rebased: Add Gitea Actions act runner #666
35
README.md
@ -45,6 +45,7 @@
|
||||
- [Persistence](#persistence-1)
|
||||
- [Init](#init)
|
||||
- [Signing](#signing)
|
||||
- [Gitea Actions](#gitea-actions)
|
||||
- [Gitea](#gitea)
|
||||
- [LivenessProbe](#livenessprobe)
|
||||
- [ReadinessProbe](#readinessprobe)
|
||||
@ -999,6 +1000,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
||||
| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` |
|
||||
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
|
||||
|
||||
### Gitea Actions
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
|
||||
| `actions.enabled` | Create an act runner StatefulSet. | `false` |
|
||||
| `actions.init.image.repository` | The image used for the init containers | `busybox` |
|
||||
| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` |
|
||||
| `actions.statefulset.annotations` | Act runner annotations | `{}` |
|
||||
| `actions.statefulset.labels` | Act runner labels | `{}` |
|
||||
| `actions.statefulset.resources` | Act runner resources | `{}` |
|
||||
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
|
||||
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
|
||||
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
|
||||
| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
|
||||
| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` |
|
||||
| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
|
||||
| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
|
||||
| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
|
||||
| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
|
||||
| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
|
||||
| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
|
||||
| `actions.provisioning.annotations` | Job's annotations | `{}` |
|
||||
| `actions.provisioning.labels` | Job's labels | `{}` |
|
||||
| `actions.provisioning.resources` | Job's resources | `{}` |
|
||||
| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` |
|
||||
| `actions.provisioning.tolerations` | Tolerations for the job | `[]` |
|
||||
| `actions.provisioning.affinity` | Affinity for the job | `{}` |
|
||||
| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` |
|
||||
| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
|
||||
| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
|
||||
| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
|
||||
| `actions.existingSecret` | Secret that contains the token | `""` |
|
||||
| `actions.existingSecretKey` | Secret key | `""` |
|
||||
|
||||
### Gitea
|
||||
|
||||
| Name | Description | Value |
|
||||
|
34
readme-actions-dev.md
Normal file
@ -0,0 +1,34 @@
|
||||
# Gitea Actions
|
||||
|
||||
In order to use the Gitea Actions act-runner you must either:
|
||||
|
||||
- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
|
||||
- create a secret containing the act runner token and reference it as a `existingSecret`
|
||||
|
||||
In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
|
||||
`gitea actions generate-runner-token`
|
||||
|
||||
This command will out a token that is needed by the act-runner to register with the Gitea backend.
|
||||
|
||||
Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
|
||||
|
||||
1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
|
||||
2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
|
||||
the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
|
||||
|
||||
After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
|
||||
|
||||
1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
|
||||
2) `dind`: DockerInDocker image that is used to run the actions
|
||||
|
||||
If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
|
||||
In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
|
||||
the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
|
||||
|
||||
```yaml
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: false
|
||||
existingSecret: "secret-name"
|
||||
existingSecretKey: "secret-key"
|
||||
```
|
43
scripts/token.sh
Normal file
@ -0,0 +1,43 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
timeout_delay=15
|
||||
|
||||
check_token() {
|
||||
set +e
|
||||
|
||||
echo "Checking for existing token..."
|
||||
token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
|
||||
[ $? -ne 0 ] && return 1
|
||||
[ -z "$token" ] && return 2
|
||||
return 0
|
||||
}
|
||||
|
||||
create_token() {
|
||||
echo "Waiting for new token to be generated..."
|
||||
begin=$(date +%s)
|
||||
end=$((begin + timeout_delay))
|
||||
while true; do
|
||||
[ -f /data/actions/token ] && return 0
|
||||
[ "$(date +%s)" -gt $end ] && return 1
|
||||
sleep 5
|
||||
done
|
||||
}
|
||||
|
||||
store_token() {
|
||||
echo "Storing the token in Kubernetes secret..."
|
||||
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
|
||||
}
|
||||
|
||||
if check_token; then
|
||||
echo "Key already in place, exiting."
|
||||
exit
|
||||
fi
|
||||
|
||||
if ! create_token; then
|
||||
echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
store_token
|
@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default worker name.
