Support custom envs for Action DinD container (#722)

Follow-up to https://gitea.com/gitea/helm-chart/pulls/666.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/722
Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Co-committed-by: justusbunsi <sk.bunsenbrenner@gmail.com>

Chart.yaml

@@ -4,7 +4,7 @@ description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
 # renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$
-appVersion: 1.22.2
+appVersion: 1.22.3
 icon: https://gitea.com/assets/img/logo.svg
 
 keywords:

README.md

@@ -45,6 +45,7 @@
   - [Persistence](#persistence-1)
   - [Init](#init)
   - [Signing](#signing)
+  - [Gitea Actions](#gitea-actions)
   - [Gitea](#gitea)
   - [LivenessProbe](#livenessprobe)
   - [ReadinessProbe](#readinessprobe)
@@ -420,6 +421,9 @@ gitea:
 
 postgresql:
   enabled: false
+
+postgresql-ha:
+  enabled: false
 ```
 
 ### Ports and external url
@@ -852,13 +856,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 
 ### Global
 
-| Name                      | Description                                                               | Value |
-| ------------------------- | ------------------------------------------------------------------------- | ----- |
-| `global.imageRegistry`    | global image registry override                                            | `""`  |
-| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
-| `global.storageClass`     | global storage class override                                             | `""`  |
-| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
-| `replicaCount`            | number of replicas for the deployment                                     | `1`   |
+| Name                      | Description                                                                                    | Value |
+| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry`    | global image registry override                                                                 | `""`  |
+| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets`                      | `[]`  |
+| `global.storageClass`     | global storage class override                                                                  | `""`  |
+| `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files                                | `[]`  |
+| `namespace`               | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""`  |
+| `replicaCount`            | number of replicas for the deployment                                                          | `1`   |
 
 ### strategy
 
@@ -979,6 +984,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `persistence.storageClass`                        | Name of the storage class to use                                                                      | `nil`                  |
 | `persistence.subPath`                             | Subdirectory of the volume to mount at                                                                | `nil`                  |
 | `persistence.volumeName`                          | Name of persistent volume in PVC                                                                      | `""`                   |
+| `extraContainers`                                 | Additional sidecar containers to run in the pod                                                       | `[]`                   |
 | `extraVolumes`                                    | Additional volumes to mount to the Gitea deployment                                                   | `[]`                   |
 | `extraContainerVolumeMounts`                      | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]`                   |
 | `extraInitVolumeMounts`                           | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.    | `[]`                   |
@@ -1002,6 +1008,41 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |
 
+### Gitea Actions
+
+| Name                                           | Description                                                                                                                                 | Value                          |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `actions.enabled`                              | Create an act runner StatefulSet.                                                                                                           | `false`                        |
+| `actions.init.image.repository`                | The image used for the init containers                                                                                                      | `busybox`                      |
+| `actions.init.image.tag`                       | The image tag used for the init containers                                                                                                  | `1.36.1`                       |
+| `actions.statefulset.annotations`              | Act runner annotations                                                                                                                      | `{}`                           |
+| `actions.statefulset.labels`                   | Act runner labels                                                                                                                           | `{}`                           |
+| `actions.statefulset.resources`                | Act runner resources                                                                                                                        | `{}`                           |
+| `actions.statefulset.nodeSelector`             | NodeSelector for the statefulset                                                                                                            | `{}`                           |
+| `actions.statefulset.tolerations`              | Tolerations for the statefulset                                                                                                             | `[]`                           |
+| `actions.statefulset.affinity`                 | Affinity for the statefulset                                                                                                                | `{}`                           |
+| `actions.statefulset.actRunner.repository`     | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `actions.statefulset.actRunner.tag`            | The Gitea act runner tag                                                                                                                    | `0.2.11`                       |
+| `actions.statefulset.actRunner.pullPolicy`     | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.actRunner.config`         | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
+| `actions.statefulset.dind.repository`          | The Docker-in-Docker image                                                                                                                  | `docker`                       |
+| `actions.statefulset.dind.tag`                 | The Docker-in-Docker image tag                                                                                                              | `25.0.2-dind`                  |
+| `actions.statefulset.dind.pullPolicy`          | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `actions.statefulset.dind.extraEnvs`           | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
+| `actions.provisioning.enabled`                 | Create a job that will create and save the token in a Kubernetes Secret                                                                     | `false`                        |
+| `actions.provisioning.annotations`             | Job's annotations                                                                                                                           | `{}`                           |
+| `actions.provisioning.labels`                  | Job's labels                                                                                                                                | `{}`                           |
+| `actions.provisioning.resources`               | Job's resources                                                                                                                             | `{}`                           |
+| `actions.provisioning.nodeSelector`            | NodeSelector for the job                                                                                                                    | `{}`                           |
+| `actions.provisioning.tolerations`             | Tolerations for the job                                                                                                                     | `[]`                           |
+| `actions.provisioning.affinity`                | Affinity for the job                                                                                                                        | `{}`                           |
+| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed                                          | `300`                          |
+| `actions.provisioning.publish.repository`      | The image that can create the secret via kubectl                                                                                            | `bitnami/kubectl`              |
+| `actions.provisioning.publish.tag`             | The publish image tag that can create the secret                                                                                            | `1.29.0`                       |
+| `actions.provisioning.publish.pullPolicy`      | The publish image pullPolicy that can create the secret                                                                                     | `IfNotPresent`                 |
+| `actions.existingSecret`                       | Secret that contains the token                                                                                                              | `""`                           |
+| `actions.existingSecretKey`                    | Secret key                                                                                                                                  | `""`                           |
+
 ### Gitea
 
 | Name                                         | Description                                                                                                                    | Value                |

readme-actions-dev.md

@@ -0,0 +1,34 @@
+# Gitea Actions
+
+In order to use the Gitea Actions act-runner you must either:
+
+- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
+- create a secret containing the act runner token and reference it as a `existingSecret`
+
+In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
+    `gitea actions generate-runner-token`
+
+This command will out a token that is needed by the act-runner to register with the Gitea backend.
+
+Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
+
+1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
+2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
+the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
+
+After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
+
+1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
+2) `dind`: DockerInDocker image that is used to run the actions
+
+If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
+In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
+the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
+
+```yaml
+actions:
+  provisioning:
+    enabled: false
+  existingSecret: "secret-name"
+  existingSecretKey: "secret-key"
+```

scripts/token.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+timeout_delay=15
+
+check_token() {
+  set +e
+
+  echo "Checking for existing token..."
+  token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$token" ] && return 2
+  return 0
+}
+
+create_token() {
+  echo "Waiting for new token to be generated..."
+  begin=$(date +%s)
+  end=$((begin + timeout_delay))
+  while true; do
+    [ -f /data/actions/token ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_token() {
+  echo "Storing the token in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}"
+}
+
+if check_token; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_token; then
+  echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay"
+  exit 1
+fi
+
+store_token

templates/_helpers.tpl

@@ -25,6 +25,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create a default worker name.
+*/}}
+{{- define "gitea.workername" -}}
+{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -92,6 +99,15 @@ version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
+{{- define "gitea.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.chart" . }}
+app: {{ include "gitea.name" . }}-act-runner
+{{ include "gitea.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
 {{/*
 Selector labels
 */}}
@@ -100,6 +116,11 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
+{{- define "gitea.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{- define "postgresql-ha.dns" -}}
 {{- if (index .Values "postgresql-ha").enabled -}}
 {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
@@ -199,6 +220,15 @@ https
 {{- end -}}
 {{- end -}}
 
+{{- define "gitea.act_runner.local_root_url" -}}
+{{- if not .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+    {{- printf "http://%s-http:%.0f" (include "gitea.fullname" .) .Values.service.http.port -}}
+{{- else -}}
+  {{/* fallback for allowing to overwrite this value via inline config */}}
+  {{- .Values.gitea.config.server.LOCAL_ROOT_URL -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.inline_configuration" -}}
   {{- include "gitea.inline_configuration.init" . -}}
   {{- include "gitea.inline_configuration.defaults" . -}}
@@ -263,6 +293,9 @@ https
   {{- if not (hasKey .Values.gitea.config "indexer") -}}
     {{- $_ := set .Values.gitea.config "indexer" dict -}}
   {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "actions") -}}
+    {{- $_ := set .Values.gitea.config "actions" dict -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults" -}}
@@ -309,6 +342,9 @@ https
   {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
      {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
   {{- end -}}
+  {{- if not .Values.gitea.config.actions.ENABLED -}}
+     {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}}
+  {{- end -}}
 {{- end -}}
 
 {{- define "gitea.inline_configuration.defaults.server" -}}
@@ -328,6 +364,9 @@ https
   {{- if not .Values.gitea.config.server.ROOT_URL -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
   {{- end -}}
+  {{- if .Values.actions.enabled -}}
+     {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}}
+  {{- end -}}
   {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
     {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
   {{- end -}}
@@ -408,3 +447,21 @@ https
 {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
 {{- end -}}
 {{- end -}}
+
+{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}}
+{{- define "gitea.deployment.probe" -}}
+  {{- $probe := unset . "enabled" -}}
+  {{- $probeKeys := keys $probe -}}
+  {{- $containsCustomMethod := false -}}
+  {{- $chartDefaultMethod := "tcpSocket" -}}
+  {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}}
+  {{- range $probeKeys -}}
+    {{- if has . $nonChartDefaultMethods -}}
+      {{- $containsCustomMethod = true -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if $containsCustomMethod -}}
+    {{- $probe = unset . $chartDefaultMethod -}}
+  {{- end -}}
+  {{- toYaml $probe -}}
+{{- end -}}

templates/gitea/act_runner/01-consistency-checks.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.actions.enabled -}}
+    {{- if .Values.actions.provisioning.enabled -}}
+        {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
+            {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
+        {{- end -}}
+        {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
+            {{- if .Values.actions.existingSecret -}}
+                {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
+            {{- end -}}
+        {{- end -}}
+    {{- end -}}
+    {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
+        {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
+    {{- end -}}
+{{- end -}}

templates/gitea/act_runner/config-act-runner.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.actions.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-act-runner-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- with .Values.actions.statefulset.actRunner.config -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+{{- end }}

templates/gitea/act_runner/config-scripts.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.fullname" . }}-scripts
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/job.yaml

@@ -0,0 +1,114 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    {{- with .Values.actions.provisioning.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: token-job
+  annotations:
+    {{- with .Values.actions.provisioning.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels" . | nindent 8 }}
+        {{- with .Values.actions.provisioning.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        app.kubernetes.io/component: token-job
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: actions-token-create
+          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+          command:
+            - sh
+            - -c
+            - |
+              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
+              mkdir -p /data/actions/
+              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+        - name: actions-token-upload
+          image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
+          imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
+          env:
+            - name: SECRET_NAME
+              value: {{ $secretName }}
+          command:
+            - sh
+            - -c
+            - |
+              printf "Checking rights to update kubernetes act_runner secret..."
+              kubectl auth can-i update secret/${SECRET_NAME}
+              /scripts/token.sh
+          resources:
+            {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+              readOnly: true
+            - mountPath: /data
+              name: data
+              readOnly: true
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+      {{- with .Values.actions.provisioning.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.provisioning.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      serviceAccount: {{ $name }}
+      volumes:
+        - name: scripts
+          configMap:
+            name: {{ include "gitea.fullname" . }}-scripts
+            defaultMode: 0755
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.claimName }}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
+{{- end }}
+{{- end }}

templates/gitea/act_runner/role-job.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ $secretName }}
+    verbs:
+      - get
+      - update
+      - patch
+{{- end }}
+{{- end }}

templates/gitea/act_runner/rolebinding-job.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/secret-token.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ if $secret -}}
+data:
+  token: {{ (b64dec (index $secret.data "token")) | b64enc }}
+{{ end -}}
+{{- end }}
+{{- end }}

templates/gitea/act_runner/serviceaccount-job.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.actions.enabled }}
+{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+    app.kubernetes.io/component: token-job
+{{- end }}
+{{- end }}

templates/gitea/act_runner/statefulset.yaml

@@ -0,0 +1,117 @@
+{{- if .Values.actions.enabled }}
+{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.labels.actRunner" . | nindent 4 }}
+    {{- with .Values.actions.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.actions.statefulset.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "gitea.fullname" . }}-act-runner
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.labels.actRunner" . | nindent 8 }}
+        {{- with .Values.actions.statefulset.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.actions.existingSecret | default $secretName }}"
+                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
+            - name: GITEA_INSTANCE_URL
+              value: {{ include "gitea.act_runner.local_root_url" . }}
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+        - name: dind
+          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            {{- if .Values.actions.statefulset.dind.extraEnvs }}
+            {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          resources:
+            {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+      {{- with .Values.actions.statefulset.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.actions.statefulset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "gitea.persistence.storageClass" . | nindent 8 }}
+        resources:
+          requests:
+            storage: 1Mi
+{{- end }}

templates/gitea/config.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@@ -12,6 +13,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque

templates/gitea/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   annotations:
     {{- if .Values.deployment.annotations }}
     {{- toYaml .Values.deployment.annotations | nindent 4 }}
@@ -311,15 +312,15 @@ spec:
             {{- end }}
           {{- if .Values.gitea.livenessProbe.enabled }}
           livenessProbe:
-            {{- toYaml (omit .Values.gitea.livenessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }}
           {{- end }}
           {{- if .Values.gitea.readinessProbe.enabled }}
           readinessProbe:
-            {{- toYaml (omit .Values.gitea.readinessProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }}
           {{- end }}
           {{- if .Values.gitea.startupProbe.enabled }}
           startupProbe:
-            {{- toYaml (omit .Values.gitea.startupProbe "enabled") | nindent 12 }}
+            {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }}
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -339,6 +340,9 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
       {{- with .Values.global.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}
@@ -402,4 +406,4 @@ spec:
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}
-  {{- end }}
+  {{- end }}

templates/gitea/gpg-secret.yaml

@@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque

templates/gitea/http-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.http.labels }}

templates/gitea/ingress.yaml

@@ -13,6 +13,7 @@ apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:

templates/gitea/init.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque

templates/gitea/poddisruptionbudget.yaml

@@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:

templates/gitea/pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
   labels:

templates/gitea/serviceaccount.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}

templates/gitea/servicemonitor.yaml

@@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}

templates/gitea/ssh-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.ssh.labels }}

templates/tests/test-http-connection.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: "{{ include "gitea.fullname" . }}-test-connection"
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels:
 {{ include "gitea.labels" . | nindent 4 }}
   annotations:

unittests/act_runner/01-consistency-checks.yaml

@@ -0,0 +1,69 @@
+suite: actions template | consistency checks
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/01-consistency-checks.yaml
+tests:
+  - it: fails when provisioning is enabled BUT persistence is completely disabled
+    set:
+      persistence:
+        enabled: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
+    set:
+      persistence:
+        enabled: true
+        mount: false
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
+  - it: fails when provisioning is enabled AND existingSecret is given
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+        existingSecret: "secret-reference"
+    asserts:
+      - failedTemplate:
+          errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
+  - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecretKey is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecret: "my-secret"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
+  - it: fails when provisioning is disabled BUT existingSecret is missing
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: false
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - failedTemplate:
+          errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"

unittests/act_runner/config-act-runner.yaml

@@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: actions template | config-act-runner
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-act-runner.yaml
+tests:
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ConfigMap
+    template: templates/gitea/act_runner/config-act-runner.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          actRunner:
+            config: |
+              log:
+                level: info
+              cache:
+                enabled: false
+              runner:
+                labels:
+                  - "ubuntu-latest"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-act-runner-config
+      - equal:
+          path: data["config.yaml"]
+          value: |
+            log:
+              level: info
+            cache:
+              enabled: false
+            runner:
+              labels:
+                - "ubuntu-latest"

unittests/act_runner/config-scripts.yaml

@@ -0,0 +1,49 @@
+suite: actions template | config-scripts
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/config-scripts.yaml
+tests:
+  - it: renders a ConfigMap when all criteria are met
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-scripts
+      - isNotNullOrEmpty:
+          path: data["token.sh"]
+  - it: doesn't renders a ConfigMap by default
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
+    template: templates/gitea/act_runner/config-scripts.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
+    template: templates/gitea/act_runner/config-scripts.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/act_runner/job.yaml

@@ -0,0 +1,65 @@
+suite: actions template | job
+release:
+  name: gitea-unittests
+  namespace: testing
+chart:
+  # Override appVersion to have a pinned version for comparison
+  appVersion: 1.19.3
+templates:
+  - templates/gitea/act_runner/job.yaml
+tests:
+  - it: renders a Job
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Job
+          apiVersion: batch/v1
+          name: gitea-unittests-actions-token-job
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.3-rootless"
+  - it: tag override
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      image.tag: "1.19.4"
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+          publish:
+            tag: "1.29.0"
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "gitea/gitea:1.19.4-rootless"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "bitnami/kubectl:1.29.0"
+  - it: doesn't renders a Job by default
+    template: templates/gitea/act_runner/job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
+    template: templates/gitea/act_runner/job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/act_runner/role-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | role-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/role-job.yaml
+tests:
+  - it: doesn't renders a Role by default
+    template: templates/gitea/act_runner/role-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Role
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Role
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a Role when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/role-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/act_runner/rolebinding-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | rolebinding-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/rolebinding-job.yaml
+tests:
+  - it: doesn't renders a RoleBinding by default
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a RoleBinding
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: RoleBinding
+          apiVersion: rbac.authorization.k8s.io/v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/rolebinding-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/act_runner/secret-token.yaml

@@ -0,0 +1,42 @@
+suite: actions template | secret-token
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/secret-token.yaml
+tests:
+  - it: doesn't renders a Secret by default
+    template: templates/gitea/act_runner/secret-token.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a Secret
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: gitea-unittests-actions-token
+  - it: doesn't renders a Secret when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/secret-token.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/act_runner/serviceaccount-job.yaml

@@ -0,0 +1,42 @@
+suite: actions template | serviceaccount-job
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/serviceaccount-job.yaml
+tests:
+  - it: doesn't renders a ServiceAccount by default
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a ServiceAccount
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ServiceAccount
+          apiVersion: v1
+          name: gitea-unittests-actions-token-job
+  - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
+    template: templates/gitea/act_runner/serviceaccount-job.yaml
+    set:
+      actions:
+        enabled: false
+        provisioning:
+          enabled: true
+      persistence:
+        enabled: true
+        mount: true
+    asserts:
+      - hasDocuments:
+          count: 0

unittests/act_runner/statefulset.yaml

@@ -0,0 +1,111 @@
+suite: actions template | statefulset
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/act_runner/statefulset.yaml
+tests:
+  - it: doesn't renders a StatefulSet by default
+    template: templates/gitea/act_runner/statefulset.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: renders a StatefulSet (with given existingSecret/existingSecretKey)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "my-secret"
+                key: "my-secret-key"
+  - it: renders a StatefulSet (with secret reference defaults for enabled provisioning)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        provisioning:
+          enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[3]
+          value:
+            name: GITEA_RUNNER_REGISTRATION_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: "gitea-unittests-actions-token"
+                key: "token"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://gitea-unittests-http:3000"
+  - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL)
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+      actions:
+        enabled: true
+        existingSecret: "my-secret"
+        existingSecretKey: "my-secret-key"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: GITEA_INSTANCE_URL
+            value: "http://git.example.com"
+  - it: allows adding custom environment variables to the docker-in-docker container
+    template: templates/gitea/act_runner/statefulset.yaml
+    set:
+      actions:
+        enabled: true
+        statefulset:
+          dind:
+            extraEnvs:
+              - name: "CUSTOM_ENV_NAME"
+                value: "custom env value"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].env[3]
+          value:
+            name: "CUSTOM_ENV_NAME"
+            value: "custom env value"

unittests/config/actions-config.yaml

@@ -0,0 +1,61 @@
+suite: config template | actions config
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/config.yaml
+tests:
+  - it: "actions are not enabled by default"
+    template: templates/gitea/config.yaml
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=false
+
+  - it: "actions can be enabled via inline config"
+    template: templates/gitea/config.yaml
+    set:
+      gitea.config.actions.ENABLED: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "actions can be enabled via dedicated values object"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.actions
+          value: |-
+            ENABLED=true
+
+  - it: "defines LOCAL_ROOT_URL when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000
+
+  - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled"
+    template: templates/gitea/config.yaml
+    set:
+      actions:
+        enabled: true
+      gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com"
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: stringData.server
+          pattern: \nLOCAL_ROOT_URL=http://git.example.com

unittests/deployment/probes.yaml

@@ -0,0 +1,188 @@
+suite: deployment template (probes)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: renders default liveness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 200
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: renders default readiness probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 3
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+  - it: does not render a default startup probe
+    template: templates/gitea/deployment.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe
+  - it: allows enabling a startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea.startupProbe.enabled: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.enabled
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 10
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+
+  - it: allows overwriting the default port of the liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows overwriting the default port of the startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          tcpSocket:
+            port: my-port
+    asserts:
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            tcpSocket:
+              port: my-port
+
+  - it: allows using a non-default method as liveness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        livenessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].livenessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].livenessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as readiness probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        readinessProbe:
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].readinessProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].readinessProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372
+
+  - it: allows using a non-default method as startup probe
+    template: templates/gitea/deployment.yaml
+    set:
+      gitea:
+        startupProbe:
+          enabled: true
+          httpGet:
+            path: /api/healthz
+            port: http
+          initialDelaySeconds: 13371
+          timeoutSeconds: 13372
+          periodSeconds: 13373
+          successThreshold: 13374
+          failureThreshold: 13375
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].startupProbe.tcpSocket
+      - isSubset:
+          path: spec.template.spec.containers[0].startupProbe
+          content:
+            failureThreshold: 13375
+            initialDelaySeconds: 13371
+            periodSeconds: 13373
+            successThreshold: 13374
+            httpGet:
+              path: /api/healthz
+              port: http
+            timeoutSeconds: 13372

unittests/deployment/sidecar-container.yaml

@@ -0,0 +1,21 @@
+suite: sidecar container
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: supports adding a sidecar container
+    template: templates/gitea/deployment.yaml
+    set:
+      extraContainers:
+        - name: sidecar-bob
+          image: busybox
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[1].name
+          value: "sidecar-bob"
+      - equal:
+          path: spec.template.spec.containers[1].image
+          value: "busybox"

values.yaml

@@ -20,6 +20,9 @@ global:
   #   hostnames:
   #   - example.com
 
+## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified
+namespace: ""
+
 ## @param replicaCount number of replicas for the deployment
 replicaCount: 1
 
@@ -280,6 +283,12 @@ persistence:
   annotations:
     helm.sh/resource-policy: keep
 
+## @param extraContainers Additional sidecar containers to run in the pod
+extraContainers: []
+#  - name: sidecar-bob
+#    image: busybox
+#    command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400']
+
 ## @param extraVolumes Additional volumes to mount to the Gitea deployment
 extraVolumes: []
 # - name: postgres-ssl-vol
@@ -339,6 +348,102 @@ signing:
   #   -----END PGP PRIVATE KEY BLOCK-----
   existingSecret: ""
 
+# Configure Gitea Actions
+# - must enable persistence if the job is enabled
+## @section Gitea Actions
+#
+## @param actions.enabled Create an act runner StatefulSet.
+## @param actions.init.image.repository The image used for the init containers
+## @param actions.init.image.tag The image tag used for the init containers
+## @param actions.statefulset.annotations Act runner annotations
+## @param actions.statefulset.labels Act runner labels
+## @param actions.statefulset.resources Act runner resources
+## @param actions.statefulset.nodeSelector NodeSelector for the statefulset
+## @param actions.statefulset.tolerations Tolerations for the statefulset
+## @param actions.statefulset.affinity Affinity for the statefulset
+## @param actions.statefulset.actRunner.repository The Gitea act runner image
+## @param actions.statefulset.actRunner.tag The Gitea act runner tag
+## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
+## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
+## @param actions.statefulset.dind.repository The Docker-in-Docker image
+## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
+## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
+## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
+## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
+## @param actions.provisioning.annotations Job's annotations
+## @param actions.provisioning.labels Job's labels
+## @param actions.provisioning.resources Job's resources
+## @param actions.provisioning.nodeSelector NodeSelector for the job
+## @param actions.provisioning.tolerations Tolerations for the job
+## @param actions.provisioning.affinity Affinity for the job
+## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
+## @param actions.provisioning.publish.repository The image that can create the secret via kubectl
+## @param actions.provisioning.publish.tag The publish image tag that can create the secret
+## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
+## @param actions.existingSecret Secret that contains the token
+## @param actions.existingSecretKey Secret key
+actions:
+  enabled: false
+  statefulset:
+    annotations: {}
+    labels: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+
+    actRunner:
+      repository: gitea/act_runner
+      tag: 0.2.11
+      pullPolicy: IfNotPresent
+
+      config: |
+        log:
+          level: debug
+        cache:
+          enabled: false
+        runner:
+          labels:
+            - "ubuntu-latest"
+
+    dind:
+      repository: docker
+      tag: 25.0.2-dind
+      pullPolicy: IfNotPresent
+      # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
+      # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456
+      extraEnvs: []
+        #  - name: "DOCKER_IPTABLES_LEGACY"
+        #    value: "1"
+
+  init:
+    image:
+      repository: busybox
+      # Overrides the image tag whose default is the chart appVersion.
+      tag: "1.36.1"
+
+  provisioning:
+    enabled: false
+
+    annotations: {}
+    labels: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+
+    publish:
+      repository: bitnami/kubectl
+      tag: 1.29.0
+      pullPolicy: IfNotPresent
+
+    ttlSecondsAfterFinished: 300
+
+  ## Specify an existing token secret
+  ##
+  existingSecret: ""
+  existingSecretKey: ""
+
 ## @section Gitea
 #
 gitea: