volker.raschek/helm-gitea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor!: remove actions related files (#825)

Browse Source 
see #824

Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.com>
Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/825
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com>
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>
This commit is contained in:
pat-s
2025-03-31 07:47:23 +00:00
committed by pat-s
parent 356dd6e710
commit 6c5b42c482
23 changed files with 10 additions and 1176 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
README.md
View File

@ -47,7 +47,6 @@
- [Persistence](#persistence-1) - [Persistence](#persistence-1)
- [Init](#init) - [Init](#init)
- [Signing](#signing) - [Signing](#signing)
- [Gitea Actions](#gitea-actions)
- [Gitea](#gitea) - [Gitea](#gitea)
- [LivenessProbe](#livenessprobe) - [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe) - [ReadinessProbe](#readinessprobe)
@ -1069,44 +1068,6 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea Actions
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `actions.enabled` | Create an act runner StatefulSet. | `false` |
| `actions.init.image.repository` | The image used for the init containers | `busybox` |
| `actions.init.image.tag` | The image tag used for the init containers | `1.37.0` |
| `actions.statefulset.annotations` | Act runner annotations | `{}` |
| `actions.statefulset.labels` | Act runner labels | `{}` |
| `actions.statefulset.resources` | Act runner resources | `{}` |
| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` |
| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` |
| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` |
| `actions.statefulset.extraVolumes` | Extra volumes for the statefulset | `[]` |
| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` |
| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
| `actions.statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container | `[]` |
| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
| `actions.statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` |
| `actions.statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` |
| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` |
| `actions.provisioning.annotations` | Job's annotations | `{}` |
| `actions.provisioning.labels` | Job's labels | `{}` |
| `actions.provisioning.resources` | Job's resources | `{}` |
| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` |
| `actions.provisioning.tolerations` | Tolerations for the job | `[]` |
| `actions.provisioning.affinity` | Affinity for the job | `{}` |
| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` |
| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` |
| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` |
| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` |
| `actions.existingSecret` | Secret that contains the token | `""` |
| `actions.existingSecretKey` | Secret key | `""` |
### Gitea ### Gitea
| Name | Description | Value | | Name | Description | Value |

34
docs/actions-dev.md
View File

@ -1,34 +0,0 @@
# Gitea Actions
In order to use the Gitea Actions act-runner you must either:
- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
- create a secret containing the act runner token and reference it as a `existingSecret`
In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
`gitea actions generate-runner-token`
This command will out a token that is needed by the act-runner to register with the Gitea backend.
Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
2) `dind`: DockerInDocker image that is used to run the actions
If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
```yaml
actions:
provisioning:
enabled: false
existingSecret: "secret-name"
existingSecretKey: "secret-key"
```

6
templates/_helpers.tpl
View File

@ -345,9 +345,6 @@ https
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
{{- end -}} {{- end -}}
{{- if not .Values.gitea.config.actions.ENABLED -}}
{{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.inline_configuration.defaults.server" -}} {{- define "gitea.inline_configuration.defaults.server" -}}
@ -367,9 +364,6 @@ https
{{- if not .Values.gitea.config.server.ROOT_URL -}} {{- if not .Values.gitea.config.server.ROOT_URL -}}
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
{{- end -}} {{- end -}}
{{- if .Values.actions.enabled -}}
{{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
{{- end -}}
{{- if not .Values.gitea.config.server.SSH_DOMAIN -}} {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
{{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
{{- end -}} {{- end -}}

15
templates/gitea/act_runner/01-consistency-checks.yaml
View File

@ -1,15 +0,0 @@
{{- if .Values.actions.enabled -}}
{{- if .Values.actions.provisioning.enabled -}}
{{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
{{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
{{- end -}}
{{- if and .Values.persistence.enabled .Values.persistence.mount -}}
{{- if .Values.actions.existingSecret -}}
{{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
{{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
{{- end -}}
{{- end -}}

15
templates/gitea/act_runner/config-act-runner.yaml
View File

@ -1,15 +0,0 @@
{{- if .Values.actions.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitea.fullname" . }}-act-runner-config
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
data:
config.yaml: |
{{- with .Values.actions.statefulset.actRunner.config -}}
{{ . | nindent 4}}
{{- end -}}
{{- end }}

14
templates/gitea/act_runner/config-scripts.yaml
View File

@ -1,14 +0,0 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "gitea.fullname" . }}-scripts
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
data:
{{ (.Files.Glob "scripts/act_runner/*.sh").AsConfig | indent 2 }}
{{- end }}
{{- end }}

115
templates/gitea/act_runner/job.yaml
View File

@ -1,115 +0,0 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: token-job
annotations:
{{- with .Values.actions.provisioning.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
template:
metadata:
labels:
{{- include "gitea.labels" . | nindent 8 }}
{{- with .Values.actions.provisioning.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: token-job
spec:
initContainers:
- name: init-gitea
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
command:
- sh
- -c
- |
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
sleep 5
done
containers:
- name: actions-token-create
image: "{{ include "gitea.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
command:
- sh
- -c
- |
echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
mkdir -p /data/actions/
gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
resources:
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- name: data
mountPath: /data
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: actions-token-upload
image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
env:
- name: SECRET_NAME
value: {{ $secretName }}
command:
- sh
- -c
- |
printf "Checking rights to update kubernetes act_runner secret..."
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/token.sh
resources:
{{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
readOnly: true
- mountPath: /data
name: data
readOnly: true
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- range $key, $value := .Values.actions.provisioning.nodeSelector }}
nodeSelector:
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- with .Values.actions.provisioning.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.provisioning.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: scripts
configMap:
name: {{ include "gitea.fullname" . }}-scripts
defaultMode: 0755
- name: data
persistentVolumeClaim:
claimName: {{ .Values.persistence.claimName }}
parallelism: 1
completions: 1
backoffLimit: 1
{{- end }}
{{- end }}

26
templates/gitea/act_runner/role-job.yaml
View File

@ -1,26 +0,0 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
{{- end }}
{{- end }}

23
templates/gitea/act_runner/rolebinding-job.yaml
View File

@ -1,23 +0,0 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

20
templates/gitea/act_runner/secret-token.yaml
View File

@ -1,20 +0,0 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{ if $secret -}}
data:
token: {{ (b64dec (index $secret.data "token")) | b64enc }}
{{ end -}}
{{- end }}
{{- end }}

14
templates/gitea/act_runner/serviceaccount-job.yaml
View File

@ -1,14 +0,0 @@
{{- if .Values.actions.enabled }}
{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
app.kubernetes.io/component: token-job
{{- end }}
{{- end }}

129
templates/gitea/act_runner/statefulset.yaml
View File

@ -1,129 +0,0 @@
{{- if .Values.actions.enabled }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
{{- include "gitea.labels.actRunner" . | nindent 4 }}
{{- with .Values.actions.statefulset.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.actions.statefulset.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "gitea.fullname" . }}-act-runner
namespace: {{ .Values.namespace | default .Release.Namespace }}
spec:
selector:
matchLabels:
{{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/gitea/act_runner/config-act-runner.yaml") . | sha256sum }}
labels:
{{- include "gitea.labels.actRunner" . | nindent 8 }}
{{- with .Values.actions.statefulset.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
initContainers:
- name: init-gitea
image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
command:
- sh
- -c
- |
while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
sleep 5
done
containers:
- name: act-runner
image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
workingDir: /data
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/server
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "{{ .Values.actions.existingSecret | default $secretName }}"
key: "{{ .Values.actions.existingSecretKey | default "token" }}"
- name: GITEA_INSTANCE_URL
value: {{ include "gitea.act_runner.local_root_url" . }}
- name: CONFIG_FILE
value: /actrunner/config.yaml
resources:
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /actrunner/config.yaml
name: act-runner-config
subPath: config.yaml
- mountPath: /certs/server
name: docker-certs
- mountPath: /data
name: data-act-runner
{{- with .Values.actions.statefulset.actRunner.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: dind
image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/server
{{- if .Values.actions.statefulset.dind.extraEnvs }}
{{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
{{- end }}
securityContext:
privileged: true
resources:
{{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /certs/server
name: docker-certs
{{- with .Values.actions.statefulset.dind.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- range $key, $value := .Values.actions.statefulset.nodeSelector }}
nodeSelector:
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- with .Values.actions.statefulset.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.actions.statefulset.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: act-runner-config
configMap:
name: {{ include "gitea.fullname" . }}-act-runner-config
- name: docker-certs
emptyDir: {}
{{- with .Values.actions.statefulset.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeClaimTemplates:
- metadata:
name: data-act-runner
spec:
accessModes: [ "ReadWriteOnce" ]
{{- include "gitea.persistence.storageClass" . | nindent 8 }}
resources:
requests:
storage: 1Mi
{{- end }}

69
unittests/helm/act_runner/01-consistency-checks.yaml
View File

@ -1,69 +0,0 @@
suite: actions template | consistency checks
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/01-consistency-checks.yaml
tests:
- it: fails when provisioning is enabled BUT persistence is completely disabled
set:
persistence:
enabled: false
actions:
enabled: true
provisioning:
enabled: true
asserts:
- failedTemplate:
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
set:
persistence:
enabled: true
mount: false
actions:
enabled: true
provisioning:
enabled: true
asserts:
- failedTemplate:
errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- it: fails when provisioning is enabled AND existingSecret is given
set:
actions:
enabled: true
provisioning:
enabled: true
existingSecret: "secret-reference"
asserts:
- failedTemplate:
errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
- it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
set:
actions:
enabled: true
provisioning:
enabled: false
asserts:
- failedTemplate:
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
- it: fails when provisioning is disabled BUT existingSecretKey is missing
set:
actions:
enabled: true
provisioning:
enabled: false
existingSecret: "my-secret"
asserts:
- failedTemplate:
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
- it: fails when provisioning is disabled BUT existingSecret is missing
set:
actions:
enabled: true
provisioning:
enabled: false
existingSecretKey: "my-secret-key"
asserts:
- failedTemplate:
errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"

45
unittests/helm/act_runner/config-act-runner.yaml
View File

@ -1,45 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: actions template | config-act-runner
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/config-act-runner.yaml
tests:
- it: doesn't renders a ConfigMap by default
template: templates/gitea/act_runner/config-act-runner.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a ConfigMap
template: templates/gitea/act_runner/config-act-runner.yaml
set:
actions:
enabled: true
statefulset:
actRunner:
config: |
log:
level: info
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: gitea-unittests-act-runner-config
- equal:
path: data["config.yaml"]
value: |
log:
level: info
cache:
enabled: false
runner:
labels:
- "ubuntu-latest"

49
unittests/helm/act_runner/config-scripts.yaml
View File

@ -1,49 +0,0 @@
suite: actions template | config-scripts
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/config-scripts.yaml
tests:
- it: renders a ConfigMap when all criteria are met
template: templates/gitea/act_runner/config-scripts.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: gitea-unittests-scripts
- isNotNullOrEmpty:
path: data["token.sh"]
- it: doesn't renders a ConfigMap by default
template: templates/gitea/act_runner/config-scripts.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
template: templates/gitea/act_runner/config-scripts.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
template: templates/gitea/act_runner/config-scripts.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

65
unittests/helm/act_runner/job.yaml
View File

@ -1,65 +0,0 @@
suite: actions template | job
release:
name: gitea-unittests
namespace: testing
chart:
# Override appVersion to have a pinned version for comparison
appVersion: 1.19.3
templates:
- templates/gitea/act_runner/job.yaml
tests:
- it: renders a Job
template: templates/gitea/act_runner/job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Job
apiVersion: batch/v1
name: gitea-unittests-actions-token-job
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.3-rootless"
- it: tag override
template: templates/gitea/act_runner/job.yaml
set:
image.tag: "1.19.4"
actions:
enabled: true
provisioning:
enabled: true
publish:
tag: "1.29.0"
persistence:
enabled: true
mount: true
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "docker.gitea.com/gitea:1.19.4-rootless"
- equal:
path: spec.template.spec.containers[1].image
value: "bitnami/kubectl:1.29.0"
- it: doesn't renders a Job by default
template: templates/gitea/act_runner/job.yaml
asserts:
- hasDocuments:
count: 0
- it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
template: templates/gitea/act_runner/job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
asserts:
- hasDocuments:
count: 0

42
unittests/helm/act_runner/role-job.yaml
View File

@ -1,42 +0,0 @@
suite: actions template | role-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/role-job.yaml
tests:
- it: doesn't renders a Role by default
template: templates/gitea/act_runner/role-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a Role
template: templates/gitea/act_runner/role-job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a Role when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/role-job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

42
unittests/helm/act_runner/rolebinding-job.yaml
View File

@ -1,42 +0,0 @@
suite: actions template | rolebinding-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/rolebinding-job.yaml
tests:
- it: doesn't renders a RoleBinding by default
template: templates/gitea/act_runner/rolebinding-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a RoleBinding
template: templates/gitea/act_runner/rolebinding-job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/rolebinding-job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

42
unittests/helm/act_runner/secret-token.yaml
View File

@ -1,42 +0,0 @@
suite: actions template | secret-token
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/secret-token.yaml
tests:
- it: doesn't renders a Secret by default
template: templates/gitea/act_runner/secret-token.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a Secret
template: templates/gitea/act_runner/secret-token.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-actions-token
- it: doesn't renders a Secret when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/secret-token.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

42
unittests/helm/act_runner/serviceaccount-job.yaml
View File

@ -1,42 +0,0 @@
suite: actions template | serviceaccount-job
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/serviceaccount-job.yaml
tests:
- it: doesn't renders a ServiceAccount by default
template: templates/gitea/act_runner/serviceaccount-job.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a ServiceAccount
template: templates/gitea/act_runner/serviceaccount-job.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceAccount
apiVersion: v1
name: gitea-unittests-actions-token-job
- it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
template: templates/gitea/act_runner/serviceaccount-job.yaml
set:
actions:
enabled: false
provisioning:
enabled: true
persistence:
enabled: true
mount: true
asserts:
- hasDocuments:
count: 0

182
unittests/helm/act_runner/statefulset.yaml
View File

@ -1,182 +0,0 @@
suite: actions template | statefulset
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/act_runner/statefulset.yaml
- templates/gitea/act_runner/config-act-runner.yaml
tests:
- it: doesn't renders a StatefulSet by default
template: templates/gitea/act_runner/statefulset.yaml
asserts:
- hasDocuments:
count: 0
- it: renders a StatefulSet (with given existingSecret/existingSecretKey)
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
existingSecret: "my-secret"
existingSecretKey: "my-secret-key"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[3]
value:
name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "my-secret"
key: "my-secret-key"
- it: renders a StatefulSet (with secret reference defaults for enabled provisioning)
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
provisioning:
enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[3]
value:
name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "gitea-unittests-actions-token"
key: "token"
- it: renders a StatefulSet (that tracks changes of the runner configuration as annotation)
template: templates/gitea/act_runner/statefulset.yaml
set:
image.tag: "1.22.3" # lock image tag to prevent test failures on future Gitea upgrades
actions:
enabled: true
existingSecret: "my-secret"
existingSecretKey: "my-secret-key"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.metadata.annotations["checksum/config"]
value: "2a2200e80fc29111d18b675789c265cd3d5f917754850f946f1ce3c55dcd65f8"
- it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
existingSecret: "my-secret"
existingSecretKey: "my-secret-key"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[4]
value:
name: GITEA_INSTANCE_URL
value: "http://gitea-unittests-http:3000"
- it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL)
template: templates/gitea/act_runner/statefulset.yaml
set:
gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
actions:
enabled: true
existingSecret: "my-secret"
existingSecretKey: "my-secret-key"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- equal:
path: spec.template.spec.containers[0].env[4]
value:
name: GITEA_INSTANCE_URL
value: "http://git.example.com"
- it: allows adding custom environment variables to the docker-in-docker container
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
statefulset:
dind:
extraEnvs:
- name: "CUSTOM_ENV_NAME"
value: "custom env value"
asserts:
- equal:
path: spec.template.spec.containers[1].env[3]
value:
name: "CUSTOM_ENV_NAME"
value: "custom env value"
- it: should mount an extra volume in the act runner container
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
statefulset:
extraVolumes:
- name: my-act-runner-volume
emptyDir: {}
actRunner:
extraVolumeMounts:
- mountPath: /mnt
name: my-act-runner-volume
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- contains:
any: true
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /mnt
name: my-act-runner-volume
- it: should mount an extra volume in the docker-in-docker container
template: templates/gitea/act_runner/statefulset.yaml
set:
actions:
enabled: true
statefulset:
extraVolumes:
- name: my-dind-volume
emptyDir: {}
dind:
extraVolumeMounts:
- mountPath: /mnt
name: my-dind-volume
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests-act-runner
- contains:
any: true
path: spec.template.spec.containers[1].volumeMounts
content:
mountPath: /mnt
name: my-dind-volume

57
unittests/helm/config/actions-config.yaml
View File

@ -5,57 +5,20 @@ release:
templates: templates:
- templates/gitea/config.yaml - templates/gitea/config.yaml
tests: tests:
- it: "actions are not enabled by default" - it: "actions are enabled by default (based on vanilla Gitea behavior)"
template: templates/gitea/config.yaml template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
notExists:
path: stringData.actions
- it: "actions can be disabled via inline config"
template: templates/gitea/config.yaml
set:
gitea.config.actions.ENABLED: false
asserts: asserts:
- documentIndex: 0 - documentIndex: 0
equal: equal:
path: stringData.actions path: stringData.actions
value: |- value: |-
ENABLED=false ENABLED=false
- it: "actions can be enabled via inline config"
template: templates/gitea/config.yaml
set:
gitea.config.actions.ENABLED: true
asserts:
- documentIndex: 0
equal:
path: stringData.actions
value: |-
ENABLED=true
- it: "actions can be enabled via dedicated values object"
template: templates/gitea/config.yaml
set:
actions:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.actions
value: |-
ENABLED=true
- it: "defines LOCAL_ROOT_URL when actions are enabled"
template: templates/gitea/config.yaml
set:
actions:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000
- it: "respects custom LOCAL_ROOT_URL, even when actions are enabled"
template: templates/gitea/config.yaml
set:
actions:
enabled: true
gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nLOCAL_ROOT_URL=http://git.example.com

101
values.yaml
View File

@ -348,107 +348,6 @@ signing:
# -----END PGP PRIVATE KEY BLOCK----- # -----END PGP PRIVATE KEY BLOCK-----
existingSecret: "" existingSecret: ""
# Configure Gitea Actions
# - must enable persistence if the job is enabled
## @section Gitea Actions
#
## @param actions.enabled Create an act runner StatefulSet.
## @param actions.init.image.repository The image used for the init containers
## @param actions.init.image.tag The image tag used for the init containers
## @param actions.statefulset.annotations Act runner annotations
## @param actions.statefulset.labels Act runner labels
## @param actions.statefulset.resources Act runner resources
## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
## @param actions.statefulset.tolerations Tolerations for the statefulset
## @param actions.statefulset.affinity Affinity for the statefulset
## @param actions.statefulset.extraVolumes Extra volumes for the statefulset
## @param actions.statefulset.actRunner.repository The Gitea act runner image
## @param actions.statefulset.actRunner.tag The Gitea act runner tag
## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
## @param actions.statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
## @param actions.statefulset.dind.repository The Docker-in-Docker image
## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
## @param actions.statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
## @param actions.provisioning.annotations Job's annotations
## @param actions.provisioning.labels Job's labels
## @param actions.provisioning.resources Job's resources
## @param actions.provisioning.nodeSelector NodeSelector for the job
## @param actions.provisioning.tolerations Tolerations for the job
## @param actions.provisioning.affinity Affinity for the job
## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
## @param actions.provisioning.publish.repository The image that can create the secret via kubectl
## @param actions.provisioning.publish.tag The publish image tag that can create the secret
## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
## @param actions.existingSecret Secret that contains the token
## @param actions.existingSecretKey Secret key
actions:
enabled: false
statefulset:
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
extraVolumes: []
actRunner:
repository: gitea/act_runner
tag: 0.2.11
pullPolicy: IfNotPresent
extraVolumeMounts: []
# See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
config: |
log:
level: debug
cache:
enabled: false
dind:
repository: docker
tag: 25.0.2-dind
pullPolicy: IfNotPresent
extraVolumeMounts: []
# If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
# See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456
extraEnvs: []
# - name: "DOCKER_IPTABLES_LEGACY"
# value: "1"
init:
image:
repository: busybox
# Overrides the image tag whose default is the chart appVersion.
tag: "1.37.0"
provisioning:
enabled: false
annotations: {}
labels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
publish:
repository: bitnami/kubectl
tag: 1.29.0
pullPolicy: IfNotPresent
ttlSecondsAfterFinished: 300
## Specify an existing token secret
##
existingSecret: ""
existingSecretKey: ""
## @section Gitea ## @section Gitea
# #
gitea: gitea: