, "license": "BSD-3-Clause", "engines": { - "node": ">= 18", - "pnpm": ">= 9" + "node": ">= 18" + }, + "funding": { + "url": "https://github.com/sponsors/cyyynthia" } }, "node_modules/string-width": { diff --git a/package.json b/package.json index 3cc3449..1b02f2a 100644 --- a/package.json +++ b/package.json @@ -14,6 +14,6 @@ }, "devDependencies": { "@bitnami/readme-generator-for-helm": "^2.5.0", - "markdownlint-cli": "^0.41.0" + "markdownlint-cli": "^0.43.0" } } -- 2.40.1