|
||||
*/}}
|
||||
{{- define "gitea.workername" -}}
|
||||
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.labels.actRunner" -}}
|
||||
helm.sh/chart: {{ include "gitea.chart" . }}
|
||||
app: {{ include "gitea.name" . }}-act-runner
|
||||
{{ include "gitea.selectorLabels.actRunner" . }}
|
||||
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.selectorLabels.actRunner" -}}
|
||||
app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "postgresql-ha.dns" -}}
|
||||
{{- if (index .Values "postgresql-ha").enabled -}}
|
||||
{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
|
||||
@ -263,6 +284,9 @@ https
|
||||
{{- if not (hasKey .Values.gitea.config "indexer") -}}
|
||||
{{- $_ := set .Values.gitea.config "indexer" dict -}}
|
||||
{{- end -}}
|
||||
{{- if not (hasKey .Values.gitea.config "actions") -}}
|
||||
{{- $_ := set .Values.gitea.config "actions" dict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.inline_configuration.defaults" -}}
|
||||
@ -309,6 +333,9 @@ https
|
||||
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
|
||||
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
|
||||
{{- end -}}
|
||||
{{- if not .Values.gitea.config.actions.ENABLED -}}
|
||||
{{- $_ := set .Values.gitea.config.actions "ENABLED" "false" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.inline_configuration.defaults.server" -}}
|
||||
@ -328,6 +355,9 @@ https
|
||||
{{- if not .Values.gitea.config.server.ROOT_URL -}}
|
||||
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
|
||||
{{- end -}}
|
||||
{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
|
||||
{{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}}
|
||||
{{- end -}}
|
||||
{{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
|
||||
{{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
|
||||
{{- end -}}
|
||||
|
14
templates/gitea/act_runner/config-act-runner.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "gitea.fullname" . }}-act-runner-config
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- with .Values.actions.statefulset.actRunner.config -}}
|
||||
{{ . | nindent 4}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
11
templates/gitea/act_runner/config-scripts.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "gitea.fullname" . }}-scripts
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
|
||||
{{- end }}
|
115
templates/gitea/act_runner/job.yaml
Normal file
@ -0,0 +1,115 @@
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- if .Values.actions.existingSecret }}
|
||||
{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" }}
|
||||
{{- end }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
{{- with .Values.actions.provisioning.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/component: token-job
|
||||
annotations:
|
||||
{{- with .Values.actions.provisioning.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
|
||||
vjm marked this conversation as resolved
Outdated
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 8 }}
|
||||
{{- with .Values.actions.provisioning.labels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/component: token-job
|
||||
spec:
|
||||
initContainers:
|
||||
- name: init-gitea
|
||||
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
|
||||
sleep 5
|
||||
justusbunsi
commented
I am not fully sure, but are we able to wait with provisioning activity via Helm Chart hook mechanism? Instead of waiting for eternity? Or would that confuse tools like ArgoCD? I imagine a flow like below:
I am not fully sure, but are we able to wait with provisioning activity via Helm Chart hook mechanism? Instead of waiting for eternity? Or would that confuse tools like ArgoCD?
I imagine a flow like below:
- Deploy the Gitea application itself
- Wait for the application itself being healthy and ready to accept connections
- Apply the hook-based provisioning job and being able to immediately contact Gitea
vjm
commented
i just tried to test this out and i had some issues -- the post-install hook waited to be applied as expected, but the gitea application was still not ready, even though helm and kubernetes had marked it as ready -- this might still be possible but i'd prefer to push this to a separate PR if possible. i just tried to test this out and i had some issues -- the post-install hook waited to be applied as expected, but the gitea application was still not ready, even though helm and kubernetes had marked it as ready -- this might still be possible but i'd prefer to push this to a separate PR if possible.
|
||||
done
|
||||
containers:
|
||||
- name: actions-token-create
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
env:
|
||||
- name: GITEA_APP_INI
|
||||
value: /data/gitea/conf/app.ini
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
|
||||
mkdir -p /data/actions/
|
||||
gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
|
||||
resources:
|
||||
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
{{- if .Values.persistence.subPath }}
|
||||
subPath: {{ .Values.persistence.subPath }}
|
||||
{{- end }}
|
||||
- name: actions-token-upload
|
||||
image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
|
||||
imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
|
||||
env:
|
||||
- name: SECRET_NAME
|
||||
value: {{ $secretName }}
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
printf "Checking rights to update kubernetes act_runner secret..."
|
||||
kubectl auth can-i update secret/${SECRET_NAME}
|
||||
/scripts/token.sh
|
||||
resources:
|
||||
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- mountPath: /scripts
|
||||
name: scripts
|
||||
readOnly: true
|
||||
- mountPath: /data
|
||||
name: data
|
||||
readOnly: true
|
||||
{{- if .Values.persistence.subPath }}
|
||||
subPath: {{ .Values.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.provisioning.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.provisioning.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.provisioning.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
restartPolicy: Never
|
||||
serviceAccount: {{ $name }}
|
||||
volumes:
|
||||
- name: scripts
|
||||
configMap:
|
||||
name: {{ include "gitea.fullname" . }}-scripts
|
||||
defaultMode: 0755
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.persistence.claimName }}
|
||||
parallelism: 1
|
||||
completions: 1
|
||||
backoffLimit: 1
|
||||
{{- end }}
|
23
templates/gitea/act_runner/role-job.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
resourceNames:
|
||||
- {{ $secretName }}
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
{{- end }}
|
20
templates/gitea/act_runner/rolebinding-job.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $name }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
17
templates/gitea/act_runner/secret-token.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
|
||||
{{ if $secret -}}
|
||||
data:
|
||||
token: {{ (b64dec (index $secret.data "token")) | b64enc }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
11
templates/gitea/act_runner/serviceaccount-job.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
|
||||
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: token-job
|
||||
{{- end }}
|
114
templates/gitea/act_runner/statefulset.yaml
Normal file
@ -0,0 +1,114 @@
|
||||
{{- if .Values.actions.enabled }}
|
||||
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "gitea.labels.actRunner" . | nindent 4 }}
|
||||
{{- with .Values.actions.statefulset.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- with .Values.actions.statefulset.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
name: {{ include "gitea.fullname" . }}-act-runner
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "gitea.labels.actRunner" . | nindent 8 }}
|
||||
{{- with .Values.actions.statefulset.labels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
initContainers:
|
||||
- name: init-gitea
|
||||
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
|
||||
vjm marked this conversation as resolved
Outdated
justusbunsi
commented
Please move this hard-coded image/tag reference into Please move this hard-coded image/tag reference into `values.yaml`. That way users can customize, and we can properly let Renovate update it.
vjm
commented
done! done!
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
|
||||
sleep 5
|
||||
done
|
||||
containers:
|
||||
- name: act-runner
|
||||
image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
|
||||
imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
|
||||
workingDir: /data
|
||||
env:
|
||||
- name: DOCKER_HOST
|
||||
value: tcp://127.0.0.1:2376
|
||||
- name: DOCKER_TLS_VERIFY
|
||||
value: "1"
|
||||
- name: DOCKER_CERT_PATH
|
||||
value: /certs/server
|
||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "{{ .Values.actions.existingSecret | default $secretName }}"
|
||||
key: "{{ .Values.actions.existingSecretKey | default "token" }}"
|
||||
- name: GITEA_INSTANCE_URL
|
||||
value: {{ .Values.gitea.config.server.LOCAL_ROOT_URL | quote }}
|
||||
vjm marked this conversation as resolved
Outdated
justusbunsi
commented
I guess we could reuse the already configured I guess we could reuse the already configured `LOCAL_ROOT_URL` from app.ini rendering above?
vjm
commented
fixed! fixed!
|
||||
- name: CONFIG_FILE
|
||||
value: /actrunner/config.yaml
|
||||
resources:
|
||||
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- mountPath: /actrunner/config.yaml
|
||||
name: act-runner-config
|
||||
subPath: config.yaml
|
||||
- mountPath: /certs/server
|
||||
name: docker-certs
|
||||
- mountPath: /data
|
||||
name: data-act-runner
|
||||
- name: dind
|
||||
image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
|
||||
imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
|
||||
env:
|
||||
- name: DOCKER_HOST
|
||||
value: tcp://127.0.0.1:2376
|
||||
- name: DOCKER_TLS_VERIFY
|
||||
value: "1"
|
||||
- name: DOCKER_CERT_PATH
|
||||
value: /certs/server
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources:
|
||||
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- mountPath: /certs/server
|
||||
name: docker-certs
|
||||
{{- with .Values.actions.statefulset.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.statefulset.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.actions.statefulset.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: act-runner-config
|
||||
configMap:
|
||||
name: {{ include "gitea.fullname" . }}-act-runner-config
|
||||
- name: docker-certs
|
||||
emptyDir: {}
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data-act-runner
|
||||
spec:
|
||||
accessModes: [ "ReadWriteOnce" ]
|
||||
{{- include "gitea.persistence.storageClass" . | nindent 8 }}
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Mi
|
||||
{{- end }}
|
40
unittests/act_runner/config-act-runner.yaml
Normal file
@ -0,0 +1,40 @@
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
|
||||
suite: actions template | config-act-runner
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/config-act-runner.yaml
|
||||
tests:
|
||||
- it: renders a ConfigMap
|
||||
template: templates/gitea/act_runner/config-act-runner.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
statefulset:
|
||||
actRunner:
|
||||
config: |
|
||||
log:
|
||||
level: info
|
||||
cache:
|
||||
vjm marked this conversation as resolved
Outdated
justusbunsi
commented
We should also ensure the content of the ConfigMap is correct. We should also ensure the content of the ConfigMap is correct.
vjm
commented
added unit tests! added unit tests!
|
||||
enabled: false
|
||||
runner:
|
||||
labels:
|
||||
- "ubuntu-latest"
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
name: gitea-unittests-act-runner-config
|
||||
- equal:
|
||||
path: data["config.yaml"]
|
||||
value: |
|
||||
log:
|
||||
level: info
|
||||
cache:
|
||||
enabled: false
|
||||
runner:
|
||||
labels:
|
||||
- "ubuntu-latest"
|
25
unittests/act_runner/config-scripts.yaml
Normal file
@ -0,0 +1,25 @@
|
||||
suite: actions template | config-scripts
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/config-scripts.yaml
|
||||
tests:
|
||||
- it: renders a ConfigMap
|
||||
template: templates/gitea/act_runner/config-scripts.yaml
|
||||
set:
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
name: gitea-unittests-scripts
|
||||
- isNotNullOrEmpty:
|
||||
path: data["token.sh"]
|
48
unittests/act_runner/job.yaml
Normal file
@ -0,0 +1,48 @@
|
||||
suite: actions template | job
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
chart:
|
||||
# Override appVersion to be consistent with used digest :)
|
||||
appVersion: 1.19.3
|
||||
templates:
|
||||
- templates/gitea/act_runner/job.yaml
|
||||
tests:
|
||||
- it: renders a Job
|
||||
template: templates/gitea/act_runner/job.yaml
|
||||
set:
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: Job
|
||||
apiVersion: batch/v1
|
||||
name: gitea-unittests-actions-token-job
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: "gitea/gitea:1.19.3-rootless"
|
||||
- it: tag override
|
||||
template: templates/gitea/act_runner/job.yaml
|
||||
set:
|
||||
image.tag: "1.19.4"
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: true
|
||||
publish:
|
||||
tag: "1.29.0"
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: "gitea/gitea:1.19.4-rootless"
|
||||
- equal:
|
||||
path: spec.template.spec.containers[1].image
|
||||
value: "bitnami/kubectl:1.29.0"
|
23
unittests/act_runner/role-job.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
suite: actions template | role-job
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/role-job.yaml
|
||||
tests:
|
||||
- it: renders a Role
|
||||
template: templates/gitea/act_runner/role-job.yaml
|
||||
set:
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
name: gitea-unittests-actions-token-job
|
23
unittests/act_runner/rolebinding-job.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
suite: actions template | rolebinding-job
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/rolebinding-job.yaml
|
||||
tests:
|
||||
- it: renders a RoleBinding
|
||||
template: templates/gitea/act_runner/rolebinding-job.yaml
|
||||
set:
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
name: gitea-unittests-actions-token-job
|
23
unittests/act_runner/secret-token.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
suite: actions template | secret-token
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/secret-token.yaml
|
||||
tests:
|
||||
- it: renders a Secret
|
||||
template: templates/gitea/act_runner/secret-token.yaml
|
||||
set:
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
name: gitea-unittests-actions-token
|
23
unittests/act_runner/serviceaccount-job.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
suite: actions template | serviceaccount-job
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/serviceaccount-job.yaml
|
||||
tests:
|
||||
- it: renders a ServiceAccount
|
||||
template: templates/gitea/act_runner/serviceaccount-job.yaml
|
||||
set:
|
||||
actions:
|
||||
provisioning:
|
||||
enabled: true
|
||||
persistence:
|
||||
enabled: true
|
||||
mount: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: ServiceAccount
|
||||
apiVersion: v1
|
||||
name: gitea-unittests-actions-token-job
|
27
unittests/act_runner/statefulset.yaml
Normal file
@ -0,0 +1,27 @@
|
||||
suite: actions template | statefulset
|
||||
release:
|
||||
name: gitea-unittests
|
||||
namespace: testing
|
||||
templates:
|
||||
- templates/gitea/act_runner/statefulset.yaml
|
||||
tests:
|
||||
- it: renders a StatefulSet
|
||||
template: templates/gitea/act_runner/statefulset.yaml
|
||||
set:
|
||||
actions:
|
||||
enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- containsDocument:
|
||||
kind: StatefulSet
|
||||
apiVersion: apps/v1
|
||||
name: gitea-unittests-act-runner
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].env[3]
|
||||
value:
|
||||
name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "gitea-unittests-actions-token"
|
||||
key: "token"
|
90
values.yaml
@ -339,6 +339,96 @@ signing:
|
||||
# -----END PGP PRIVATE KEY BLOCK-----
|
||||
existingSecret: ""
|
||||
|
||||
# Configure Gitea Actions
|
||||
# - must enable persistence if the job is enabled
|
||||
## @section Gitea Actions
|
||||
#
|
||||
## @param actions.enabled Create an act runner StatefulSet.
|
||||
## @param actions.init.image.repository The image used for the init containers
|
||||
## @param actions.init.image.tag The image tag used for the init containers
|
||||
## @param actions.statefulset.annotations Act runner annotations
|
||||
## @param actions.statefulset.labels Act runner labels
|
||||
## @param actions.statefulset.resources Act runner resources
|
||||
## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
|
||||
## @param actions.statefulset.tolerations Tolerations for the statefulset
|
||||
## @param actions.statefulset.affinity Affinity for the statefulset
|
||||
## @param actions.statefulset.actRunner.repository The Gitea act runner image
|
||||
## @param actions.statefulset.actRunner.tag The Gitea act runner tag
|
||||
## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
|
||||
## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
|
||||
## @param actions.statefulset.dind.repository The Docker-in-Docker image
|
||||
## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
|
||||
## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
|
||||
## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
|
||||
## @param actions.provisioning.annotations Job's annotations
|
||||
## @param actions.provisioning.labels Job's labels
|
||||
## @param actions.provisioning.resources Job's resources
|
||||
## @param actions.provisioning.nodeSelector NodeSelector for the job
|
||||
## @param actions.provisioning.tolerations Tolerations for the job
|
||||
## @param actions.provisioning.affinity Affinity for the job
|
||||
## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
|
||||
## @param actions.provisioning.publish.repository The image that can create the secret via kubectl
|
||||
## @param actions.provisioning.publish.tag The publish image tag that can create the secret
|
||||
## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
|
||||
## @param actions.existingSecret Secret that contains the token
|
||||
## @param actions.existingSecretKey Secret key
|
||||
actions:
|
||||
enabled: false
|
||||
statefulset:
|
||||
annotations: {}
|
||||
labels: {}
|
||||
resources: {}
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
affinity: {}
|
||||
|
||||
actRunner:
|
||||
repository: gitea/act_runner
|
||||
tag: 0.2.6
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
config: |
|
||||
log:
|
||||
level: debug
|
||||
cache:
|
||||
enabled: false
|
||||
runner:
|
||||
labels:
|
||||
- "ubuntu-latest"
|
||||
|
||||
dind:
|
||||
repository: docker
|
||||
tag: 25.0.2-dind
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
init:
|
||||
image:
|
||||
repository: busybox
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: "1.36.1"
|
||||
|
||||
provisioning:
|
||||
vjm marked this conversation as resolved
Outdated
justusbunsi
commented
Do we really need the Do we really need the `actions.provisioning.token` object? Isn't the crafted image reference identical to what `{{ include "gitea.image" . }}` from `_helpers.tpl` would already provide?
vjm
commented
removed! removed!
|
||||
enabled: false
|
||||
|
||||
annotations: {}
|
||||
labels: {}
|
||||
resources: {}
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
affinity: {}
|
||||
|
||||
publish:
|
||||
repository: bitnami/kubectl
|
||||
tag: 1.29.0
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
ttlSecondsAfterFinished: 300
|
||||
|
||||
## Specify an existing token secret
|
||||
##
|
||||
existingSecret: ""
|
||||
existingSecretKey: ""
|
||||
|
||||
## @section Gitea
|
||||
#
|
||||
gitea:
|
||||
|
We should allow customization via
actions.provisioning.ttlSecondsAfterFinished
done!