rebased: Add Gitea Actions act runner #666

Open
vjm wants to merge 23 commits from vjm/helm-chart:gitea-actions into main
21 changed files with 789 additions and 0 deletions

@ -45,6 +45,7 @@
- [Persistence](#persistence-1)
- [Init](#init)
- [Signing](#signing)
- [Gitea Actions](#gitea-actions)
- [Gitea](#gitea)
- [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe)
@ -999,6 +1000,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea Actions
| Name | Description | Value |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `actions.enabled` | Create an act runner StatefulSet. | `false` |
| `actions.init.image.repository` | The image used for the init containers | `busybox` |
| `actions.init.image.tag` | The image tag used for the init containers | `1.36.1` |
| `actions.statefulset.annotations` | Act runner annotations | `{}` |
| `actions.statefulset.labels` | Act runner labels | `{}` |
| `actions.statefulset.resources` | Act runner resources | `{}` |
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` |
| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
| `actions.provisioning.annotations` | Job's annotations | `{}` |
| `actions.provisioning.labels` | Job's labels | `{}` |
| `actions.provisioning.resources` | Job's resources | `{}` |
| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` |
| `actions.provisioning.tolerations` | Tolerations for the job | `[]` |
| `actions.provisioning.affinity` | Affinity for the job | `{}` |
| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` |
| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
| `actions.existingSecret` | Secret that contains the token | `""` |
| `actions.existingSecretKey` | Secret key | `""` |
### Gitea
| Name | Description | Value |

34
readme-actions-dev.md Normal file

@ -0,0 +1,34 @@
# Gitea Actions
In order to use the Gitea Actions act-runner you must either:
- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
- create a secret containing the act runner token and reference it as a `existingSecret`
In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
`gitea actions generate-runner-token`
This command will out a token that is needed by the act-runner to register with the Gitea backend.
Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
2) `dind`: DockerInDocker image that is used to run the actions
If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
```yaml
actions:
provisioning:
enabled: false
existingSecret: "secret-name"
existingSecretKey: "secret-key"
```

43
scripts/token.sh Normal file

@ -0,0 +1,43 @@
#!/bin/sh
set -eu
timeout_delay=15
check_token() {
set +e
echo "Checking for existing token..."
token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
[ $? -ne 0 ] && return 1
[ -z "$token" ] && return 2
return 0
}
create_token() {
echo "Waiting for new token to be generated..."
begin=$(date +%s)
end=$((begin + timeout_delay))
while true; do
[ -f /data/actions/token ] && return 0
[ "$(date +%s)" -gt $end ] && return 1
sleep 5
done
}
store_token() {
echo "Storing the token in Kubernetes secret..."
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
}
if check_token; then
echo "Key already in place, exiting."
exit
fi
if ! create_token; then
echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
exit 1
fi
store_token

@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}
{{/*
Create a default worker name.
*/}}
{{- define "gitea.workername" -}}
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- define "gitea.labels.actRunner" -}}
helm.sh/chart: {{ include "gitea.chart" . }}
app: {{ include "gitea.name" . }}-act-runner
{{ include "gitea.selectorLabels.actRunner" . }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "gitea.selectorLabels.actRunner" -}}
app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "postgresql-ha.dns" -}}
{{- if (index .Values "postgresql-ha").enabled -}}
{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@ -263,6 +284,9 @@ https
{{- if not (hasKey .Values.gitea.config "indexer") -}}
{{- $_ := set .Values.gitea.config "indexer" dict -}}
{{- end -}}
{{- if not (hasKey .Values.gitea.config "actions") -}}
{{- $_ := set .Values.gitea.config "actions" dict -}}
{{- end -}}
{{- end -}}
{{- define "gitea.inline_configuration.defaults" -}}
@ -309,6 +333,9 @@ https
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
{{- end -}}
{{- if not .Values.gitea.config.actions.ENABLED -}}
{{- $_ := set .Values.gitea.config.actions "ENABLED" "false" -}}
{{- end -}}
{{- end -}}
{{- define "gitea.inline_configuration.defaults.server" -}}
@ -328,6 +355,9 @@ https
{{- if not .Values.gitea.config.server.ROOT_URL -}}
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
{{- end -}}
{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
{{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port) -}}
{{- end -}}
{{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
{{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
{{- end -}}

@ -0,0 +1,14 @@
{{- if .Values.actions.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitea.fullname" . }}-act-runner-config
labels:
{{- include "gitea.labels" . | nindent 4 }}
data:
config.yaml: |
{{- with .Values.actions.statefulset.actRunner.config -}}
{{ . | nindent 4}}
{{- end -}}
{{- end }}

@ -0,0 +1,11 @@
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitea.fullname" . }}-scripts
labels:
{{- include "gitea.labels" . | nindent 4 }}
data:
{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
{{- end }}

@ -0,0 +1,115 @@
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- if .Values.actions.existingSecret }}
{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" }}
{{- end }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: token-job
annotations:
{{- with .Values.actions.provisioning.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
vjm marked this conversation as resolved Outdated

We should allow customization via actions.provisioning.ttlSecondsAfterFinished

We should allow customization via `actions.provisioning.ttlSecondsAfterFinished`
Outdated
Review

done!

done!
template:
metadata:
labels:
{{- include "gitea.labels" . | nindent 8 }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: token-job
spec:
initContainers:
- name: init-gitea
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
command:
- sh
- -c
- |
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
sleep 5

I am not fully sure, but are we able to wait with provisioning activity via Helm Chart hook mechanism? Instead of waiting for eternity? Or would that confuse tools like ArgoCD?

I imagine a flow like below:

  • Deploy the Gitea application itself
  • Wait for the application itself being healthy and ready to accept connections
  • Apply the hook-based provisioning job and being able to immediately contact Gitea
I am not fully sure, but are we able to wait with provisioning activity via Helm Chart hook mechanism? Instead of waiting for eternity? Or would that confuse tools like ArgoCD? I imagine a flow like below: - Deploy the Gitea application itself - Wait for the application itself being healthy and ready to accept connections - Apply the hook-based provisioning job and being able to immediately contact Gitea
Outdated
Review

i just tried to test this out and i had some issues -- the post-install hook waited to be applied as expected, but the gitea application was still not ready, even though helm and kubernetes had marked it as ready -- this might still be possible but i'd prefer to push this to a separate PR if possible.

i just tried to test this out and i had some issues -- the post-install hook waited to be applied as expected, but the gitea application was still not ready, even though helm and kubernetes had marked it as ready -- this might still be possible but i'd prefer to push this to a separate PR if possible.
done
containers:
- name: actions-token-create
image: "{{ include "gitea.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
command:
- sh
- -c
- |
echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
mkdir -p /data/actions/
gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
resources:
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- name: data
mountPath: /data
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: actions-token-upload
image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
env:
- name: SECRET_NAME
value: {{ $secretName }}
command:
- sh
- -c
- |
printf "Checking rights to update kubernetes act_runner secret..."
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/token.sh
resources:
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
readOnly: true
- mountPath: /data
name: data
readOnly: true
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- with .Values.actions.provisioning.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.provisioning.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.provisioning.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: scripts
configMap:
name: {{ include "gitea.fullname" . }}-scripts
defaultMode: 0755
- name: data
persistentVolumeClaim:
claimName: {{ .Values.persistence.claimName }}
parallelism: 1
completions: 1
backoffLimit: 1
{{- end }}

@ -0,0 +1,23 @@
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
{{- end }}

@ -0,0 +1,20 @@
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
{{- end }}

@ -0,0 +1,17 @@
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{ if $secret -}}
data:
token: {{ (b64dec (index $secret.data "token")) | b64enc }}
{{ end -}}
{{- end }}

@ -0,0 +1,11 @@
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{- end }}

@ -0,0 +1,114 @@
{{- if .Values.actions.enabled }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
{{- include "gitea.labels.actRunner" . | nindent 4 }}
{{- with .Values.actions.statefulset.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.actions.statefulset.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "gitea.fullname" . }}-act-runner
spec:
selector:
matchLabels:
{{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
template:
metadata:
labels:
{{- include "gitea.labels.actRunner" . | nindent 8 }}
{{- with .Values.actions.statefulset.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
initContainers:
- name: init-gitea
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
vjm marked this conversation as resolved Outdated

Please move this hard-coded image/tag reference into values.yaml. That way users can customize, and we can properly let Renovate update it.

Please move this hard-coded image/tag reference into `values.yaml`. That way users can customize, and we can properly let Renovate update it.
Outdated
Review

done!

done!
command:
- sh
- -c
- |
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
sleep 5
done
containers:
- name: act-runner
image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
workingDir: /data
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/server
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "{{ .Values.actions.existingSecret | default $secretName }}"
key: "{{ .Values.actions.existingSecretKey | default "token" }}"
- name: GITEA_INSTANCE_URL
value: {{ .Values.gitea.config.server.LOCAL_ROOT_URL | quote }}
vjm marked this conversation as resolved Outdated

I guess we could reuse the already configured LOCAL_ROOT_URL from app.ini rendering above?

I guess we could reuse the already configured `LOCAL_ROOT_URL` from app.ini rendering above?
Outdated
Review

fixed!

fixed!
- name: CONFIG_FILE
value: /actrunner/config.yaml
resources:
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /actrunner/config.yaml
name: act-runner-config
subPath: config.yaml
- mountPath: /certs/server
name: docker-certs
- mountPath: /data
name: data-act-runner
- name: dind
image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/server
securityContext:
privileged: true
resources:
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /certs/server
name: docker-certs
{{- with .Values.actions.statefulset.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.statefulset.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.statefulset.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: act-runner-config
configMap:
name: {{ include "gitea.fullname" . }}-act-runner-config
- name: docker-certs
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: data-act-runner
spec:
accessModes: [ "ReadWriteOnce" ]
{{- include "gitea.persistence.storageClass" . | nindent 8 }}
resources:
requests:
storage: 1Mi
{{- end }}

@ -0,0 +1,40 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: actions template | config-act-runner
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/config-act-runner.yaml
tests:
- it: renders a ConfigMap
template: templates/gitea/act_runner/config-act-runner.yaml
set:
actions:
enabled: true
statefulset:
actRunner:
config: |
log:
level: info
cache:
vjm marked this conversation as resolved Outdated

We should also ensure the content of the ConfigMap is correct.

We should also ensure the content of the ConfigMap is correct.
Outdated
Review

added unit tests!

added unit tests!
enabled: false
runner:
labels:
- "ubuntu-latest"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: gitea-unittests-act-runner-config
- equal:
path: data["config.yaml"]
value: |
log:
level: info
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"

@ -0,0 +1,25 @@
suite: actions template | config-scripts
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/config-scripts.yaml
tests:
- it: renders a ConfigMap
template: templates/gitea/act_runner/config-scripts.yaml
set:
actions:
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: gitea-unittests-scripts
- isNotNullOrEmpty:
path: data["token.sh"]

@ -0,0 +1,48 @@
suite: actions template | job
release:
name: gitea-unittests
namespace: testing
chart:
# Override appVersion to be consistent with used digest :)
appVersion: 1.19.3
templates:
- templates/gitea/act_runner/job.yaml
tests:
- it: renders a Job
template: templates/gitea/act_runner/job.yaml
set:
actions:
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Job
apiVersion: batch/v1
name: gitea-unittests-actions-token-job
- equal:
path: spec.template.spec.containers[0].image
value: "gitea/gitea:1.19.3-rootless"
- it: tag override
template: templates/gitea/act_runner/job.yaml
set:
image.tag: "1.19.4"
actions:
provisioning:
enabled: true
publish:
tag: "1.29.0"
persistence:
enabled: true
mount: true
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "gitea/gitea:1.19.4-rootless"
- equal:
path: spec.template.spec.containers[1].image
value: "bitnami/kubectl:1.29.0"

@ -0,0 +1,23 @@
suite: actions template | role-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/role-job.yaml
tests:
- it: renders a Role
template: templates/gitea/act_runner/role-job.yaml
set:
actions:
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job

@ -0,0 +1,23 @@
suite: actions template | rolebinding-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/rolebinding-job.yaml
tests:
- it: renders a RoleBinding
template: templates/gitea/act_runner/rolebinding-job.yaml
set:
actions:
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job

@ -0,0 +1,23 @@
suite: actions template | secret-token
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/secret-token.yaml
tests:
- it: renders a Secret
template: templates/gitea/act_runner/secret-token.yaml
set:
actions:
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-actions-token

@ -0,0 +1,23 @@
suite: actions template | serviceaccount-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/serviceaccount-job.yaml
tests:
- it: renders a ServiceAccount
template: templates/gitea/act_runner/serviceaccount-job.yaml
set:
actions:
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceAccount
apiVersion: v1
name: gitea-unittests-actions-token-job

@ -0,0 +1,27 @@
suite: actions template | statefulset
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/statefulset.yaml
tests:
- it: renders a StatefulSet
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[3]
value:
name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "gitea-unittests-actions-token"
key: "token"

@ -339,6 +339,96 @@ signing:
# -----END PGP PRIVATE KEY BLOCK-----
existingSecret: ""
# Configure Gitea Actions
# - must enable persistence if the job is enabled
## @section Gitea Actions
#
## @param actions.enabled Create an act runner StatefulSet.
## @param actions.init.image.repository The image used for the init containers
## @param actions.init.image.tag The image tag used for the init containers
## @param actions.statefulset.annotations Act runner annotations
## @param actions.statefulset.labels Act runner labels
## @param actions.statefulset.resources Act runner resources
## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
## @param actions.statefulset.tolerations Tolerations for the statefulset
## @param actions.statefulset.affinity Affinity for the statefulset
## @param actions.statefulset.actRunner.repository The Gitea act runner image
## @param actions.statefulset.actRunner.tag The Gitea act runner tag
## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
## @param actions.statefulset.dind.repository The Docker-in-Docker image
## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
## @param actions.provisioning.annotations Job's annotations
## @param actions.provisioning.labels Job's labels
## @param actions.provisioning.resources Job's resources
## @param actions.provisioning.nodeSelector NodeSelector for the job
## @param actions.provisioning.tolerations Tolerations for the job
## @param actions.provisioning.affinity Affinity for the job
## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
## @param actions.provisioning.publish.repository The image that can create the secret via kubectl
## @param actions.provisioning.publish.tag The publish image tag that can create the secret
## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
## @param actions.existingSecret Secret that contains the token
## @param actions.existingSecretKey Secret key
actions:
enabled: false
statefulset:
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
actRunner:
repository: gitea/act_runner
tag: 0.2.6
pullPolicy: IfNotPresent
config: |
log:
level: debug
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"
dind:
repository: docker
tag: 25.0.2-dind
pullPolicy: IfNotPresent
init:
image:
repository: busybox
# Overrides the image tag whose default is the chart appVersion.
tag: "1.36.1"
provisioning:
vjm marked this conversation as resolved Outdated

Do we really need the actions.provisioning.token object? Isn't the crafted image reference identical to what {{ include "gitea.image" . }} from _helpers.tpl would already provide?

Do we really need the `actions.provisioning.token` object? Isn't the crafted image reference identical to what `{{ include "gitea.image" . }}` from `_helpers.tpl` would already provide?
Outdated
Review

removed!

removed!
enabled: false
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
publish:
repository: bitnami/kubectl
tag: 1.29.0
pullPolicy: IfNotPresent
ttlSecondsAfterFinished: 300
## Specify an existing token secret
##
existingSecret: ""
existingSecretKey: ""
## @section Gitea
#
gitea: