diff --git a/README.md b/README.md
index 9e5c4d1..d3ca7d8 100644
--- a/README.md
+++ b/README.md
@@ -980,40 +980,40 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` | | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | -### GiteaActions +### Gitea Actions -| Name | Description | Value | -| ----------------------------------------------- | --------------------------------------------------------------------------- | ------------------ | -| `actions.statefulset.enabled` | Create an act runner StatefulSet. | `false` | -| `actions.statefulset.annotations` | Act runner annotations | `{}` | -| `actions.statefulset.labels` | Act runner labels | `{}` | -| `actions.statefulset.resources` | Act runner resources | `{}` | -| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | -| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | -| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | -| `actions.statefulset.config` | Act runner custom configuration. | `""` | -| `actions.statefulset.runnerLabels` | Act runner labels. 
| `""` | -| `actions.statefulset.actRunnerImage.repository` | The Gitea act runner image | `gitea/act_runner` | -| `actions.statefulset.actRunnerImage.tag` | The Gitea act runner tag | `0.2.6` | -| `actions.statefulset.actRunnerImage.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | -| `actions.statefulset.dindImage.repository` | The Docker-in-Docker image | `docker` | -| `actions.statefulset.dindImage.tag` | The Docker-in-Docker image tag | `24.0.7-dind` | -| `actions.statefulset.dindImage.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | -| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | -| `actions.job.annotations` | Job's annotations | `{}` | -| `actions.job.labels` | Job's labels | `{}` | -| `actions.job.resources` | Job's resources | `{}` | -| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | -| `actions.job.tolerations` | Tolerations for the job | `[]` | -| `actions.job.affinity` | Affinity for the job | `{}` | -| `actions.job.tokenImage.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | -| `actions.job.tokenImage.tag` | The token image tag that can create a token | `""` | -| `actions.job.tokenImage.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | -| `actions.job.publishImage.repository` | The image that can create the secret via kubectl | `bitnami/kubectl` | -| `actions.job.publishImage.tag` | The publish image tag that can create the secret | `1.29.0` | -| `actions.job.publishImage.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | -| `actions.existingSecret` | Secret that contains the token | `""` | -| `actions.existingSecretKey` | Secret key | `""` | +| Name | Description | Value | +| ------------------------------------------ | --------------------------------------------------------------------------- | ------------------ | 
+| `actions.enabled` | Create an act runner StatefulSet. | `false` | +| `actions.statefulset.annotations` | Act runner annotations | `{}` | +| `actions.statefulset.labels` | Act runner labels | `{}` | +| `actions.statefulset.resources` | Act runner resources | `{}` | +| `actions.statefulset.nodeSelector` | NodeSelector for the statefulset | `{}` | +| `actions.statefulset.tolerations` | Tolerations for the statefulset | `[]` | +| `actions.statefulset.affinity` | Affinity for the statefulset | `{}` | +| `actions.statefulset.config` | Act runner custom configuration. | `""` | +| `actions.statefulset.runnerLabels` | Act runner labels. | `""` | +| `actions.statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | +| `actions.statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.6` | +| `actions.statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | +| `actions.statefulset.dind.repository` | The Docker-in-Docker image | `docker` | +| `actions.statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` | +| `actions.statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | +| `actions.job.enabled` | Create a job that will create and save the token in a Kubernetes Secret | `false` | +| `actions.job.annotations` | Job's annotations | `{}` | +| `actions.job.labels` | Job's labels | `{}` | +| `actions.job.resources` | Job's resources | `{}` | +| `actions.job.nodeSelector` | NodeSelector for the job | `{}` | +| `actions.job.tolerations` | Tolerations for the job | `[]` | +| `actions.job.affinity` | Affinity for the job | `{}` | +| `actions.job.token.repository` | The image that can create a token via `gitea actions generate-runner-token` | `gitea/gitea` | +| `actions.job.token.tag` | The token image tag that can create a token | `""` | +| `actions.job.token.pullPolicy` | The token image pullPolicy that can create a token | `IfNotPresent` | +| `actions.job.publish.repository` | 
The image that can create the secret via kubectl | `bitnami/kubectl` | +| `actions.job.publish.tag` | The publish image tag that can create the secret | `1.29.0` | +| `actions.job.publish.pullPolicy` | The publish image pullPolicy that can create the secret | `IfNotPresent` | +| `actions.existingSecret` | Secret that contains the token | `""` | +| `actions.existingSecretKey` | Secret key | `""` | ### Gitea diff --git a/readme-actions-dev.md b/readme-actions-dev.md new file mode 100644 index 0000000..65a2719 --- /dev/null +++ b/readme-actions-dev.md 
@@ -0,0 +1,44 @@
+# Gitea Actions
+
+In order to use the Gitea Actions act-runner you must:
+
+- set the following environment variables to `deployment.env` (modify LOCAL_ROOT_URL if you used a different service name):
+
+```yaml
+deployment:
+  env:
+    - name: GITEA__ACTIONS__ENABLED
+      value: 'true'
+    - name: GITEA__SERVER__LOCAL_ROOT_URL
+      value: http://gitea-http:3000
+```
+
+- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
+
+In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
+  `gitea actions generate-runner-token`
+
+This command will out a token that is needed by the act-runner to register with the Gitea backend.
+
+Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
+
+1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
+2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
+the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
+
+After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
+
+1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
+2) `dind`: DockerInDocker image that is used to run the actions
+
+If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
+In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
+the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
+
+```yaml
+actions:
+  job:
+    enabled: false
+    existingSecret: "secret-name"
+    existingSecretKey: "secret-key"
+```
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 86e55c3..c0af496 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -47,7 +47,6 @@ If release name contains chart name it will be used as a full name.
 
 {{/*
 Create a default worker name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "gitea.workername" -}}
 {{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
diff --git a/templates/gitea/act_runner/config-act-runner.yaml b/templates/gitea/act_runner/config-act-runner.yaml
index 091f200..42bd59b 100644
--- a/templates/gitea/act_runner/config-act-runner.yaml
+++ b/templates/gitea/act_runner/config-act-runner.yaml
@@ -1,4 +1,4 @@
-{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- if .Values.actions.enabled }}
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/templates/gitea/act_runner/job.yaml b/templates/gitea/act_runner/job.yaml
index 61b6a8a..90aedae 100644
--- a/templates/gitea/act_runner/job.yaml
+++ b/templates/gitea/act_runner/job.yaml
@@ -42,8 +42,8 @@ spec:
             done
       containers:
         - name: actions-token-create
-          image: "{{ .Values.actions.job.tokenImage.repository }}:{{ .Values.actions.job.tokenImage.tag | default (printf "%s-rootless" .Chart.AppVersion) }}"
-          imagePullPolicy: {{ .Values.actions.job.tokenImage.pullPolicy }}
+          image: "{{ .Values.actions.job.token.repository }}:{{ .Values.actions.job.token.tag | default (printf "%s-rootless" .Chart.AppVersion) }}"
+          imagePullPolicy: {{ .Values.actions.job.token.pullPolicy }}
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
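Review bot: The `actions-token-create` container still hands the runner token to the upload step through the persistent Gitea data volume — readme-actions-dev.md in this diff says it is written to `/data/actions/token` — so a plaintext copy of the registration token stays on the PV after the Kubernetes Secret has been created, next to the `app.ini` this hunk points `GITEA_APP_INI` at. If both containers run in the same Job pod, as the readme implies, an `emptyDir` volume shared between them could carry the token instead, and `/scripts/token.sh` could delete the file once `kubectl` has stored it; that would also remove the persistence prerequisite for the handoff itself (the data volume is still needed for `app.ini` and the database). The token is only a registration credential, but it is what allows an arbitrary runner to attach to this instance and receive jobs, so it should not outlive the handoff. The container spec continues past the hunk, so the volume mounts that would change are not visible here.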
@@ -63,8 +63,8 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
             {{- end }}
         - name: actions-token-upload
-          image: "{{ .Values.actions.job.publishImage.repository }}:{{ .Values.actions.job.publishImage.tag }}"
-          imagePullPolicy: {{ .Values.actions.job.publishImage.pullPolicy }}
+          image: "{{ .Values.actions.job.publish.repository }}:{{ .Values.actions.job.publish.tag }}"
+          imagePullPolicy: {{ .Values.actions.job.publish.pullPolicy }}
           env:
             - name: SECRET_NAME
               value: {{ $secretName }}
diff --git a/templates/gitea/act_runner/statefulset.yaml b/templates/gitea/act_runner/statefulset.yaml
index b778820..43d3e66 100644
--- a/templates/gitea/act_runner/statefulset.yaml
+++ b/templates/gitea/act_runner/statefulset.yaml
@@ -1,4 +1,4 @@
-{{- if and (and .Values.actions.statefulset.enabled .Values.persistence.enabled) .Values.persistence.mount }}
+{{- if .Values.actions.enabled }}
 {{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
 ---
 apiVersion: apps/v1
@@ -38,8 +38,8 @@ spec:
             done
       containers:
         - name: act-runner
-          image: "{{ .Values.actions.statefulset.actRunnerImage.repository }}:{{ .Values.actions.statefulset.actRunnerImage.tag }}"
-          imagePullPolicy: {{ .Values.actions.statefulset.actRunnerImage.pullPolicy }}
+          image: "{{ .Values.actions.statefulset.actRunner.repository }}:{{ .Values.actions.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.actRunner.pullPolicy }}
           workingDir: /data
           env:
             - name: DOCKER_HOST
@@ -52,7 +52,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: "{{ .Values.actions.existingSecret | default $secretName }}"
-                  key: "{{ .Values.actions.existingSecret | default "token" }}"
+                  key: "{{ .Values.actions.existingSecretKey | default "token" }}"
             - name: GITEA_INSTANCE_URL
               value: "http://{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}"
             - name: GITEA_RUNNER_LABELS
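Review bot: Dropping the `persistence.enabled`/`persistence.mount` condition lets the StatefulSet render whenever `actions.enabled` is true, but nothing now checks that a token Secret will actually exist: with `actions.job.enabled` false, or persistence off (which the values.yaml comment in this diff says the Job requires), and no `actions.existingSecret`, the pod references `$secretName` under key `token`, which as far as this diff shows only the Job populates, and the runner sits in CreateContainerConfigError with no hint why. A template guard turns that into an install-time error: `{{- if and (not .Values.actions.existingSecret) (not (and .Values.actions.job.enabled .Values.persistence.enabled)) }}` / `{{- fail "actions: set actions.existingSecret, or enable actions.job together with persistence so the runner token Secret can be created" }}` / `{{- end }}`. The same condition change is made to config-act-runner.yaml, but the guard belongs here, in the template that consumes the Secret.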
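Review bot: The `key:` fix is right — the old line used `existingSecret` as the key name — but `existingSecretKey` is now honored even when `actions.existingSecret` is empty and the `name:` on the line above falls back to the chart-generated `$secretName`, whose key is presumably the `token` default used here; setting only `existingSecretKey` would therefore break the generated path with a missing-key error. Tie the key override to the secret override: `key: "{{ if .Values.actions.existingSecret }}{{ .Values.actions.existingSecretKey | default "token" }}{{ else }}token{{ end }}"`. The README row for `actions.existingSecretKey` should also say it is only consulted together with `existingSecret`. The `env` list continues outside the hunk.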
@@ -70,8 +70,8 @@ spec:
             - mountPath: /data
               name: data-act-runner
         - name: dind
-          image: "{{ .Values.actions.statefulset.dindImage.repository }}:{{ .Values.actions.statefulset.dindImage.tag }}"
-          imagePullPolicy: {{ .Values.actions.statefulset.dindImage.pullPolicy }}
+          image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.actions.statefulset.dind.pullPolicy }}
           env:
             - name: DOCKER_HOST
               value: tcp://127.0.0.1:2376
diff --git a/unittests/act_runner/config-act-runner.yaml b/unittests/act_runner/config-act-runner.yaml
index a9a1a85..9230194 100644
--- a/unittests/act_runner/config-act-runner.yaml
+++ b/unittests/act_runner/config-act-runner.yaml
@@ -9,8 +9,7 @@ tests:
     template: templates/gitea/act_runner/config-act-runner.yaml
     set:
       actions:
-        statefulset:
-          enabled: true
+        enabled: true
     asserts:
       - hasDocuments:
           count: 1
diff --git a/unittests/act_runner/config-scripts.yaml b/unittests/act_runner/config-scripts.yaml
index 93314db..6605c39 100644
--- a/unittests/act_runner/config-scripts.yaml
+++ b/unittests/act_runner/config-scripts.yaml
@@ -5,7 +5,7 @@ release:
 templates:
   - templates/gitea/act_runner/config-scripts.yaml
 tests:
-  - it: renders a deployment
+  - it: renders a ConfigMap
     template: templates/gitea/act_runner/config-scripts.yaml
     set:
       actions:
diff --git a/unittests/act_runner/job.yaml b/unittests/act_runner/job.yaml
index 6ba7e7f..55f195c 100644
--- a/unittests/act_runner/job.yaml
+++ b/unittests/act_runner/job.yaml
@@ -5,7 +5,7 @@ release:
 templates:
   - templates/gitea/act_runner/job.yaml
 tests:
-  - it: renders a deployment
+  - it: renders a Job
     template: templates/gitea/act_runner/job.yaml
     set:
       actions:
diff --git a/unittests/act_runner/role-job.yaml b/unittests/act_runner/role-job.yaml
index 217f45a..9c04ba4 100644
--- a/unittests/act_runner/role-job.yaml
+++ b/unittests/act_runner/role-job.yaml
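Review bot: The dind image — and, in the other hunks, the `actRunner`, `token` and `publish` images — is referenced by a mutable tag with `IfNotPresent` pull policy and no digest, although the README section touched by this diff documents a `digest` parameter for the main Gitea image; the dind container is the one that executes arbitrary workflow code, so its provenance deserves the same pinning. Add an optional `digest` to each image value and render it when set, e.g. `image: "{{ .Values.actions.statefulset.dind.repository }}:{{ .Values.actions.statefulset.dind.tag }}{{- with .Values.actions.statefulset.dind.digest }}@{{ . }}{{- end }}"`, and document it in the README table alongside `tag`. The `DOCKER_HOST` context line points at 2376, which is the TLS port, but the TLS setup and this container's `securityContext` lie outside the hunk, so I cannot tell from here how the daemon socket is protected.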
@@ -5,7 +5,7 @@ release:
 templates:
   - templates/gitea/act_runner/role-job.yaml
 tests:
-  - it: renders a role
+  - it: renders a Role
     template: templates/gitea/act_runner/role-job.yaml
     set:
       actions:
diff --git a/unittests/act_runner/rolebinding-job.yaml b/unittests/act_runner/rolebinding-job.yaml
index 7c9d416..871364c 100644
--- a/unittests/act_runner/rolebinding-job.yaml
+++ b/unittests/act_runner/rolebinding-job.yaml
@@ -5,7 +5,7 @@ release:
 templates:
   - templates/gitea/act_runner/rolebinding-job.yaml
 tests:
-  - it: renders a deployment
+  - it: renders a RoleBinding
     template: templates/gitea/act_runner/rolebinding-job.yaml
     set:
       actions:
diff --git a/unittests/act_runner/secret-token.yaml b/unittests/act_runner/secret-token.yaml
index 9cae9b6..41458d9 100644
--- a/unittests/act_runner/secret-token.yaml
+++ b/unittests/act_runner/secret-token.yaml
@@ -5,7 +5,7 @@ release:
 templates:
   - templates/gitea/act_runner/secret-token.yaml
 tests:
-  - it: renders a deployment
+  - it: renders a Secret
     template: templates/gitea/act_runner/secret-token.yaml
     set:
       actions:
diff --git a/unittests/act_runner/serviceaccount-job.yaml b/unittests/act_runner/serviceaccount-job.yaml
index f0f82a9..753a421 100644
--- a/unittests/act_runner/serviceaccount-job.yaml
+++ b/unittests/act_runner/serviceaccount-job.yaml
@@ -5,7 +5,7 @@ release:
 templates:
   - templates/gitea/act_runner/serviceaccount-job.yaml
 tests:
-  - it: renders a deployment
+  - it: renders a ServiceAccount
     template: templates/gitea/act_runner/serviceaccount-job.yaml
     set:
       actions:
diff --git a/unittests/act_runner/statefulset.yaml b/unittests/act_runner/statefulset.yaml
index d94cb4a..f3bbe9a 100644
--- a/unittests/act_runner/statefulset.yaml
+++ b/unittests/act_runner/statefulset.yaml
@@ -5,12 +5,11 @@ release:
 templates:
   - templates/gitea/act_runner/statefulset.yaml
 tests:
-  - it: renders a deployment
+  - it: renders a StatefulSet
     template: templates/gitea/act_runner/statefulset.yaml
     set:
       actions:
-        statefulset:
-          enabled: true
+        enabled: true
     asserts:
       - hasDocuments:
           count: 1
diff --git a/values.yaml b/values.yaml
index b44a91c..aa96ee1 100644
--- a/values.yaml
+++ b/values.yaml
@@ -332,11 +332,11 @@ signing:
   existingSecret: ""
 
 # Configure Gitea Actions
-# - must enable persistence
+# - must enable persistence if the job is enabled
 # - must define deployment.env.GITEA__ACTIONS__ENABLED and GITEA__SERVER__LOCAL_ROOT_URL
-## @section GiteaActions
+## @section Gitea Actions
 #
-## @param actions.statefulset.enabled Create an act runner StatefulSet.
+## @param actions.enabled Create an act runner StatefulSet.
 ## @param actions.statefulset.annotations Act runner annotations
 ## @param actions.statefulset.labels Act runner labels
 ## @param actions.statefulset.resources Act runner resources
@@ -345,12 +345,12 @@ signing:
 ## @param actions.statefulset.affinity Affinity for the statefulset
 ## @param actions.statefulset.config Act runner custom configuration.
 ## @param actions.statefulset.runnerLabels Act runner labels.
-## @param actions.statefulset.actRunnerImage.repository The Gitea act runner image
-## @param actions.statefulset.actRunnerImage.tag The Gitea act runner tag
-## @param actions.statefulset.actRunnerImage.pullPolicy The Gitea act runner pullPolicy
-## @param actions.statefulset.dindImage.repository The Docker-in-Docker image
-## @param actions.statefulset.dindImage.tag The Docker-in-Docker image tag
-## @param actions.statefulset.dindImage.pullPolicy The Docker-in-Docker pullPolicy
+## @param actions.statefulset.actRunner.repository The Gitea act runner image
+## @param actions.statefulset.actRunner.tag The Gitea act runner tag
+## @param actions.statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
+## @param actions.statefulset.dind.repository The Docker-in-Docker image
+## @param actions.statefulset.dind.tag The Docker-in-Docker image tag
+## @param actions.statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
 ## @param actions.job.enabled Create a job that will create and save the token in a Kubernetes Secret
 ## @param actions.job.annotations Job's annotations
 ## @param actions.job.labels Job's labels
@@ -358,18 +358,17 @@ signing:
 ## @param actions.job.nodeSelector NodeSelector for the job
 ## @param actions.job.tolerations Tolerations for the job
 ## @param actions.job.affinity Affinity for the job
-## @param actions.job.tokenImage.repository The image that can create a token via `gitea actions generate-runner-token`
-## @param actions.job.tokenImage.tag The token image tag that can create a token
-## @param actions.job.tokenImage.pullPolicy The token image pullPolicy that can create a token
-## @param actions.job.publishImage.repository The image that can create the secret via kubectl
-## @param actions.job.publishImage.tag The publish image tag that can create the secret
-## @param actions.job.publishImage.pullPolicy The publish image pullPolicy that can create the secret
+## @param actions.job.token.repository The image that can create a token via `gitea actions generate-runner-token`
+## @param actions.job.token.tag The token image tag that can create a token
+## @param actions.job.token.pullPolicy The token image pullPolicy that can create a token
+## @param actions.job.publish.repository The image that can create the secret via kubectl
+## @param actions.job.publish.tag The publish image tag that can create the secret
+## @param actions.job.publish.pullPolicy The publish image pullPolicy that can create the secret
 ## @param actions.existingSecret Secret that contains the token
 ## @param actions.existingSecretKey Secret key
 actions:
+  enabled: false
   statefulset:
-    enabled: false
-
     annotations: {}
     labels: {}
     resources: {}
@@ -380,14 +379,14 @@ actions:
     config: ""
     runnerLabels: ""
 
-    actRunnerImage:
+    actRunner:
       repository: gitea/act_runner
       tag: 0.2.6
       pullPolicy: IfNotPresent
 
-    dindImage:
+    dind:
       repository: docker
-      tag: 24.0.7-dind
+      tag: 25.0.2-dind
       pullPolicy: IfNotPresent
 
   job:
@@ -400,12 +399,12 @@ actions:
     tolerations: []
     affinity: {}
 
-    tokenImage:
+    token:
       repository: gitea/gitea
       tag: ""
       pullPolicy: IfNotPresent
 
-    publishImage:
+    publish:
       repository: bitnami/kubectl
       tag: 1.29.0
       pullPolicy: IfNotPresent