From 8c95dcd282ed60feb8bfba9a457044c3db9b9147 Mon Sep 17 00:00:00 2001 
From: ChristopherHX Date: Wed, 13 Aug 2025 21:15:21 +0000 Subject: [PATCH] refactor!: remove actions runner token provisioning (#15) To be discussed. In https://gitea.com/gitea/helm-actions/issues/9#issuecomment-1002191 and https://gitea.com/gitea/helm-actions/pulls/13 I described that a migration of provisioning is currently not feasible due to - helm limitations - You are forced to repeat a lot of stuff for the default branch - helm-actions cannot read values of the helm-gitea chart to fix this - No agreement about making helm-gitea a optional dependency of helm-actions can be reached at the moment # Proposal - Create a new repository that includes both helm-gitea **and** helm-actions - Provisioning leaves this repository as well like it did in helm-gitea - Create that as gitea/helm-stack or whatever name - Provisioning code and tests moves to gitea/helm-stack We would need help with the repository creation Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/15 Reviewed-by: DaanSelen Co-authored-by: ChristopherHX Co-committed-by: ChristopherHX --- README.md | 39 -------- templates/01-consistency-checks.yaml | 13 +-- templates/_helpers.tpl | 33 +------ templates/config-scripts.yaml | 14 --- templates/job.yaml | 115 ---------------------- templates/role-job.yaml | 26 ----- templates/rolebinding-job.yaml | 22 ----- templates/secret-token.yaml | 20 ---- templates/serviceaccount-job.yaml | 14 --- unittests/helm/01-consistency-checks.yaml | 38 ------- unittests/helm/config-scripts.yaml | 47 --------- unittests/helm/job.yaml | 88 ----------------- unittests/helm/role-job.yaml | 40 -------- unittests/helm/rolebinding-job.yaml | 40 -------- unittests/helm/secret-token.yaml | 40 -------- unittests/helm/serviceaccount-job.yaml | 40 -------- unittests/helm/statefulset.yaml | 2 +- values.yaml | 75 -------------- 18 files changed, 8 insertions(+), 698 deletions(-) delete mode 100644 templates/config-scripts.yaml delete mode 100644 templates/job.yaml delete mode 100644 
templates/role-job.yaml delete mode 100644 templates/rolebinding-job.yaml delete mode 100644 templates/secret-token.yaml delete mode 100644 templates/serviceaccount-job.yaml delete mode 100644 unittests/helm/config-scripts.yaml delete mode 100644 unittests/helm/job.yaml delete mode 100644 unittests/helm/role-job.yaml delete mode 100644 unittests/helm/rolebinding-job.yaml delete mode 100644 unittests/helm/secret-token.yaml delete mode 100644 unittests/helm/serviceaccount-job.yaml diff --git a/README.md b/README.md index 1de205d..cc67cb6 100644 --- a/README.md +++ b/README.md 
@@ -34,49 +34,10 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us | `statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` | | `statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | | `statefulset.persistence.size` | Size for persistence to store act runner data | `1Gi` | -| `provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `provisioning.annotations` | Job's annotations | `{}` | -| `provisioning.labels` | Job's labels | `{}` | -| `provisioning.resources` | Job's resources | `{}` | -| `provisioning.nodeSelector` | NodeSelector for the job | `{}` | -| `provisioning.tolerations` | Tolerations for the job | `[]` | -| `provisioning.affinity` | Affinity for the job | `{}` | -| `provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` | -| `provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | -| `provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | | `existingSecret` | Secret that contains the token | `""` | | `existingSecretKey` | Secret key | `""` | | `giteaRootURL` | URL the act_runner registers and connect with | `""` | -### Persistence - -| Name | Description | Value | -| ------------------------------------------------- | ------------------------------------------------------------------------- | ---------------------- | -| `persistence.enabled` | Enable persistent storage | `true` | -| `persistence.create` | Whether to create the persistentVolumeClaim for shared storage | `true` | -| `persistence.mount` | Whether the persistentVolumeClaim should be mounted (even if 
not created) | `true` | -| `persistence.claimName` | Use an existing claim to store repository information | `gitea-shared-storage` | -| `persistence.size` | Size for persistence to store repo information | `10Gi` | -| `persistence.accessModes` | AccessMode for persistence | `["ReadWriteOnce"]` | -| `persistence.labels` | Labels for the persistence volume claim to be created | `{}` | -| `persistence.annotations.helm.sh/resource-policy` | Resource policy for the persistence volume claim | `keep` | -| `persistence.storageClass` | Name of the storage class to use | `nil` | -| `persistence.subPath` | Subdirectory of the volume to mount at | `nil` | -| `persistence.volumeName` | Name of persistent volume in PVC | `""` | - -### Image - -| Name | Description | Value | -| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `image.registry` | image registry, e.g. gcr.io,docker.io | `docker.gitea.com` | -| `image.repository` | Image to start for this pod | `gitea` | -| `image.tag` | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""` | -| `image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `true` | -| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""` | - ### Global | Name | Description | Value | diff --git a/templates/01-consistency-checks.yaml b/templates/01-consistency-checks.yaml index 2168b12..d93de36 100644 
--- a/templates/01-consistency-checks.yaml
+++ b/templates/01-consistency-checks.yaml
@@ -1,15 +1,6 @@
 {{- if .Values.enabled -}}
- {{- if .Values.provisioning.enabled -}}
- {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
- {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
- {{- end -}}
- {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
- {{- if .Values.existingSecret -}}
- {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
- {{- end -}}
- {{- end -}}
- {{- end -}}
- {{- if and (not .Values.provisioning.enabled) (or (empty .Values.existingSecret) (empty .Values.existingSecretKey)) -}}
+
+ {{- if or (empty .Values.existingSecret) (empty .Values.existingSecretKey) -}}
 {{- fail "existingSecret and existingSecretKey are required when provisioning is disabled" -}}
 {{- end -}}
 {{- if not .Values.giteaRootURL -}}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 2796136..2f3a52b 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
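Review bot: The `fail` message kept as context in templates/01-consistency-checks.yaml still says "existingSecret and existingSecretKey are required when provisioning is disabled", but after this hunk the guard is unconditional and the chart has no `provisioning` value, so the wording points operators at a switch that no longer exists. I would reword it to `{{- fail "existingSecret and existingSecretKey are required" -}}` and update the matching `errorMessage` assertions and test titles in unittests/helm/01-consistency-checks.yaml. Because the removal is breaking, a release that still sets `provisioning.enabled: true` gets only that generic error, or no signal at all when a secret is also set; an explicit guard such as `{{- if .Values.provisioning -}}{{- fail "provisioning was removed; create the runner token Secret yourself and set existingSecret/existingSecretKey" -}}{{- end -}}` would make the change visible at upgrade time. The empty `+` line added before the `if` can be dropped. The enclosing `if .Values.enabled` block closes outside the hunk.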
@@ -39,34 +39,11 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{/* -Create image name and tag used by the deployment. -*/}} -{{- define "gitea.actions.image" -}} -{{- $fullOverride := .Values.image.fullOverride | default "" -}} -{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}} -{{- $repository := .Values.image.repository -}} -{{- $separator := ":" -}} -{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}} -{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}} -{{- $digest := "" -}} -{{- if .Values.image.digest }} - {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}} -{{- end -}} -{{- if $fullOverride }} - {{- printf "%s" $fullOverride -}} -{{- else if $registry }} - {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}} -{{- else -}} - {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}} -{{- end -}} -{{- end -}} - {{/* Storage Class */}} {{- define "gitea.actions.persistence.storageClass" -}} -{{- $storageClass := (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }} +{{- $storageClass := default (tpl ( default "" .Values.global.storageClass) .) }} {{- if $storageClass }} storageClassName: {{ $storageClass | quote }} {{- end }} @@ -79,8 +56,8 @@ Common labels helm.sh/chart: {{ include "gitea.actions.chart" . }} app: {{ include "gitea.actions.name" . }} {{ include "gitea.actions.selectorLabels" . }} -app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} -version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ default .Chart.AppVersion | quote }} +version: {{ default .Chart.AppVersion | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} 
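Review bot: The rewritten `$storageClass` line in templates/_helpers.tpl calls `default` with a single argument, `default (tpl ( default "" .Values.global.storageClass) .)`, a leftover of the removed `persistence.storageClass` fallback; the same pattern appears in the `@@ -79,8 +56,8 @@` and `@@ -88,8 +65,8 @@` hunks as `{{ default .Chart.AppVersion | quote }}`. As far as I know Sprig returns the lone argument in that case, so rendering should be unchanged, but the call reads as if a fallback were still in play and invites a wrong edit later. Writing `{{- $storageClass := tpl (default "" .Values.global.storageClass) . }}` and `{{ .Chart.AppVersion | quote }}` states the intent directly. The two label definitions start above their hunks, so only the version lines in each are in view here.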
@@ -88,8 +65,8 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "gitea.actions.chart" . }} app: {{ include "gitea.actions.name" . }}-act-runner {{ include "gitea.actions.selectorLabels.actRunner" . }} -app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} -version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ default .Chart.AppVersion | quote }} +version: {{ default .Chart.AppVersion | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} diff --git a/templates/config-scripts.yaml b/templates/config-scripts.yaml deleted file mode 100644 index 008b8dd..0000000 --- a/templates/config-scripts.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.enabled }} -{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "gitea.actions.fullname" . }}-scripts - namespace: {{ .Values.namespace | default .Release.Namespace }} - labels: - {{- include "gitea.actions.labels" . | nindent 4 }} -data: -{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }} -{{- end }} -{{- end }} diff --git a/templates/job.yaml b/templates/job.yaml deleted file mode 100644 index 92afbc4..0000000 --- a/templates/job.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -{{- if .Values.enabled }} -{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }} -{{- $secretName := include "gitea.actions.workername" (dict "global" . "worker" "actions-token") }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ $name }} - namespace: {{ .Values.namespace | default .Release.Namespace }} - labels: - {{- include "gitea.actions.labels" . | nindent 4 }} - {{- with .Values.provisioning.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - app.kubernetes.io/component: token-job - annotations: - {{- with .Values.provisioning.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ttlSecondsAfterFinished: {{ .Values.provisioning.ttlSecondsAfterFinished }} - template: - metadata: - labels: - {{- include "gitea.actions.labels" . | nindent 8 }} - {{- with .Values.provisioning.labels }} - {{- toYaml . | nindent 8 }} - {{- end }} - app.kubernetes.io/component: token-job - spec: - initContainers: - - name: init-gitea - image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" - command: - - sh - - -c - - | - while ! nc -z {{ include "gitea.actions.nc" . }}; do - sleep 5 - done - containers: - - name: actions-token-create - image: "{{ include "gitea.actions.image" . }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: GITEA_APP_INI - value: /data/gitea/conf/app.ini - command: - - sh - - -c - - | - echo "Generating act_runner token via 'gitea actions generate-runner-token'..." 
- mkdir -p /data/actions/ - gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token - resources: - {{- toYaml .Values.provisioning.resources | nindent 12 }} - volumeMounts: - - name: data - mountPath: /data - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - - name: actions-token-upload - image: "{{ .Values.provisioning.publish.repository }}:{{ .Values.provisioning.publish.tag }}" - imagePullPolicy: {{ .Values.provisioning.publish.pullPolicy }} - env: - - name: SECRET_NAME - value: {{ $secretName }} - command: - - sh - - -c - - | - printf "Checking rights to update kubernetes act_runner secret..." - kubectl auth can-i update secret/${SECRET_NAME} - /scripts/token.sh - resources: - {{- toYaml .Values.provisioning.resources | nindent 12 }} - volumeMounts: - - mountPath: /scripts - name: scripts - readOnly: true - - mountPath: /data - name: data - readOnly: true - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- range $key, $value := .Values.provisioning.nodeSelector }} - nodeSelector: - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- with .Values.provisioning.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.provisioning.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - restartPolicy: Never - serviceAccount: {{ $name }} - volumes: - - name: scripts - configMap: - name: {{ include "gitea.actions.fullname" . }}-scripts - defaultMode: 0755 - - name: data - persistentVolumeClaim: - claimName: {{ .Values.persistence.claimName }} - parallelism: 1 - completions: 1 - backoffLimit: 1 -{{- end }} -{{- end }} diff --git a/templates/role-job.yaml b/templates/role-job.yaml deleted file mode 100644 index 26aa8f8..0000000 --- a/templates/role-job.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if .Values.enabled }} -{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }} -{{- $secretName := include "gitea.actions.workername" (dict "global" . "worker" "actions-token") }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $name }} - namespace: {{ .Values.namespace | default .Release.Namespace }} - labels: - {{- include "gitea.actions.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job -rules: - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - {{ $secretName }} - verbs: - - get - - update - - patch -{{- end }} -{{- end }} diff --git a/templates/rolebinding-job.yaml b/templates/rolebinding-job.yaml deleted file mode 100644 index d21d12d..0000000 --- a/templates/rolebinding-job.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.enabled }} -{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $name }} - namespace: {{ .Values.namespace | default .Release.Namespace }} - labels: - {{- include "gitea.actions.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $name }} -subjects: - - kind: ServiceAccount - name: {{ $name }} - namespace: {{ .Values.namespace | default .Release.Namespace }} -{{- end }} -{{- end }} diff --git a/templates/secret-token.yaml b/templates/secret-token.yaml deleted file mode 100644 index 5e6dcfe..0000000 --- a/templates/secret-token.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- if .Values.enabled }} -{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }} -{{- $secretName := include "gitea.actions.workername" (dict "global" . "worker" "actions-token") }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ $secretName }} - namespace: {{ .Values.namespace | default .Release.Namespace }} - labels: - {{- include "gitea.actions.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job -{{ $secret := (lookup "v1" "Secret" (.Values.namespace | default .Release.Namespace) $secretName) -}} -{{ if $secret -}} -data: - token: {{ (b64dec (index $secret.data "token")) | b64enc }} -{{ end -}} -{{- end }} -{{- end }} diff --git a/templates/serviceaccount-job.yaml b/templates/serviceaccount-job.yaml deleted file mode 100644 index ed2ae88..0000000 --- a/templates/serviceaccount-job.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.enabled }} -{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }} -{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $name }} - namespace: {{ .Values.namespace | default .Release.Namespace }} - labels: - {{- include "gitea.actions.labels" . | nindent 4 }} - app.kubernetes.io/component: token-job -{{- end }} -{{- end }} diff --git a/unittests/helm/01-consistency-checks.yaml b/unittests/helm/01-consistency-checks.yaml index a8fb9d8..86ad224 100644 --- a/unittests/helm/01-consistency-checks.yaml +++ b/unittests/helm/01-consistency-checks.yaml 
@@ -5,49 +5,15 @@ release: templates: - templates/01-consistency-checks.yaml tests: - - it: fails when provisioning is enabled BUT persistence is completely disabled - set: - persistence: - enabled: false - enabled: true - provisioning: - enabled: true - asserts: - - failedTemplate: - errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" - - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled - set: - persistence: - enabled: true - mount: false - enabled: true - provisioning: - enabled: true - asserts: - - failedTemplate: - errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled" - - it: fails when provisioning is enabled AND existingSecret is given - set: - enabled: true - provisioning: - enabled: true - existingSecret: "secret-reference" - asserts: - - failedTemplate: - errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret" - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing set: enabled: true - provisioning: - enabled: false asserts: - failedTemplate: errorMessage: "existingSecret and existingSecretKey are required when provisioning is disabled" - it: fails when provisioning is disabled BUT existingSecretKey is missing set: enabled: true - provisioning: - enabled: false existingSecret: "my-secret" asserts: - failedTemplate: @@ -55,8 +21,6 @@ tests: - it: fails when provisioning is disabled BUT existingSecret is missing set: enabled: true - provisioning: - enabled: false existingSecretKey: "my-secret-key" asserts: - failedTemplate: @@ -64,8 +28,6 @@ tests: - it: fails when LOCAL_ROOT_URL is missing set: enabled: true - provisioning: - enabled: false existingSecret: "my-secret" existingSecretKey: "my-secret-key" asserts: diff --git a/unittests/helm/config-scripts.yaml b/unittests/helm/config-scripts.yaml deleted file mode 100644 index 1b477ae..0000000 
--- a/unittests/helm/config-scripts.yaml +++ /dev/null @@ -1,47 +0,0 @@ -suite: actions template | config-scripts -release: - name: gitea-unittests - namespace: testing -templates: - - templates/config-scripts.yaml -tests: - - it: renders a ConfigMap when all criteria are met - template: templates/config-scripts.yaml - set: - enabled: true - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: ConfigMap - apiVersion: v1 - name: gitea-unittests-actions-scripts - - isNotNullOrEmpty: - path: data["token.sh"] - - it: doesn't renders a ConfigMap by default - template: templates/config-scripts.yaml - asserts: - - hasDocuments: - count: 0 - - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning - template: templates/config-scripts.yaml - asserts: - - hasDocuments: - count: 0 - - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria - template: templates/config-scripts.yaml - set: - enabled: false - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 0 diff --git a/unittests/helm/job.yaml b/unittests/helm/job.yaml deleted file mode 100644 index 476053b..0000000 --- a/unittests/helm/job.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -suite: actions template | job -release: - name: gitea-unittests - namespace: testing -chart: - # Override appVersion to have a pinned version for comparison - appVersion: 1.23.6 -templates: - - templates/job.yaml -tests: - - it: renders a Job - template: templates/job.yaml - set: - enabled: true - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: Job - apiVersion: batch/v1 - name: gitea-unittests-actions-token-job - - equal: - path: spec.template.spec.containers[0].image - value: "docker.gitea.com/gitea:1.23.6-rootless" - - it: tag override - template: templates/job.yaml - set: - image.tag: "1.23.7" - enabled: true - provisioning: - enabled: true - publish: - tag: "1.29.0" - persistence: - enabled: true - mount: true - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: "docker.gitea.com/gitea:1.23.7-rootless" - - equal: - path: spec.template.spec.containers[1].image - value: "bitnami/kubectl:1.29.0" - - it: doesn't renders a Job by default - template: templates/job.yaml - asserts: - - hasDocuments: - count: 0 - - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled - template: templates/job.yaml - set: - enabled: false - provisioning: - enabled: true - asserts: - - hasDocuments: - count: 0 - - it: renders a Job with correct nc command - template: templates/job.yaml - set: - enabled: true - giteaRootURL: "https://git.example.com:8443" - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: Job - apiVersion: batch/v1 - name: gitea-unittests-actions-token-job - - equal: - path: spec.template.spec.containers[0].image - value: "docker.gitea.com/gitea:1.23.6-rootless" - - equal: - path: spec.template.spec.initContainers[0].command[2] - value: | - while ! nc -z git.example.com 8443; do - sleep 5 - done 
diff --git a/unittests/helm/role-job.yaml b/unittests/helm/role-job.yaml deleted file mode 100644 index e3688fb..0000000 --- a/unittests/helm/role-job.yaml +++ /dev/null @@ -1,40 +0,0 @@ -suite: actions template | role-job -release: - name: gitea-unittests - namespace: testing -templates: - - templates/role-job.yaml -tests: - - it: doesn't renders a Role by default - template: templates/role-job.yaml - asserts: - - hasDocuments: - count: 0 - - it: renders a Role - template: templates/role-job.yaml - set: - enabled: true - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - name: gitea-unittests-actions-token-job - - it: doesn't renders a Role when criteria met BUT actions are not enabled - template: templates/role-job.yaml - set: - enabled: false - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 0 diff --git a/unittests/helm/rolebinding-job.yaml b/unittests/helm/rolebinding-job.yaml deleted file mode 100644 index 68c4eeb..0000000 --- a/unittests/helm/rolebinding-job.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -suite: actions template | rolebinding-job -release: - name: gitea-unittests - namespace: testing -templates: - - templates/rolebinding-job.yaml -tests: - - it: doesn't renders a RoleBinding by default - template: templates/rolebinding-job.yaml - asserts: - - hasDocuments: - count: 0 - - it: renders a RoleBinding - template: templates/rolebinding-job.yaml - set: - enabled: true - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: RoleBinding - apiVersion: rbac.authorization.k8s.io/v1 - name: gitea-unittests-actions-token-job - - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled - template: templates/rolebinding-job.yaml - set: - enabled: false - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 0 diff --git a/unittests/helm/secret-token.yaml b/unittests/helm/secret-token.yaml deleted file mode 100644 index 08dcc89..0000000 --- a/unittests/helm/secret-token.yaml +++ /dev/null @@ -1,40 +0,0 @@ -suite: actions template | secret-token -release: - name: gitea-unittests - namespace: testing -templates: - - templates/secret-token.yaml -tests: - - it: doesn't renders a Secret by default - template: templates/secret-token.yaml - asserts: - - hasDocuments: - count: 0 - - it: renders a Secret - template: templates/secret-token.yaml - set: - enabled: true - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: Secret - apiVersion: v1 - name: gitea-unittests-actions-token - - it: doesn't renders a Secret when criteria met BUT actions are not enabled - template: templates/secret-token.yaml - set: - enabled: false - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 0 
diff --git a/unittests/helm/serviceaccount-job.yaml b/unittests/helm/serviceaccount-job.yaml deleted file mode 100644 index 77ca57f..0000000 --- a/unittests/helm/serviceaccount-job.yaml +++ /dev/null @@ -1,40 +0,0 @@ -suite: actions template | serviceaccount-job -release: - name: gitea-unittests - namespace: testing -templates: - - templates/serviceaccount-job.yaml -tests: - - it: doesn't renders a ServiceAccount by default - template: templates/serviceaccount-job.yaml - asserts: - - hasDocuments: - count: 0 - - it: renders a ServiceAccount - template: templates/serviceaccount-job.yaml - set: - enabled: true - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: ServiceAccount - apiVersion: v1 - name: gitea-unittests-actions-token-job - - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled - template: templates/serviceaccount-job.yaml - set: - enabled: false - provisioning: - enabled: true - persistence: - enabled: true - mount: true - asserts: - - hasDocuments: - count: 0 diff --git a/unittests/helm/statefulset.yaml b/unittests/helm/statefulset.yaml index 47ea4a3..e93f593 100644 --- a/unittests/helm/statefulset.yaml +++ b/unittests/helm/statefulset.yaml @@ -69,7 +69,7 @@ tests: name: gitea-unittests-actions-act-runner - equal: path: spec.template.metadata.annotations["checksum/config"] - value: "e01f6cc186c5b523cba245cbfc9d556df49a71f7f650c979c2dbfd2bf40b9098" + value: "7566d9c60261bf8cbff6a6936fc7aead96cec540d8c793d142a5ad4664c56ba5" - it: renders a StatefulSet http (with correct GITEA_INSTANCE_URL env from giteaRootURL) template: templates/statefulset.yaml set: diff --git a/values.yaml b/values.yaml index 687fdb8..b44517f 100644 --- a/values.yaml +++ b/values.yaml @@ -1,5 +1,4 @@ # Configure Gitea Actions -# - must enable persistence if the job is enabled ## @section Gitea Actions # ## @param enabled Create an act runner StatefulSet. 
@@ -24,17 +23,6 @@ ## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container ## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` ## @param statefulset.persistence.size Size for persistence to store act runner data -## @param provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret -## @param provisioning.annotations Job's annotations -## @param provisioning.labels Job's labels -## @param provisioning.resources Job's resources -## @param provisioning.nodeSelector NodeSelector for the job -## @param provisioning.tolerations Tolerations for the job -## @param provisioning.affinity Affinity for the job -## @param provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed -## @param provisioning.publish.repository The image that can create the secret via kubectl -## @param provisioning.publish.tag The publish image tag that can create the secret -## @param provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret ## @param existingSecret Secret that contains the token ## @param existingSecretKey Secret key ## @param giteaRootURL URL the act_runner registers and connect with @@ -84,23 +72,6 @@ init: # Overrides the image tag whose default is the chart appVersion. tag: "1.37.0" -provisioning: - enabled: false - - annotations: {} - labels: {} - resources: {} - nodeSelector: {} - tolerations: [] - affinity: {} - - publish: - repository: bitnami/kubectl - tag: 1.29.0 - pullPolicy: IfNotPresent - - ttlSecondsAfterFinished: 300 - ## Specify an existing token secret ## existingSecret: "" 
@@ -109,52 +80,6 @@ existingSecretKey: "" ## Specify the root URL of the Gitea instance giteaRootURL: "" -## @section Persistence -# -## @param persistence.enabled Enable persistent storage -## @param persistence.create Whether to create the persistentVolumeClaim for shared storage -## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created) -## @param persistence.claimName Use an existing claim to store repository information -## @param persistence.size Size for persistence to store repo information -## @param persistence.accessModes AccessMode for persistence -## @param persistence.labels Labels for the persistence volume claim to be created -## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim -## @param persistence.storageClass Name of the storage class to use -## @param persistence.subPath Subdirectory of the volume to mount at -## @param persistence.volumeName Name of persistent volume in PVC -persistence: - enabled: true - create: true - mount: true - claimName: gitea-shared-storage - size: 10Gi - accessModes: - - ReadWriteOnce - labels: {} - storageClass: - subPath: - volumeName: "" - annotations: - helm.sh/resource-policy: keep - -## @section Image -## @param image.registry image registry, e.g. gcr.io,docker.io -## @param image.repository Image to start for this pod -## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. -## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` -## @param image.pullPolicy Image pull policy -## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher -## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. 
**Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** -image: - registry: "docker.gitea.com" - repository: gitea - # Overrides the image tag whose default is the chart appVersion. - tag: "" - digest: "" - pullPolicy: IfNotPresent - rootless: true - fullOverride: "" - ## @section Global # ## @param global.imageRegistry global image registry override