From 6c5b42c48217da64500abc4b401af5baba3e2710 Mon Sep 17 00:00:00 2001 
From: pat-s Date: Mon, 31 Mar 2025 07:47:23 +0000 Subject: [PATCH] refactor!: remove actions related files (#825) see #824 Co-authored-by: justusbunsi Co-authored-by: justusbunsi Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/825 Reviewed-by: Lunny Xiao Reviewed-by: justusbunsi Co-authored-by: pat-s Co-committed-by: pat-s --- README.md | 39 ---- docs/actions-dev.md | 34 ---- templates/_helpers.tpl | 6 - .../act_runner/01-consistency-checks.yaml | 15 -- .../gitea/act_runner/config-act-runner.yaml | 15 -- .../gitea/act_runner/config-scripts.yaml | 14 -- templates/gitea/act_runner/job.yaml | 115 ----------- templates/gitea/act_runner/role-job.yaml | 26 --- .../gitea/act_runner/rolebinding-job.yaml | 23 --- templates/gitea/act_runner/secret-token.yaml | 20 -- .../gitea/act_runner/serviceaccount-job.yaml | 14 -- templates/gitea/act_runner/statefulset.yaml | 129 ------------- .../act_runner/01-consistency-checks.yaml | 69 ------- .../helm/act_runner/config-act-runner.yaml | 45 ----- unittests/helm/act_runner/config-scripts.yaml | 49 ----- unittests/helm/act_runner/job.yaml | 65 ------- unittests/helm/act_runner/role-job.yaml | 42 ---- .../helm/act_runner/rolebinding-job.yaml | 42 ---- unittests/helm/act_runner/secret-token.yaml | 42 ---- .../helm/act_runner/serviceaccount-job.yaml | 42 ---- unittests/helm/act_runner/statefulset.yaml | 182 ------------------ unittests/helm/config/actions-config.yaml | 57 +----- values.yaml | 101 ---------- 23 files changed, 10 insertions(+), 1176 deletions(-) delete mode 100644 docs/actions-dev.md delete mode 100644 templates/gitea/act_runner/01-consistency-checks.yaml delete mode 100644 templates/gitea/act_runner/config-act-runner.yaml delete mode 100644 templates/gitea/act_runner/config-scripts.yaml delete mode 100644 templates/gitea/act_runner/job.yaml delete mode 100644 templates/gitea/act_runner/role-job.yaml delete mode 100644 templates/gitea/act_runner/rolebinding-job.yaml delete mode 100644 
templates/gitea/act_runner/secret-token.yaml delete mode 100644 templates/gitea/act_runner/serviceaccount-job.yaml delete mode 100644 templates/gitea/act_runner/statefulset.yaml delete mode 100644 unittests/helm/act_runner/01-consistency-checks.yaml delete mode 100644 unittests/helm/act_runner/config-act-runner.yaml delete mode 100644 unittests/helm/act_runner/config-scripts.yaml delete mode 100644 unittests/helm/act_runner/job.yaml delete mode 100644 unittests/helm/act_runner/role-job.yaml delete mode 100644 unittests/helm/act_runner/rolebinding-job.yaml delete mode 100644 unittests/helm/act_runner/secret-token.yaml delete mode 100644 unittests/helm/act_runner/serviceaccount-job.yaml delete mode 100644 unittests/helm/act_runner/statefulset.yaml diff --git a/README.md b/README.md index 10fc981..9b6932e 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,6 @@ - [Persistence](#persistence-1) - [Init](#init) - [Signing](#signing) - - [Gitea Actions](#gitea-actions) - [Gitea](#gitea) - [LivenessProbe](#livenessprobe) - [ReadinessProbe](#readinessprobe) 
@@ -1069,44 +1068,6 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | -### Gitea Actions - -| Name | Description | Value | -| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `actions.enabled` | Create an act runner StatefulSet. | `false` | -| `actions.init.image.repository` | The image used for the init containers | `busybox` | -| `actions.init.image.tag` | The image tag used for the init containers | `1.37.0` | -| `actions.statefulset.annotations` | Act runner annotations | `{}` | -| `actions.statefulset.labels` | Act runner labels | `{}` | -| `actions.statefulset.resources` | Act runner resources | `{}` | -| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | -| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | -| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | -| `actions.statefulset.extraVolumes` | Extra volumes for the statefulset | `[]` | -| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` | -| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | -| `actions.statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container | `[]` | -| `actions.statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. 
See values.yaml` | -| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | -| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | -| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | -| `actions.statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` | -| `actions.statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | -| `actions.provisioning.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `actions.provisioning.annotations` | Job's annotations | `{}` | -| `actions.provisioning.labels` | Job's labels | `{}` | -| `actions.provisioning.resources` | Job's resources | `{}` | -| `actions.provisioning.nodeSelector` | NodeSelector for the job | `{}` | -| `actions.provisioning.tolerations` | Tolerations for the job | `[]` | -| `actions.provisioning.affinity` | Affinity for the job | `{}` | -| `actions.provisioning.ttlSecondsAfterFinished` | ttl for the job after finished in order to allow helm to properly recognize that the job completed | `300` | -| `actions.provisioning.publish.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `actions.provisioning.publish.tag` | The publish image tag that can create the secret | `1.29.0` | -| `actions.provisioning.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | -| `actions.existingSecret` | Secret that contains the token | `""` | -| `actions.existingSecretKey` | Secret key | `""` | - ### Gitea | Name | Description | Value | diff --git a/docs/actions-dev.md b/docs/actions-dev.md deleted file mode 100644 index a633ad3..0000000 --- a/docs/actions-dev.md +++ /dev/null 
@@ -1,34 +0,0 @@
-# Gitea Actions
-
-In order to use the Gitea Actions act-runner you must either:
-
-- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
-- create a secret containing the act runner token and reference it as a `existingSecret`
-
-In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
- `gitea actions generate-runner-token`
-
-This command will out a token that is needed by the act-runner to register with the Gitea backend.
-
-Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
-
-1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
-2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
-the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
-
-After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
-
-1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
-2) `dind`: DockerInDocker image that is used to run the actions
-
-If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
-In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
-the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
-
-```yaml
-actions:
- provisioning:
- enabled: false
- existingSecret: "secret-name"
- existingSecretKey: "secret-key"
-```
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 31e99bf..1bebf84 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -345,9 +345,6 @@ https {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} {{- end -}} - {{- if not .Values.gitea.config.actions.ENABLED -}} - {{- $_ := set .Values.gitea.config.actions "ENABLED" (ternary "true" "false" .Values.actions.enabled) -}} - {{- end -}} {{- end -}} {{- define "gitea.inline_configuration.defaults.server" -}} @@ -367,9 +364,6 @@ https {{- if not .Values.gitea.config.server.ROOT_URL -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- end -}} - {{- if .Values.actions.enabled -}} - {{- $_ := set .Values.gitea.config.server "LOCAL_ROOT_URL" (include "gitea.act_runner.local_root_url" .) -}} - {{- end -}} {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} {{- end -}} diff --git a/templates/gitea/act_runner/01-consistency-checks.yaml b/templates/gitea/act_runner/01-consistency-checks.yaml deleted file mode 100644 index 25ae556..0000000 --- a/templates/gitea/act_runner/01-consistency-checks.yaml +++ /dev/null 
@@ -1,15 +0,0 @@
-{{- if .Values.actions.enabled -}}
- {{- if .Values.actions.provisioning.enabled -}}
- {{- if not (and .Values.persistence.enabled .Values.persistence.mount) -}}
- {{- fail "persistence.enabled and persistence.mount are required when provisioning is enabled" -}}
- {{- end -}}
- {{- if and .Values.persistence.enabled .Values.persistence.mount -}}
- {{- if .Values.actions.existingSecret -}}
- {{- fail "Can't specify both actions.provisioning.enabled and actions.existingSecret" -}}
- {{- end -}}
- {{- end -}}
- {{- end -}}
- {{- if and (not .Values.actions.provisioning.enabled) (or (empty .Values.actions.existingSecret) (empty .Values.actions.existingSecretKey)) -}}
- {{- fail "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled" -}}
- {{- end -}}
-{{- end -}}
diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml
deleted file mode 100644
index 433fb69..0000000
--- a/templates/gitea/act_runner/config-act-runner.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.actions.enabled }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "gitea.fullname" . }}-act-runner-config
- namespace: {{ .Values.namespace | default .Release.Namespace }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
-data:
- config.yaml: |
- {{- with .Values.actions.statefulset.actRunner.config -}}
- {{ . | nindent 4}}
- {{- end -}}
-{{- end }}
diff --git a/templates/gitea/act_runner/config-scripts.yaml b/templates/gitea/act_runner/config-scripts.yaml
deleted file mode 100644
index 5c47763..0000000
--- a/templates/gitea/act_runner/config-scripts.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "gitea.fullname" . }}-scripts
- namespace: {{ .Values.namespace | default .Release.Namespace }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
-data:
-{{ (.Files.Glob "scripts/act_runner/*.sh").AsConfig | indent 2 }}
-{{- end }}
-{{- end }}
diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml
deleted file mode 100644
index 777eb77..0000000
--- a/templates/gitea/act_runner/job.yaml
+++ /dev/null
@@ -1,115 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ $name }}
- namespace: {{ .Values.namespace | default .Release.Namespace }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
- {{- with .Values.actions.provisioning.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- app.kubernetes.io/component: token-job
- annotations:
- {{- with .Values.actions.provisioning.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ttlSecondsAfterFinished: {{ .Values.actions.provisioning.ttlSecondsAfterFinished }}
- template:
- metadata:
- labels:
- {{- include "gitea.labels" . | nindent 8 }}
- {{- with .Values.actions.provisioning.labels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- app.kubernetes.io/component: token-job
- spec:
- initContainers:
- - name: init-gitea
- image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
- command:
- - sh
- - -c
- - |
- while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
- sleep 5
- done
- containers:
- - name: actions-token-create
- image: "{{ include "gitea.image" . }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- env:
- - name: GITEA_APP_INI
- value: /data/gitea/conf/app.ini
- command:
- - sh
- - -c
- - |
- echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
- mkdir -p /data/actions/
- gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
- resources:
- {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
- volumeMounts:
- - name: data
- mountPath: /data
- {{- if .Values.persistence.subPath }}
- subPath: {{ .Values.persistence.subPath }}
- {{- end }}
- - name: actions-token-upload
- image: "{{ .Values.actions.provisioning.publish.repository }}:{{ .Values.actions.provisioning.publish.tag }}"
- imagePullPolicy: {{ .Values.actions.provisioning.publish.pullPolicy }}
- env:
- - name: SECRET_NAME
- value: {{ $secretName }}
- command:
- - sh
- - -c
- - |
- printf "Checking rights to update kubernetes act_runner secret..."
- kubectl auth can-i update secret/${SECRET_NAME}
- /scripts/token.sh
- resources:
- {{- toYaml .Values.actions.provisioning.resources | nindent 12 }}
- volumeMounts:
- - mountPath: /scripts
- name: scripts
- readOnly: true
- - mountPath: /data
- name: data
- readOnly: true
- {{- if .Values.persistence.subPath }}
- subPath: {{ .Values.persistence.subPath }}
- {{- end }}
- {{- range $key, $value := .Values.actions.provisioning.nodeSelector }}
- nodeSelector:
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.actions.provisioning.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.actions.provisioning.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- restartPolicy: Never
- serviceAccount: {{ $name }}
- volumes:
- - name: scripts
- configMap:
- name: {{ include "gitea.fullname" . }}-scripts
- defaultMode: 0755
- - name: data
- persistentVolumeClaim:
- claimName: {{ .Values.persistence.claimName }}
- parallelism: 1
- completions: 1
- backoffLimit: 1
-{{- end }}
-{{- end }}
diff --git a/templates/gitea/act_runner/role-job.yaml b/templates/gitea/act_runner/role-job.yaml
deleted file mode 100644
index c2afa57..0000000
--- a/templates/gitea/act_runner/role-job.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ $name }}
- namespace: {{ .Values.namespace | default .Release.Namespace }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
- app.kubernetes.io/component: token-job
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- resourceNames:
- - {{ $secretName }}
- verbs:
- - get
- - update
- - patch
-{{- end }}
-{{- end }}
diff --git a/templates/gitea/act_runner/rolebinding-job.yaml b/templates/gitea/act_runner/rolebinding-job.yaml
deleted file mode 100644
index 1c67e84..0000000
--- a/templates/gitea/act_runner/rolebinding-job.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ $name }}
- namespace: {{ .Values.namespace | default .Release.Namespace }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
- app.kubernetes.io/component: token-job
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ $name }}
-subjects:
- - kind: ServiceAccount
- name: {{ $name }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-{{- end }}
diff --git a/templates/gitea/act_runner/secret-token.yaml b/templates/gitea/act_runner/secret-token.yaml
deleted file mode 100644
index bc3416b..0000000
--- a/templates/gitea/act_runner/secret-token.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ $secretName }}
- namespace: {{ .Values.namespace | default .Release.Namespace }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
- app.kubernetes.io/component: token-job
-{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
-{{ if $secret -}}
-data:
- token: {{ (b64dec (index $secret.data "token")) | b64enc }}
-{{ end -}}
-{{- end }}
-{{- end }}
diff --git a/templates/gitea/act_runner/serviceaccount-job.yaml b/templates/gitea/act_runner/serviceaccount-job.yaml
deleted file mode 100644
index dd39752..0000000
--- a/templates/gitea/act_runner/serviceaccount-job.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- if and (and .Values.actions.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
-{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ $name }}
- namespace: {{ .Values.namespace | default .Release.Namespace }}
- labels:
- {{- include "gitea.labels" . | nindent 4 }}
- app.kubernetes.io/component: token-job
-{{- end }}
-{{- end }}
diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml
deleted file mode 100644
index 72b4e19..0000000
--- a/templates/gitea/act_runner/statefulset.yaml
+++ /dev/null
@@ -1,129 +0,0 @@
-{{- if .Values.actions.enabled }}
-{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- labels:
- {{- include "gitea.labels.actRunner" . | nindent 4 }}
- {{- with .Values.actions.statefulset.labels }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- annotations:
- {{- with .Values.actions.statefulset.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- name: {{ include "gitea.fullname" . }}-act-runner
- namespace: {{ .Values.namespace | default .Release.Namespace }}
-spec:
- selector:
- matchLabels:
- {{- include "gitea.selectorLabels.actRunner" . | nindent 6 }}
- template:
- metadata:
- annotations:
- checksum/config: {{ include (print $.Template.BasePath "/gitea/act_runner/config-act-runner.yaml") . | sha256sum }}
- labels:
- {{- include "gitea.labels.actRunner" . | nindent 8 }}
- {{- with .Values.actions.statefulset.labels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- spec:
- initContainers:
- - name: init-gitea
- image: "{{ .Values.actions.init.image.repository }}:{{ .Values.actions.init.image.tag }}"
- command:
- - sh
- - -c
- - |
- while ! nc -z {{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}; do
- sleep 5
- done
- containers:
- - name: act-runner
- image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
- imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
- workingDir: /data
- env:
- - name: DOCKER_HOST
- value: tcp://127.0.0.1:2376
- - name: DOCKER_TLS_VERIFY
- value: "1"
- - name: DOCKER_CERT_PATH
- value: /certs/server
- - name: GITEA_RUNNER_REGISTRATION_TOKEN
- valueFrom:
- secretKeyRef:
- name: "{{ .Values.actions.existingSecret | default $secretName }}"
- key: "{{ .Values.actions.existingSecretKey | default "token" }}"
- - name: GITEA_INSTANCE_URL
- value: {{ include "gitea.act_runner.local_root_url" . }}
- - name: CONFIG_FILE
- value: /actrunner/config.yaml
- resources:
- {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
- volumeMounts:
- - mountPath: /actrunner/config.yaml
- name: act-runner-config
- subPath: config.yaml
- - mountPath: /certs/server
- name: docker-certs
- - mountPath: /data
- name: data-act-runner
- {{- with .Values.actions.statefulset.actRunner.extraVolumeMounts }}
- {{- toYaml . | nindent 12 }}
- {{- end }}
- - name: dind
- image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
- imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
- env:
- - name: DOCKER_HOST
- value: tcp://127.0.0.1:2376
- - name: DOCKER_TLS_VERIFY
- value: "1"
- - name: DOCKER_CERT_PATH
- value: /certs/server
- {{- if .Values.actions.statefulset.dind.extraEnvs }}
- {{- toYaml .Values.actions.statefulset.dind.extraEnvs | nindent 12 }}
- {{- end }}
- securityContext:
- privileged: true
- resources:
- {{- toYaml .Values.actions.statefulset.resources | nindent 12 }}
- volumeMounts:
- - mountPath: /certs/server
- name: docker-certs
- {{- with .Values.actions.statefulset.dind.extraVolumeMounts }}
- {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- range $key, $value := .Values.actions.statefulset.nodeSelector }}
- nodeSelector:
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- with .Values.actions.statefulset.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.actions.statefulset.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- volumes:
- - name: act-runner-config
- configMap:
- name: {{ include "gitea.fullname" . }}-act-runner-config
- - name: docker-certs
- emptyDir: {}
- {{- with .Values.actions.statefulset.extraVolumes }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- volumeClaimTemplates:
- - metadata:
- name: data-act-runner
- spec:
- accessModes: [ "ReadWriteOnce" ]
- {{- include "gitea.persistence.storageClass" . | nindent 8 }}
- resources:
- requests:
- storage: 1Mi
-{{- end }}
diff --git a/unittests/helm/act_runner/01-consistency-checks.yaml b/unittests/helm/act_runner/01-consistency-checks.yaml
deleted file mode 100644
index 1c30924..0000000
--- a/unittests/helm/act_runner/01-consistency-checks.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-suite: actions template | consistency checks
-release:
- name: gitea-unittests
- namespace: testing
-templates:
- - templates/gitea/act_runner/01-consistency-checks.yaml
-tests:
- - it: fails when provisioning is enabled BUT persistence is completely disabled
- set:
- persistence:
- enabled: false
- actions:
- enabled: true
- provisioning:
- enabled: true
- asserts:
- - failedTemplate:
- errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- - it: fails when provisioning is enabled BUT mount is disabled, although persistence is enabled
- set:
- persistence:
- enabled: true
- mount: false
- actions:
- enabled: true
- provisioning:
- enabled: true
- asserts:
- - failedTemplate:
- errorMessage: "persistence.enabled and persistence.mount are required when provisioning is enabled"
- - it: fails when provisioning is enabled AND existingSecret is given
- set:
- actions:
- enabled: true
- provisioning:
- enabled: true
- existingSecret: "secret-reference"
- asserts:
- - failedTemplate:
- errorMessage: "Can't specify both actions.provisioning.enabled and actions.existingSecret"
- - it: fails when provisioning is disabled BUT existingSecret and existingSecretKey are missing
- set:
- actions:
- enabled: true
- provisioning:
- enabled: false
- asserts:
- - failedTemplate:
- errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
- - it: fails when provisioning is disabled BUT existingSecretKey is missing
- set:
- actions:
- enabled: true
- provisioning:
- enabled: false
- existingSecret: "my-secret"
- asserts:
- - failedTemplate:
- errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
- - it: fails when provisioning is disabled BUT existingSecret is missing
- set:
- actions:
- enabled: true
- provisioning:
- enabled: false
- existingSecretKey: "my-secret-key"
- asserts:
- - failedTemplate:
- errorMessage: "actions.existingSecret and actions.existingSecretKey are required when provisioning is disabled"
diff --git a/unittests/helm/act_runner/config-act-runner.yaml b/unittests/helm/act_runner/config-act-runner.yaml
deleted file mode 100644
index 2cba6bc..0000000
--- a/unittests/helm/act_runner/config-act-runner.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
-suite: actions template | config-act-runner
-release:
- name: gitea-unittests
- namespace: testing
-templates:
- - templates/gitea/act_runner/config-act-runner.yaml
-tests:
- - it: doesn't renders a ConfigMap by default
- template: templates/gitea/act_runner/config-act-runner.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: renders a ConfigMap
- template: templates/gitea/act_runner/config-act-runner.yaml
- set:
- actions:
- enabled: true
- statefulset:
- actRunner:
- config: |
- log:
- level: info
- cache:
- enabled: false
- runner:
- labels:
- - "ubuntu-latest"
- asserts:
- - hasDocuments:
- count: 1
- - containsDocument:
- kind: ConfigMap
- apiVersion: v1
- name: gitea-unittests-act-runner-config
- - equal:
- path: data["config.yaml"]
- value: |
- log:
- level: info
- cache:
- enabled: false
- runner:
- labels:
- - "ubuntu-latest"
diff --git a/unittests/helm/act_runner/config-scripts.yaml b/unittests/helm/act_runner/config-scripts.yaml
deleted file mode 100644
index da6d9aa..0000000
--- a/unittests/helm/act_runner/config-scripts.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-suite: actions template | config-scripts
-release:
- name: gitea-unittests
- namespace: testing
-templates:
- - templates/gitea/act_runner/config-scripts.yaml
-tests:
- - it: renders a ConfigMap when all criteria are met
- template: templates/gitea/act_runner/config-scripts.yaml
- set:
- actions:
- enabled: true
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 1
- - containsDocument:
- kind: ConfigMap
- apiVersion: v1
- name: gitea-unittests-scripts
- - isNotNullOrEmpty:
- path: data["token.sh"]
- - it: doesn't renders a ConfigMap by default
- template: templates/gitea/act_runner/config-scripts.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: doesn't renders a ConfigMap with disabled actions but enabled provisioning
- template: templates/gitea/act_runner/config-scripts.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: doesn't renders a ConfigMap with disabled actions but otherwise met criteria
- template: templates/gitea/act_runner/config-scripts.yaml
- set:
- actions:
- enabled: false
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 0
diff --git a/unittests/helm/act_runner/job.yaml b/unittests/helm/act_runner/job.yaml
deleted file mode 100644
index a16d40d..0000000
--- a/unittests/helm/act_runner/job.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-suite: actions template | job
-release:
- name: gitea-unittests
- namespace: testing
-chart:
- # Override appVersion to have a pinned version for comparison
- appVersion: 1.19.3
-templates:
- - templates/gitea/act_runner/job.yaml
-tests:
- - it: renders a Job
- template: templates/gitea/act_runner/job.yaml
- set:
- actions:
- enabled: true
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 1
- - containsDocument:
- kind: Job
- apiVersion: batch/v1
- name: gitea-unittests-actions-token-job
- - equal:
- path: spec.template.spec.containers[0].image
- value: "docker.gitea.com/gitea:1.19.3-rootless"
- - it: tag override
- template: templates/gitea/act_runner/job.yaml
- set:
- image.tag: "1.19.4"
- actions:
- enabled: true
- provisioning:
- enabled: true
- publish:
- tag: "1.29.0"
- persistence:
- enabled: true
- mount: true
- asserts:
- - equal:
- path: spec.template.spec.containers[0].image
- value: "docker.gitea.com/gitea:1.19.4-rootless"
- - equal:
- path: spec.template.spec.containers[1].image
- value: "bitnami/kubectl:1.29.0"
- - it: doesn't renders a Job by default
- template: templates/gitea/act_runner/job.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: doesn't renders a Job when provisioning is enabled BUT actions are not enabled
- template: templates/gitea/act_runner/job.yaml
- set:
- actions:
- enabled: false
- provisioning:
- enabled: true
- asserts:
- - hasDocuments:
- count: 0
diff --git a/unittests/helm/act_runner/role-job.yaml b/unittests/helm/act_runner/role-job.yaml
deleted file mode 100644
index 8c511d8..0000000
--- a/unittests/helm/act_runner/role-job.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-suite: actions template | role-job
-release:
- name: gitea-unittests
- namespace: testing
-templates:
- - templates/gitea/act_runner/role-job.yaml
-tests:
- - it: doesn't renders a Role by default
- template: templates/gitea/act_runner/role-job.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: renders a Role
- template: templates/gitea/act_runner/role-job.yaml
- set:
- actions:
- enabled: true
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 1
- - containsDocument:
- kind: Role
- apiVersion: rbac.authorization.k8s.io/v1
- name: gitea-unittests-actions-token-job
- - it: doesn't renders a Role when criteria met BUT actions are not enabled
- template: templates/gitea/act_runner/role-job.yaml
- set:
- actions:
- enabled: false
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 0
diff --git a/unittests/helm/act_runner/rolebinding-job.yaml b/unittests/helm/act_runner/rolebinding-job.yaml
deleted file mode 100644
index 2073bfc..0000000
--- a/unittests/helm/act_runner/rolebinding-job.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-suite: actions template | rolebinding-job
-release:
- name: gitea-unittests
- namespace: testing
-templates:
- - templates/gitea/act_runner/rolebinding-job.yaml
-tests:
- - it: doesn't renders a RoleBinding by default
- template: templates/gitea/act_runner/rolebinding-job.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: renders a RoleBinding
- template: templates/gitea/act_runner/rolebinding-job.yaml
- set:
- actions:
- enabled: true
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 1
- - containsDocument:
- kind: RoleBinding
- apiVersion: rbac.authorization.k8s.io/v1
- name: gitea-unittests-actions-token-job
- - it: doesn't renders a RoleBinding when criteria met BUT actions are not enabled
- template: templates/gitea/act_runner/rolebinding-job.yaml
- set:
- actions:
- enabled: false
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 0
diff --git a/unittests/helm/act_runner/secret-token.yaml b/unittests/helm/act_runner/secret-token.yaml
deleted file mode 100644
index b5054f3..0000000
--- a/unittests/helm/act_runner/secret-token.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-suite: actions template | secret-token
-release:
- name: gitea-unittests
- namespace: testing
-templates:
- - templates/gitea/act_runner/secret-token.yaml
-tests:
- - it: doesn't renders a Secret by default
- template: templates/gitea/act_runner/secret-token.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: renders a Secret
- template: templates/gitea/act_runner/secret-token.yaml
- set:
- actions:
- enabled: true
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 1
- - containsDocument:
- kind: Secret
- apiVersion: v1
- name: gitea-unittests-actions-token
- - it: doesn't renders a Secret when criteria met BUT actions are not enabled
- template: templates/gitea/act_runner/secret-token.yaml
- set:
- actions:
- enabled: false
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 0
diff --git a/unittests/helm/act_runner/serviceaccount-job.yaml b/unittests/helm/act_runner/serviceaccount-job.yaml
deleted file mode 100644
index bf8f0c8..0000000
--- a/unittests/helm/act_runner/serviceaccount-job.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-suite: actions template | serviceaccount-job
-release:
- name: gitea-unittests
- namespace: testing
-templates:
- - templates/gitea/act_runner/serviceaccount-job.yaml
-tests:
- - it: doesn't renders a ServiceAccount by default
- template: templates/gitea/act_runner/serviceaccount-job.yaml
- asserts:
- - hasDocuments:
- count: 0
- - it: renders a ServiceAccount
- template: templates/gitea/act_runner/serviceaccount-job.yaml
- set:
- actions:
- enabled: true
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 1
- - containsDocument:
- kind: ServiceAccount
- apiVersion: v1
- name: gitea-unittests-actions-token-job
- - it: doesn't renders a ServiceAccount when criteria met BUT actions are not enabled
- template: templates/gitea/act_runner/serviceaccount-job.yaml
- set:
- actions:
- enabled: false
- provisioning:
- enabled: true
- persistence:
- enabled: true
- mount: true
- asserts:
- - hasDocuments:
- count: 0
diff --git a/unittests/helm/act_runner/statefulset.yaml b/unittests/helm/act_runner/statefulset.yaml
deleted file mode 100644
index 323fef6..0000000
--- a/unittests/helm/act_runner/statefulset.yaml
+++ /dev/null
@@ -1,182 +0,0 @@ -suite: actions template | statefulset -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/act_runner/statefulset.yaml - - templates/gitea/act_runner/config-act-runner.yaml -tests: - - it: doesn't renders a StatefulSet by default - template: templates/gitea/act_runner/statefulset.yaml - asserts: - - hasDocuments: - count: 0 - - it: renders a StatefulSet (with given existingSecret/existingSecretKey) - template: templates/gitea/act_runner/statefulset.yaml - set: - actions: - enabled: true - existingSecret: "my-secret" - existingSecretKey: "my-secret-key" - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests-act-runner - - equal: - path: spec.template.spec.containers[0].env[3] - value: - name: GITEA_RUNNER_REGISTRATION_TOKEN - valueFrom: - secretKeyRef: - name: "my-secret" - key: "my-secret-key" - - it: renders a StatefulSet (with secret reference defaults for enabled provisioning) - template: templates/gitea/act_runner/statefulset.yaml - set: - actions: - enabled: true - provisioning: - enabled: true - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests-act-runner - - equal: - path: spec.template.spec.containers[0].env[3] - value: - name: GITEA_RUNNER_REGISTRATION_TOKEN - valueFrom: - secretKeyRef: - name: "gitea-unittests-actions-token" - key: "token" - - it: renders a StatefulSet (that tracks changes of the runner configuration as annotation) - template: templates/gitea/act_runner/statefulset.yaml - set: - image.tag: "1.22.3" # lock image tag to prevent test failures on future Gitea upgrades - actions: - enabled: true - existingSecret: "my-secret" - existingSecretKey: "my-secret-key" - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests-act-runner - - equal: - path: 
spec.template.metadata.annotations["checksum/config"] - value: "2a2200e80fc29111d18b675789c265cd3d5f917754850f946f1ce3c55dcd65f8" - - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env with default act-runner specific LOCAL_ROOT_URL) - template: templates/gitea/act_runner/statefulset.yaml - set: - actions: - enabled: true - existingSecret: "my-secret" - existingSecretKey: "my-secret-key" - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests-act-runner - - equal: - path: spec.template.spec.containers[0].env[4] - value: - name: GITEA_INSTANCE_URL - value: "http://gitea-unittests-http:3000" - - it: renders a StatefulSet (with correct GITEA_INSTANCE_URL env from customized LOCAL_ROOT_URL) - template: templates/gitea/act_runner/statefulset.yaml - set: - gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" - actions: - enabled: true - existingSecret: "my-secret" - existingSecretKey: "my-secret-key" - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests-act-runner - - equal: - path: spec.template.spec.containers[0].env[4] - value: - name: GITEA_INSTANCE_URL - value: "http://git.example.com" - - it: allows adding custom environment variables to the docker-in-docker container - template: templates/gitea/act_runner/statefulset.yaml - set: - actions: - enabled: true - statefulset: - dind: - extraEnvs: - - name: "CUSTOM_ENV_NAME" - value: "custom env value" - asserts: - - equal: - path: spec.template.spec.containers[1].env[3] - value: - name: "CUSTOM_ENV_NAME" - value: "custom env value" - - it: should mount an extra volume in the act runner container - template: templates/gitea/act_runner/statefulset.yaml - set: - actions: - enabled: true - statefulset: - extraVolumes: - - name: my-act-runner-volume - emptyDir: {} - actRunner: - extraVolumeMounts: - - mountPath: /mnt - name: my-act-runner-volume - asserts: - - 
hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests-act-runner - - contains: - any: true - path: spec.template.spec.containers[0].volumeMounts - content: - mountPath: /mnt - name: my-act-runner-volume - - it: should mount an extra volume in the docker-in-docker container - template: templates/gitea/act_runner/statefulset.yaml - set: - actions: - enabled: true - statefulset: - extraVolumes: - - name: my-dind-volume - emptyDir: {} - dind: - extraVolumeMounts: - - mountPath: /mnt - name: my-dind-volume - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests-act-runner - - contains: - any: true - path: spec.template.spec.containers[1].volumeMounts - content: - mountPath: /mnt - name: my-dind-volume diff --git a/unittests/helm/config/actions-config.yaml b/unittests/helm/config/actions-config.yaml index ada9694..0b55280 100644 --- a/unittests/helm/config/actions-config.yaml +++ b/unittests/helm/config/actions-config.yaml 
@@ -5,57 +5,20 @@ release: templates: - templates/gitea/config.yaml tests: - - it: "actions are not enabled by default" + - it: "actions are enabled by default (based on vanilla Gitea behavior)" template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + notExists: + path: stringData.actions + + - it: "actions can be disabled via inline config" + template: templates/gitea/config.yaml + set: + gitea.config.actions.ENABLED: false asserts: - documentIndex: 0 equal: path: stringData.actions value: |- ENABLED=false - - - it: "actions can be enabled via inline config" - template: templates/gitea/config.yaml - set: - gitea.config.actions.ENABLED: true - asserts: - - documentIndex: 0 - equal: - path: stringData.actions - value: |- - ENABLED=true - - - it: "actions can be enabled via dedicated values object" - template: templates/gitea/config.yaml - set: - actions: - enabled: true - asserts: - - documentIndex: 0 - equal: - path: stringData.actions - value: |- - ENABLED=true - - - it: "defines LOCAL_ROOT_URL when actions are enabled" - template: templates/gitea/config.yaml - set: - actions: - enabled: true - asserts: - - documentIndex: 0 - matchRegex: - path: stringData.server - pattern: \nLOCAL_ROOT_URL=http://gitea-unittests-http:3000 - - - it: "respects custom LOCAL_ROOT_URL, even when actions are enabled" - template: templates/gitea/config.yaml - set: - actions: - enabled: true - gitea.config.server.LOCAL_ROOT_URL: "http://git.example.com" - asserts: - - documentIndex: 0 - matchRegex: - path: stringData.server - pattern: \nLOCAL_ROOT_URL=http://git.example.com diff --git a/values.yaml b/values.yaml index f5022d9..2a5c4d2 100644 --- a/values.yaml +++ b/values.yaml 
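Review bot: The first case in this hunk is named "actions are enabled by default", but its assertion (`notExists` on `path: stringData.actions`) only proves that the chart renders no `actions` section; whether Actions is actually on is then decided by the Gitea version being deployed, not by the chart. The previous default rendered `ENABLED=false`, so installs that relied on the chart to keep Actions off will presumably inherit Gitea's built-in default after upgrading, and that change in who controls the setting should be visible in the test name. I would rename the case to `- it: "renders no actions section by default (Gitea's built-in default applies)"` and add a comment above the second case, `# explicit opt-out for operators who do not want Actions available`, so the `gitea.config.actions.ENABLED: false` path reads as the supported way to keep the feature disabled.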
@@ -348,107 +348,6 @@ signing: # -----END PGP PRIVATE KEY BLOCK----- existingSecret: "" -# Configure Gitea Actions -# - must enable persistence if the job is enabled -## @section Gitea Actions -# -## @param actions.enabled Create an act runner StatefulSet. -## @param actions.init.image.repository The image used for the init containers -## @param actions.init.image.tag The image tag used for the init containers -## @param actions.statefulset.annotations Act runner annotations -## @param actions.statefulset.labels Act runner labels -## @param actions.statefulset.resources Act runner resources -## @param actions.statefulset.nodeSelector NodeSelector for the statefulset -## @param actions.statefulset.tolerations Tolerations for the statefulset -## @param actions.statefulset.affinity Affinity for the statefulset -## @param actions.statefulset.extraVolumes Extra volumes for the statefulset -## @param actions.statefulset.actRunner.repository The Gitea act runner image -## @param actions.statefulset.actRunner.tag The Gitea act runner tag -## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy -## @param actions.statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container -## @param actions.statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. 
-## @param actions.statefulset.dind.repository The Docker-in-Docker image -## @param actions.statefulset.dind.tag The Docker-in-Docker image tag -## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy -## @param actions.statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container -## @param actions.statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` -## @param actions.provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret -## @param actions.provisioning.annotations Job's annotations -## @param actions.provisioning.labels Job's labels -## @param actions.provisioning.resources Job's resources -## @param actions.provisioning.nodeSelector NodeSelector for the job -## @param actions.provisioning.tolerations Tolerations for the job -## @param actions.provisioning.affinity Affinity for the job -## @param actions.provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed -## @param actions.provisioning.publish.repository The image that can create the secret via kubectl -## @param actions.provisioning.publish.tag The publish image tag that can create the secret -## @param actions.provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret -## @param actions.existingSecret Secret that contains the token -## @param actions.existingSecretKey Secret key -actions: - enabled: false - statefulset: - annotations: {} - labels: {} - resources: {} - nodeSelector: {} - tolerations: [] - affinity: {} - extraVolumes: [] - - actRunner: - repository: gitea/act_runner - tag: 0.2.11 - pullPolicy: IfNotPresent - extraVolumeMounts: [] - - # See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml - config: | - log: - level: debug - cache: - enabled: false - - dind: - repository: docker 
- tag: 25.0.2-dind - pullPolicy: IfNotPresent - extraVolumeMounts: [] - - # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable. - # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456 - extraEnvs: [] - # - name: "DOCKER_IPTABLES_LEGACY" - # value: "1" - - init: - image: - repository: busybox - # Overrides the image tag whose default is the chart appVersion. - tag: "1.37.0" - - provisioning: - enabled: false - - annotations: {} - labels: {} - resources: {} - nodeSelector: {} - tolerations: [] - affinity: {} - - publish: - repository: bitnami/kubectl - tag: 1.29.0 - pullPolicy: IfNotPresent - - ttlSecondsAfterFinished: 300 - - ## Specify an existing token secret - ## - existingSecret: "" - existingSecretKey: "" - ## @section Gitea # gitea: