volker.raschek/helm-actions
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

refactor!: remove actions runner token provisioning (#15)

Browse Source 
To be discussed. In https://gitea.com/gitea/helm-actions/issues/9#issuecomment-1002191 and https://gitea.com/gitea/helm-actions/pulls/13 I described that a migration of provisioning is currently not feasible due to
- helm limitations
  - You are forced to repeat a lot of stuff for the default branch
  -  helm-actions cannot read values of the helm-gitea chart to fix this
- No agreement about making helm-gitea a optional dependency of helm-actions can be reached at the moment

# Proposal

- Create a new repository that includes both helm-gitea **and** helm-actions
- Provisioning leaves this repository as well like it did in helm-gitea
- Create that as gitea/helm-stack or whatever name
- Provisioning code and tests moves to gitea/helm-stack

We would need help with the repository creation

Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/15
Reviewed-by: DaanSelen <daanselen@noreply.gitea.com>
Co-authored-by: ChristopherHX <christopherhx@noreply.gitea.com>
Co-committed-by: ChristopherHX <christopherhx@noreply.gitea.com>
This commit is contained in:
ChristopherHX
2025-08-13 21:15:21 +00:00
committed by DaanSelen
parent 7ad8e12e45
commit 8c95dcd282
18 changed files with 8 additions and 698 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
README.md
View File

@ -34,49 +34,10 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
| `statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` | | `statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` |
| `statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | | `statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` |
| `statefulset.persistence.size` | Size for persistence to store act runner data | `1Gi` | | `statefulset.persistence.size` | Size for persistence to store act runner data | `1Gi` |
| `provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
| `provisioning.annotations` | Job's annotations | `{}` |
| `provisioning.labels` | Job's labels | `{}` |
| `provisioning.resources` | Job's resources | `{}` |
| `provisioning.nodeSelector` | NodeSelector for the job | `{}` |
| `provisioning.tolerations` | Tolerations for the job | `[]` |
| `provisioning.affinity` | Affinity for the job | `{}` |
| `provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` |
| `provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
| `provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
| `provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
| `existingSecret` | Secret that contains the token | `""` | | `existingSecret` | Secret that contains the token | `""` |
| `existingSecretKey` | Secret key | `""` | | `existingSecretKey` | Secret key | `""` |
| `giteaRootURL` | URL the act_runner registers and connect with | `""` | | `giteaRootURL` | URL the act_runner registers and connect with | `""` |
### Persistence
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------- | ---------------------- |
| `persistence.enabled` | Enable persistent storage | `true` |
| `persistence.create` | Whether to create the persistentVolumeClaim for shared storage | `true` |
| `persistence.mount` | Whether the persistentVolumeClaim should be mounted (even if not created) | `true` |
| `persistence.claimName` | Use an existing claim to store repository information | `gitea-shared-storage` |
| `persistence.size` | Size for persistence to store repo information | `10Gi` |
| `persistence.accessModes` | AccessMode for persistence | `["ReadWriteOnce"]` |
| `persistence.labels` | Labels for the persistence volume claim to be created | `{}` |
| `persistence.annotations.helm.sh/resource-policy` | Resource policy for the persistence volume claim | `keep` |
| `persistence.storageClass` | Name of the storage class to use | `nil` |
| `persistence.subPath` | Subdirectory of the volume to mount at | `nil` |
| `persistence.volumeName` | Name of persistent volume in PVC | `""` |
### Image
| Name | Description | Value |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
| `image.registry` | image registry, e.g. gcr.io,docker.io | `docker.gitea.com` |
| `image.repository` | Image to start for this pod | `gitea` |
| `image.tag` | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""` |
| `image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `true` |
| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""` |
### Global ### Global
| Name | Description | Value | | Name | Description | Value |

13
templates/01-consistency-checks.yaml
View File

@ -1,15 +1,6 @@
{{- if .Values.enabled -}} {{- if .Values.enabled -}}
{{- if .Values.provisioning.enabled -}}
{{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}} {{- if or (empty .Values.existingSecret) (empty .Values.existingSecretKey) -}}
{{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
{{- end -}}
{{- if and .Values.persistence.enabled .Values.persistence.mount -}}
{{- if .Values.existingSecret -}}
{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if and (not .Values.provisioning.enabled) (or (empty .Values.existingSecret) (empty .Values.existingSecretKey)) -}}
{{- fail "existingSecret and existingSecretKey are required when provisioning is disabled" -}} {{- fail "existingSecret and existingSecretKey are required when provisioning is disabled" -}}
{{- end -}} {{- end -}}
{{- if not .Values.giteaRootURL -}} {{- if not .Values.giteaRootURL -}}

33
templates/_helpers.tpl
View File

@ -39,34 +39,11 @@ Create chart name and version as used by the chart label.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Create image name and tag used by the deployment.
*/}}
{{- define "gitea.actions.image" -}}
{{- $fullOverride := .Values.image.fullOverride | default "" -}}
{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
{{- $repository := .Values.image.repository -}}
{{- $separator := ":" -}}
{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
{{- $digest := "" -}}
{{- if .Values.image.digest }}
{{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
{{- end -}}
{{- if $fullOverride }}
{{- printf "%s" $fullOverride -}}
{{- else if $registry }}
{{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
{{- else -}}
{{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
{{- end -}}
{{- end -}}
{{/* {{/*
Storage Class Storage Class
*/}} */}}
{{- define "gitea.actions.persistence.storageClass" -}} {{- define "gitea.actions.persistence.storageClass" -}}
{{- $storageClass := (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }} {{- $storageClass := default (tpl ( default "" .Values.global.storageClass) .) }}
{{- if $storageClass }} {{- if $storageClass }}
storageClassName: {{ $storageClass | quote }} storageClassName: {{ $storageClass | quote }}
{{- end }} {{- end }}
@ -79,8 +56,8 @@ Common labels
helm.sh/chart: {{ include "gitea.actions.chart" . }} helm.sh/chart: {{ include "gitea.actions.chart" . }}
app: {{ include "gitea.actions.name" . }} app: {{ include "gitea.actions.name" . }}
{{ include "gitea.actions.selectorLabels" . }} {{ include "gitea.actions.selectorLabels" . }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ default .Chart.AppVersion | quote }}
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} version: {{ default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}} {{- end -}}
@ -88,8 +65,8 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "gitea.actions.chart" . }} helm.sh/chart: {{ include "gitea.actions.chart" . }}
app: {{ include "gitea.actions.name" . }}-act-runner app: {{ include "gitea.actions.name" . }}-act-runner
{{ include "gitea.actions.selectorLabels.actRunner" . }} {{ include "gitea.actions.selectorLabels.actRunner" . }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ default .Chart.AppVersion | quote }}
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} version: {{ default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}} {{- end -}}

14
templates/config-scripts.yaml
View File

@ -1,14 +0,0 @@
{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitea.actions.fullname" . }}-scripts
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.actions.labels" . | nindent 4 }}
data:
{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
{{- end }}
{{- end }}

115
templates/job.yaml
View File

@ -1,115 +0,0 @@
{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.actions.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.actions.labels" . | nindent 4 }}
{{- with .Values.provisioning.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: token-job
annotations:
{{- with .Values.provisioning.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: {{ .Values.provisioning.ttlSecondsAfterFinished }}
template:
metadata:
labels:
{{- include "gitea.actions.labels" . | nindent 8 }}
{{- with .Values.provisioning.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: token-job
spec:
initContainers:
- name: init-gitea
image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}"
command:
- sh
- -c
- |
while ! nc -z {{ include "gitea.actions.nc" . }}; do
sleep 5
done
containers:
- name: actions-token-create
image: "{{ include "gitea.actions.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
command:
- sh
- -c
- |
echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
mkdir -p /data/actions/
gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
resources:
{{- toYaml .Values.provisioning.resources | nindent 12 }}
volumeMounts:
- name: data
mountPath: /data
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: actions-token-upload
image: "{{ .Values.provisioning.publish.repository }}:{{ .Values.provisioning.publish.tag }}"
imagePullPolicy: {{ .Values.provisioning.publish.pullPolicy }}
env:
- name: SECRET_NAME
value: {{ $secretName }}
command:
- sh
- -c
- |
printf "Checking rights to update kubernetes act_runner secret..."
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/token.sh
resources:
{{- toYaml .Values.provisioning.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
readOnly: true
- mountPath: /data
name: data
readOnly: true
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- range $key, $value := .Values.provisioning.nodeSelector }}
nodeSelector:
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- with .Values.provisioning.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.provisioning.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: scripts
configMap:
name: {{ include "gitea.actions.fullname" . }}-scripts
defaultMode: 0755
- name: data
persistentVolumeClaim:
claimName: {{ .Values.persistence.claimName }}
parallelism: 1
completions: 1
backoffLimit: 1
{{- end }}
{{- end }}

26
templates/role-job.yaml
View File

@ -1,26 +0,0 @@
{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.actions.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.actions.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
{{- end }}
{{- end }}

22
templates/rolebinding-job.yaml
View File

@ -1,22 +0,0 @@
{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.actions.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
{{- end }}
{{- end }}

20
templates/secret-token.yaml
View File

@ -1,20 +0,0 @@
{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.actions.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.actions.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{ $secret := (lookup "v1" "Secret" (.Values.namespace | default .Release.Namespace) $secretName) -}}
{{ if $secret -}}
data:
token: {{ (b64dec (index $secret.data "token")) | b64enc }}
{{ end -}}
{{- end }}
{{- end }}

14
templates/serviceaccount-job.yaml
View File

@ -1,14 +0,0 @@
{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.actions.workername" (dict "global" . "worker" "actions-token-job") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.actions.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{- end }}
{{- end }}

38
unittests/helm/01-consistency-checks.yaml
View File

@ -5,49 +5,15 @@ release:
templates: templates:
- templates/01-consistency-checks.yaml - templates/01-consistency-checks.yaml
tests: tests:
- it: fails when provisioning is enabled BUT persistence is completely disabled
set:
persistence:
enabled: false
enabled: true
provisioning:
enabled: true
asserts:
- failedTemplate:
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
set:
persistence:
enabled: true
mount: false
enabled: true
provisioning:
enabled: true
asserts:
- failedTemplate:
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- it: fails when provisioning is enabled AND existingSecret is given
set:
enabled: true
provisioning:
enabled: true
existingSecret: "secret-reference"
asserts:
- failedTemplate:
errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
- it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
set: set:
enabled: true enabled: true
provisioning:
enabled: false
asserts: asserts:
- failedTemplate: - failedTemplate:
errorMessage: "existingSecret and existingSecretKey are required when provisioning is disabled" errorMessage: "existingSecret and existingSecretKey are required when provisioning is disabled"
- it: fails when provisioning is disabled BUT existingSecretKey is missing - it: fails when provisioning is disabled BUT existingSecretKey is missing
set: set:
enabled: true enabled: true
provisioning:
enabled: false
existingSecret: "my-secret" existingSecret: "my-secret"
asserts: asserts:
- failedTemplate: - failedTemplate:
@ -55,8 +21,6 @@ tests:
- it: fails when provisioning is disabled BUT existingSecret is missing - it: fails when provisioning is disabled BUT existingSecret is missing
set: set:
enabled: true enabled: true
provisioning:
enabled: false
existingSecretKey: "my-secret-key" existingSecretKey: "my-secret-key"
asserts: asserts:
- failedTemplate: - failedTemplate:
@ -64,8 +28,6 @@ tests:
- it: fails when LOCAL_ROOT_URL is missing - it: fails when LOCAL_ROOT_URL is missing
set: set:
enabled: true enabled: true
provisioning:
enabled: false
existingSecret: "my-secret" existingSecret: "my-secret"
existingSecretKey: "my-secret-key" existingSecretKey: "my-secret-key"
asserts: asserts:

47
unittests/helm/config-scripts.yaml
View File

@ -1,47 +0,0 @@
suite: actions template | config-scripts
release:
name: gitea-unittests
namespace: testing
templates:
- templates/config-scripts.yaml
tests:
- it: renders a ConfigMap when all criteria are met
template: templates/config-scripts.yaml
set:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: gitea-unittests-actions-scripts
- isNotNullOrEmpty:
path: data["token.sh"]
- it: doesn't renders a ConfigMap by default
template: templates/config-scripts.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
template: templates/config-scripts.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
template: templates/config-scripts.yaml
set:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

88
unittests/helm/job.yaml
View File

@ -1,88 +0,0 @@
suite: actions template | job
release:
name: gitea-unittests
namespace: testing
chart:
# Override appVersion to have a pinned version for comparison
appVersion: 1.23.6
templates:
- templates/job.yaml
tests:
- it: renders a Job
template: templates/job.yaml
set:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Job
apiVersion: batch/v1
name: gitea-unittests-actions-token-job
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.23.6-rootless"
- it: tag override
template: templates/job.yaml
set:
image.tag: "1.23.7"
enabled: true
provisioning:
enabled: true
publish:
tag: "1.29.0"
persistence:
enabled: true
mount: true
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.23.7-rootless"
- equal:
path: spec.template.spec.containers[1].image
value: "bitnami/kubectl:1.29.0"
- it: doesn't renders a Job by default
template: templates/job.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
template: templates/job.yaml
set:
enabled: false
provisioning:
enabled: true
asserts:
- hasDocuments:
count: 0
- it: renders a Job with correct nc command
template: templates/job.yaml
set:
enabled: true
giteaRootURL: "https://git.example.com:8443"
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Job
apiVersion: batch/v1
name: gitea-unittests-actions-token-job
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.23.6-rootless"
- equal:
path: spec.template.spec.initContainers[0].command[2]
value: |
while ! nc -z git.example.com 8443; do
sleep 5
done

40
unittests/helm/role-job.yaml
View File

@ -1,40 +0,0 @@
suite: actions template | role-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/role-job.yaml
tests:
- it: doesn't renders a Role by default
template: templates/role-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a Role
template: templates/role-job.yaml
set:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a Role when criteria met BUT actions are not enabled
template: templates/role-job.yaml
set:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

40
unittests/helm/rolebinding-job.yaml
View File

@ -1,40 +0,0 @@
suite: actions template | rolebinding-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/rolebinding-job.yaml
tests:
- it: doesn't renders a RoleBinding by default
template: templates/rolebinding-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a RoleBinding
template: templates/rolebinding-job.yaml
set:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
template: templates/rolebinding-job.yaml
set:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

40
unittests/helm/secret-token.yaml
View File

@ -1,40 +0,0 @@
suite: actions template | secret-token
release:
name: gitea-unittests
namespace: testing
templates:
- templates/secret-token.yaml
tests:
- it: doesn't renders a Secret by default
template: templates/secret-token.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a Secret
template: templates/secret-token.yaml
set:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-actions-token
- it: doesn't renders a Secret when criteria met BUT actions are not enabled
template: templates/secret-token.yaml
set:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

40
unittests/helm/serviceaccount-job.yaml
View File

@ -1,40 +0,0 @@
suite: actions template | serviceaccount-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/serviceaccount-job.yaml
tests:
- it: doesn't renders a ServiceAccount by default
template: templates/serviceaccount-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a ServiceAccount
template: templates/serviceaccount-job.yaml
set:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceAccount
apiVersion: v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
template: templates/serviceaccount-job.yaml
set:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

2
unittests/helm/statefulset.yaml
View File

@ -69,7 +69,7 @@ tests:
name: gitea-unittests-actions-act-runner name: gitea-unittests-actions-act-runner
- equal: - equal:
path: spec.template.metadata.annotations["checksum/config"] path: spec.template.metadata.annotations["checksum/config"]
value: "e01f6cc186c5b523cba245cbfc9d556df49a71f7f650c979c2dbfd2bf40b9098" value: "7566d9c60261bf8cbff6a6936fc7aead96cec540d8c793d142a5ad4664c56ba5"
- it: renders a StatefulSet http (with correct GITEA_INSTANCE_URL env from giteaRootURL) - it: renders a StatefulSet http (with correct GITEA_INSTANCE_URL env from giteaRootURL)
template: templates/statefulset.yaml template: templates/statefulset.yaml
set: set:

75
values.yaml
View File

@ -1,5 +1,4 @@
# Configure Gitea Actions # Configure Gitea Actions
# - must enable persistence if the job is enabled
## @section Gitea Actions ## @section Gitea Actions
# #
## @param enabled Create an act runner StatefulSet. ## @param enabled Create an act runner StatefulSet.
@ -24,17 +23,6 @@
## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container ## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` ## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
## @param statefulset.persistence.size Size for persistence to store act runner data ## @param statefulset.persistence.size Size for persistence to store act runner data
## @param provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
## @param provisioning.annotations Job's annotations
## @param provisioning.labels Job's labels
## @param provisioning.resources Job's resources
## @param provisioning.nodeSelector NodeSelector for the job
## @param provisioning.tolerations Tolerations for the job
## @param provisioning.affinity Affinity for the job
## @param provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
## @param provisioning.publish.repository The image that can create the secret via kubectl
## @param provisioning.publish.tag The publish image tag that can create the secret
## @param provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
## @param existingSecret Secret that contains the token ## @param existingSecret Secret that contains the token
## @param existingSecretKey Secret key ## @param existingSecretKey Secret key
## @param giteaRootURL URL the act_runner registers and connect with ## @param giteaRootURL URL the act_runner registers and connect with
@ -84,23 +72,6 @@ init:
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
tag: "1.37.0" tag: "1.37.0"
provisioning:
enabled: false
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
publish:
repository: bitnami/kubectl
tag: 1.29.0
pullPolicy: IfNotPresent
ttlSecondsAfterFinished: 300
## Specify an existing token secret ## Specify an existing token secret
## ##
existingSecret: "" existingSecret: ""
@ -109,52 +80,6 @@ existingSecretKey: ""
## Specify the root URL of the Gitea instance ## Specify the root URL of the Gitea instance
giteaRootURL: "" giteaRootURL: ""
## @section Persistence
#
## @param persistence.enabled Enable persistent storage
## @param persistence.create Whether to create the persistentVolumeClaim for shared storage
## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created)
## @param persistence.claimName Use an existing claim to store repository information
## @param persistence.size Size for persistence to store repo information
## @param persistence.accessModes AccessMode for persistence
## @param persistence.labels Labels for the persistence volume claim to be created
## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim
## @param persistence.storageClass Name of the storage class to use
## @param persistence.subPath Subdirectory of the volume to mount at
## @param persistence.volumeName Name of persistent volume in PVC
persistence:
enabled: true
create: true
mount: true
claimName: gitea-shared-storage
size: 10Gi
accessModes:
- ReadWriteOnce
labels: {}
storageClass:
subPath:
volumeName: ""
annotations:
helm.sh/resource-policy: keep
## @section Image
## @param image.registry image registry, e.g. gcr.io,docker.io
## @param image.repository Image to start for this pod
## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml.
## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
## @param image.pullPolicy Image pull policy
## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher
## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
image:
registry: "docker.gitea.com"
repository: gitea
# Overrides the image tag whose default is the chart appVersion.
tag: ""
digest: ""
pullPolicy: IfNotPresent
rootless: true
fullOverride: ""
## @section Global ## @section Global
# #
## @param global.imageRegistry global image registry override ## @param global.imageRegistry global image registry override