From f24a72dded94890e57400001ccc226f6832930d5 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 30 Aug 2024 23:38:07 +0000 Subject: [PATCH 01/10] chore(deps): update dependency helm-unittest to v0.6.0 (main) (#819) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- .forgejo/workflows/build.yml | 2 +- .vscode/settings.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml index 83bf095..d69d429 100644 --- a/.forgejo/workflows/build.yml +++ b/.forgejo/workflows/build.yml @@ -14,7 +14,7 @@ permissions: env: HELM_VERSION: v3.15.4 # renovate: datasource=github-releases depName=helm packageName=helm/helm - HELM_UNITTEST_VERSION: v0.5.2 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest + HELM_UNITTEST_VERSION: v0.6.0 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest HELM_CHART_TESTING_VERSION: v3.11.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing KUBECTL_VERSION: v1.31.0 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes CT_GITHUB_GROUPS: true diff --git a/.vscode/settings.json b/.vscode/settings.json index a570123..2169530 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -4,7 +4,7 @@ ".github/workflows/*", ".forgejo/workflows/*" ], - "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [ + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.6.0/schema/helm-testsuite.json": [ "/unittests/**/*.yaml" ] }, From e733ed235ac086defb797382a497904bd6386f15 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Sat, 31 Aug 2024 00:07:34 +0000 Subject: [PATCH 02/10] fix(deps): update subcharts (main) (#821) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.lock | 8 ++++---- Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Chart.lock b/Chart.lock index 4364abf..dfbaf6c 100644 --- a/Chart.lock +++ b/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.26 + version: 15.5.27 - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.18 + version: 14.2.19 - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts version: 11.0.3 - name: redis repository: oci://registry-1.docker.io/bitnamicharts version: 20.0.3 -digest: sha256:627fc1524eb938251ac9441031eb645acb81f5dca8dd21258388d4fc32c4eb72 -generated: "2024-08-28T00:01:22.591626715Z" +digest: sha256:a103e7aec74fd0340567416a92280e095f00349f2e9ac9ede9de7ba928f3e24b +generated: "2024-08-31T00:01:17.247742418Z" diff --git a/Chart.yaml b/Chart.yaml index b6f1294..a23e29c 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -29,12 +29,12 @@ dependencies: # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.26 + version: 15.5.27 condition: postgresql.enabled # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.18 + version: 14.2.19 condition: postgresql-ha.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml - name: redis-cluster From 8c3ff4c293920e05ccf53ecffc143c519dc6a592 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Sun, 1 Sep 2024 14:43:37 +0000 Subject: [PATCH 03/10] chore(deps): update dependency lint-staged to v15.2.10 (main) (#823) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- package.json | 2 +- pnpm-lock.yaml | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/package.json b/package.json index 540fb56..a16fb0b 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,7 @@ "conventional-changelog-conventionalcommits": "8.0.0", "conventional-changelog-core": "8.0.0", "husky": "9.1.5", - "lint-staged": "15.2.9", + "lint-staged": "15.2.10", "markdownlint-cli": "0.41.0", "prettier": "3.3.3" }, diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index b194e92..570522f 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -24,8 +24,8 @@ importers: specifier: 9.1.5 version: 9.1.5 lint-staged: - specifier: 15.2.9 - version: 15.2.9 + specifier: 15.2.10 + version: 15.2.10 markdownlint-cli: specifier: 0.41.0 version: 0.41.0 @@ -413,8 +413,8 @@ packages: linkify-it@5.0.0: resolution: {integrity: sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==} - lint-staged@15.2.9: - resolution: {integrity: sha512-BZAt8Lk3sEnxw7tfxM7jeZlPRuT4M68O0/CwZhhaw6eeWu0Lz5eERE3m386InivXB64fp/mDID452h48tvKlRQ==} + lint-staged@15.2.10: + resolution: {integrity: sha512-5dY5t743e1byO19P9I4b3x8HJwalIznL5E1FWYnU6OWw33KxNBSLAc6Cy7F2PsFEO8FKnLwjwm5hx7aMF0jzZg==} engines: {node: '>=18.12.0'} hasBin: true @@ -467,8 +467,8 @@ packages: merge-stream@2.0.0: resolution: {integrity: sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w==} - micromatch@4.0.7: - resolution: {integrity: sha512-LPP/3KorzCwBxfeUuZmaR6bG2kdeHSbe0P2tY3FLRU4vYrjYz5hI4QZwV0njUx3jeuKe67YukQ1LSPZBKDqO/Q==} + micromatch@4.0.8: + resolution: {integrity: sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==} engines: {node: '>=8.6'} mimic-fn@4.0.0: 
@@ -1075,7 +1075,7 @@ snapshots: dependencies: uc.micro: 2.1.0 - lint-staged@15.2.9: + lint-staged@15.2.10: dependencies: chalk: 5.3.0 commander: 12.1.0 @@ -1083,7 +1083,7 @@ snapshots: execa: 8.0.1 lilconfig: 3.1.2 listr2: 8.2.4 - micromatch: 4.0.7 + micromatch: 4.0.8 pidtree: 0.6.0 string-argv: 0.3.2 yaml: 2.5.0 @@ -1155,7 +1155,7 @@ snapshots: merge-stream@2.0.0: {} - micromatch@4.0.7: + micromatch@4.0.8: dependencies: braces: 3.0.3 picomatch: 2.3.1 From c56114ef9fd84b91416c6386783ef183f0f4820e Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 1 Sep 2024 22:37:07 +0000 Subject: [PATCH 04/10] chore(deps): update dependency helm-unittest to v0.6.1 (main) (#825) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- .forgejo/workflows/build.yml | 2 +- .vscode/settings.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml index d69d429..4eacccc 100644 --- a/.forgejo/workflows/build.yml +++ b/.forgejo/workflows/build.yml @@ -14,7 +14,7 @@ permissions: env: HELM_VERSION: v3.15.4 # renovate: datasource=github-releases depName=helm packageName=helm/helm - HELM_UNITTEST_VERSION: v0.6.0 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest + HELM_UNITTEST_VERSION: v0.6.1 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest HELM_CHART_TESTING_VERSION: v3.11.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing KUBECTL_VERSION: v1.31.0 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes CT_GITHUB_GROUPS: true diff --git a/.vscode/settings.json b/.vscode/settings.json index 2169530..8a41be7 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
@@ -4,7 +4,7 @@ ".github/workflows/*", ".forgejo/workflows/*" ], - "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.6.0/schema/helm-testsuite.json": [ + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.6.1/schema/helm-testsuite.json": [ "/unittests/**/*.yaml" ] }, From f216d1137149945209bf34c60bbe4680a1015bc1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 4 Sep 2024 00:12:12 +0000 Subject: [PATCH 05/10] fix(deps): update helm release postgresql-ha to v14.2.21 (main) (#831) Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- Chart.lock | 6 +++--- Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Chart.lock b/Chart.lock index dfbaf6c..b86af4f 100644 --- a/Chart.lock +++ b/Chart.lock @@ -4,12 +4,12 @@ dependencies: version: 15.5.27 - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.19 + version: 14.2.21 - name: redis-cluster repository: oci://registry-1.docker.io/bitnamicharts version: 11.0.3 - name: redis repository: oci://registry-1.docker.io/bitnamicharts version: 20.0.3 -digest: sha256:a103e7aec74fd0340567416a92280e095f00349f2e9ac9ede9de7ba928f3e24b -generated: "2024-08-31T00:01:17.247742418Z" +digest: sha256:4f64d74bcb3d05446e9a678f88d9187e3017652276255204a15de037fa6a9dbf +generated: "2024-09-04T00:01:15.579688274Z" diff --git a/Chart.yaml b/Chart.yaml index a23e29c..6b3e4ab 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -34,7 +34,7 @@ dependencies: # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml - name: postgresql-ha repository: oci://registry-1.docker.io/bitnamicharts - version: 14.2.19 + version: 14.2.21 condition: postgresql-ha.enabled # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml - name: redis-cluster From c5075858c7a3eb359cbbf024e0f54f2df0ffd5a4 Mon Sep 17 00:00:00 2001 
From: Stefan Bethke Date: Tue, 3 Sep 2024 14:36:49 +0200 Subject: [PATCH 06/10] WIP: add runner --- README.md | 38 +++++++++++- templates/_helpers.tpl | 49 ++++++++++++++++ templates/gitea/deployment.yaml | 42 ++++++++++++++ templates/gitea/init.yaml | 11 ++++ templates/gitea/runner-secret.yaml | 26 +++++++++ templates/gitea/runner.yaml | 92 ++++++++++++++++++++++++++++++ values.yaml | 20 +++++++ 7 files changed, 276 insertions(+), 2 deletions(-) create mode 100644 templates/gitea/runner-secret.yaml create mode 100644 templates/gitea/runner.yaml diff --git a/README.md b/README.md index 427db75..7f59190 100644 --- a/README.md +++ b/README.md @@ -46,16 +46,22 @@ - [Init](#init) - [Signing](#signing) - [Gitea](#gitea) + - [`app.ini` overrides](#appini-overrides) + - [Actions Runner](#actions-runner) + - [Registration Secret](#registration-secret) - [LivenessProbe](#livenessprobe) - [ReadinessProbe](#readinessprobe) - [StartupProbe](#startupprobe) - - [redis-cluster](#redis-cluster) - - [redis](#redis) + - [RedisĀ® Cluster](#redis-cluster) + - [RedisĀ®](#redis) - [PostgreSQL HA](#postgresql-ha) - [PostgreSQL](#postgresql) - [Advanced](#advanced) - [Contributing](#contributing) - [Upgrading](#upgrading) + - [To v8.0.0](#to-v800) + - [To v7.0.0](#to-v700) + - [To v6.0.0](#to-v600) [Forgejo](https://forgejo.org/) is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. 
@@ -1076,6 +1082,34 @@ blocks, while the keys themselves remain in all caps. | `gitea.config.actions` | Configuration for [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/) | `{}` | | `gitea.config.other` | Uncategorized configuration options | `{}` | +### Actions Runner + +The chart can deploy an [Actions Runner](https://forgejo.org/docs/latest/admin/actions/#forgejo-runner). + +**Note** You also need to set `gitea.config.actions.enabled=true` if you want to use runners. + +The available runner tags are listed here: + +| Name | Description | Value | +|-----------------------------------------------|------------------------------------------------------------|--------------------| +| `gitea.actions.runner.enabled` | Enable automatic deployment of a runner. | `false` | +| `gitea.actions.runner.image.pullPolicy` | Overrides the pull policy set globally for actions runners | | +| `gitea.actions.runner.image.registry` | Image registry, e.g. gcr.io,docker.io | `code.forgejo.org` | +| `gitea.actions.runner.image.repository` | Image to start for this pod | `forgejo/runner` | +| `gitea.actions.runner.image.tag` | Tag to deploy | | +| `gitea.actions.runner.registrationSecretName` | Name of secret containing the registration secret | ~ | +| `gitea.actions.runner.replicas` | Number of replicas to automatically deploy | 1 | +| `gitea.actions.runner.runnerLabels` | Forgejo Runner labels to assign to the runner | `["docker"]` | + +#### Registration Secret + +The Runner needs to register itself with Forgejo. The chart will use the +secret named by `gitea.actions.runner.registrationSecretName`, key +`runner-registration-secret` to both add a runner with that secret to +Forgejo at the application level, as well as register the runner when it +starts up. If `registrationSecretName` is not set, the chart will create +a secret for you. An existing secret will be reused. + ### LivenessProbe | Name | Description | Value | 
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 234c839..8d2d47b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -63,6 +63,20 @@ Create image name and tag used by the deployment. {{- end -}} {{- end -}} +{{/* +Create image name and tag used by the actions runner. +*/}} +{{- define "gitea.actions-image" -}} +{{- $registry := .Values.gitea.actions.runner.image.registry | default (.Values.global.imageRegistry | default .Values.image.registry) -}} +{{- $name := .Values.gitea.actions.runner.image.repository -}} +{{- $tag := .Values.gitea.actions.runner.image.tag -}} +{{- if $registry -}} + {{- printf "%s/%s:%s" $registry $name $tag -}} +{{- else -}} + {{- printf "%s:%s" $name $tag -}} +{{- end -}} +{{- end -}} + {{/* Docker Image Registry Secret Names evaluating values as templates */}} @@ -108,6 +122,26 @@ app.kubernetes.io/name: {{ include "gitea.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{/* +Actions runner labels +*/}} +{{- define "gitea.actions.runner.labels" -}} +helm.sh/chart: {{ include "gitea.chart" . }} +app: actions-runner +{{ include "gitea.actions.runner.selectorLabels" . }} +app.kubernetes.io/version: {{ .Values.gitea.actions.runner.image.tag | quote }} +version: {{ .Values.gitea.actions.runner.image.tag | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Actions runner selector labels +*/}} +{{- define "gitea.actions.runner.selectorLabels" -}} +app.kubernetes.io/name: actions-runner +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + {{- define "postgresql-ha.dns" -}} {{- if (index .Values "postgresql-ha").enabled -}} {{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}} 
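Review bot: `gitea.actions-image` interpolates `$tag` unconditionally, so an empty `gitea.actions.runner.image.tag` renders `code.forgejo.org/forgejo/runner:` and the failure only surfaces as an image-pull error on the pod instead of at template time. Fail fast on the line that reads the tag: `{{- $tag := .Values.gitea.actions.runner.image.tag | required "gitea.actions.runner.image.tag must be set" -}}`. For an image that executes CI jobs it is also worth accepting a digest so the runner can be pinned by content rather than by a mutable tag; if the existing `gitea.image` helper (outside this hunk) already handles one, mirror that handling here.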
@@ -247,6 +281,9 @@ https {{- if not (hasKey .Values.gitea.config "metrics") -}} {{- $_ := set .Values.gitea.config "metrics" dict -}} {{- end -}} + {{- if not (hasKey .Values.gitea.config "actions") -}} + {{- $_ := set .Values.gitea.config "actions" dict -}} + {{- end -}} {{- if not (hasKey .Values.gitea.config "database") -}} {{- $_ := set .Values.gitea.config "database" dict -}} {{- end -}} @@ -286,6 +323,9 @@ https {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} {{- end -}} + {{- if not (hasKey .Values.gitea.config.actions "ENABLED") -}} + {{- $_ := set .Values.gitea.config.actions "ENABLED" .Values.gitea.actions.enabled -}} + {{- end -}} {{- /* redis queue */ -}} {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}} {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}} @@ -416,3 +456,12 @@ https {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }} {{- end -}} {{- end -}} + +{{- define "gitea.randHex" -}} + {{- $result := "" }} + {{- range $i := until . }} + {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }} + {{- $result = print $result $rand_hex_char }} + {{- end }} + {{- $result }} +{{- end }} \ No newline at end of file diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index f321f22..0af19a1 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml 
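Review bot: The block added in the `@@ -286,6 +323,9 @@` hunk reads `.Values.gitea.actions.enabled`, but the values introduced by this commit only define `gitea.actions.runner.enabled`, so the expression resolves to nil and `actions.ENABLED` is written with an empty value rather than left to the Forgejo default (how that nil is rendered into app.ini is not visible from here). Either define `gitea.actions.enabled` in values.yaml and document it, or guard the assignment so an unset chart value never overrides app.ini: `{{- if and (hasKey .Values.gitea.actions "enabled") (not (hasKey .Values.gitea.config.actions "ENABLED")) -}}`. The enclosing define starts well before this hunk.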
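Review bot: `gitea.randHex` is uniform, but only because `randNumeric 4` yields 0–9999 and 10000 is divisible by 16, and it is only cryptographically suitable if Sprig's `randNumeric` is backed by crypto/rand (true for Sprig 3.x, which I cannot confirm from this file); neither fact is stated. A one-line comment would spare the next reader the derivation, or replace the loop with a form whose properties are obvious: `{{- define "gitea.randHex" -}}{{- randAlphaNum 64 | sha256sum | trunc . -}}{{- end -}}`, which returns `.` lowercase hex characters for any `.` up to 64. The hunk also drops the file's trailing newline.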
@@ -261,6 +261,48 @@ spec: {{- include "gitea.init-additional-mounts" . | nindent 12 }} resources: {{- toYaml .Values.initContainers.resources | nindent 12 }} + - name: add-runner-secret + image: "{{ include "gitea.image" . }}" + command: ["/usr/sbin/add_runner_secret.sh"] + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} + {{- $csc := deepCopy .Values.containerSecurityContext -}} + {{- if not (hasKey $csc "runAsUser") -}} + {{- $_ := set $csc "runAsUser" 1000 -}} + {{- end -}} + {{- toYaml $csc | nindent 12 }} + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + {{- if .Values.image.rootless }} + - name: HOME + value: /data/gitea/git + {{- end }} + - name: RUNNER_SECRET + valueFrom: + secretKeyRef: + name: {{ include "gitea.fullname" . }}-runner-registration + key: runner-registration-secret + volumeMounts: + - name: init + mountPath: /usr/sbin + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- include "gitea.init-additional-mounts" . | nindent 12 }} + resources: + {{- toYaml .Values.initContainers.resources | nindent 12 }} terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} containers: - name: {{ .Chart.Name }} diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml index 434486a..bd065b5 100644 --- a/templates/gitea/init.yaml +++ b/templates/gitea/init.yaml 
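Review bot: The `add-runner-secret` init container is added unconditionally and hard-codes `{{ include "gitea.fullname" . }}-runner-registration`, while the Secret template in this series is only rendered when `gitea.actions.runner.enabled` is true and no `registrationSecretName` is set; with the shipped default `enabled: false` every Forgejo pod references a Secret that does not exist and sits in `CreateContainerConfigError`, and a user-supplied `registrationSecretName` is silently ignored even though the README says it is used. Wrap the container in `{{- if .Values.gitea.actions.runner.enabled }}` … `{{- end }}` and resolve the name once: `name: {{ .Values.gitea.actions.runner.registrationSecretName | default (printf "%s-runner-registration" (include "gitea.fullname" .)) }}`. The `initContainers` list this entry belongs to starts before the hunk.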
@@ -224,3 +224,14 @@ stringData: configure_oauth echo '==== END GITEA CONFIGURATION ====' + + add_runner_secret.sh: |- + #!/usr/bin/env bash + + set -euo pipefail + + echo '==== BEGIN ADD RUNNER SECRET ====' + + forgejo forgejo-cli actions register --name "{{ include "gitea.fullname" . }}-runner" --secret "${RUNNER_SECRET}" + + echo '==== END ADD RUNNER SECRET ====' diff --git a/templates/gitea/runner-secret.yaml b/templates/gitea/runner-secret.yaml new file mode 100644 index 0000000..9f6bc16 --- /dev/null +++ b/templates/gitea/runner-secret.yaml @@ -0,0 +1,26 @@ +{{/* +Runner registration secret. Will only be created if it does not exist. + +https://forgejo.org/docs/latest/admin/actions/#registration + +The secret must be a 40-character long string of hexadecimal numbers. +The first 16 characters will be used as an identifier for the runner, +while the rest is the actual secret. It is possible to update the +secret of an existing runner by running the command again on the +Forgejo machine, with the last 24 characters updated. +*/}} +{{- if and (.Values.gitea.actions.runner.enabled) (not .Values.gitea.actions.runner.registrationSecretName) -}} +{{- $secretName := printf "%s-%s" (include "gitea.fullname" .) "runner-registration" -}} +{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}} +{{- if not $secret }} +apiVersion: v1 +kind: Secret +metadata: + annotations: + helm.sh/resource-policy: keep + name: {{ $secretName }} +type: Opaque +data: + runner-registration-secret: {{ include "gitea.randHex" 40 | b64enc }} +{{- end }} +{{- end }} diff --git a/templates/gitea/runner.yaml b/templates/gitea/runner.yaml new file mode 100644 index 0000000..742e154 --- /dev/null +++ b/templates/gitea/runner.yaml 
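Review bot: `add_runner_secret.sh` passes the registration secret as a command-line argument (`--secret "${RUNNER_SECRET}"`), so it is readable from `/proc/<pid>/cmdline` for the life of the process and would be printed verbatim if anyone later adds `set -x` to debug the init scripts. Because `registrationSecretName` lets operators supply their own value and Forgejo documents the format as exactly 40 hex characters (see the comment in runner-secret.yaml), a fail-fast check before the CLI call gives a clear error instead of an opaque registration failure: `[[ "${RUNNER_SECRET}" =~ ^[0-9a-f]{40}$ ]] || { echo 'RUNNER_SECRET must be 40 lowercase hex characters' >&2; exit 1; }`. If `forgejo-cli actions register` can read the secret from a file or stdin (not verifiable from here), prefer that over argv.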
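Review bot: The generated Secret carries no chart labels, unlike the other templates, so `kubectl get secret -l app.kubernetes.io/instance=<release>` will not list it, and `helm.sh/resource-policy: keep` means it outlives `helm uninstall`; operators need to know that a re-install silently reuses the old registration secret and that rotating it means deleting this Secret by hand. Add `labels:` with `{{- include "gitea.labels" . | nindent 4 }}` under `metadata` (assuming the chart's usual labels helper, which this hunk does not show) and extend the header comment with a sentence on the keep/lookup lifecycle and on rotation. Also worth a line in that comment: `lookup` returns nothing under `helm template`, `--dry-run` and chart-testing, so those runs always render a fresh secret.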
@@ -0,0 +1,92 @@ +{{- if .Values.gitea.actions.runner.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "gitea.fullname" . }}-runner + labels: + {{- include "gitea.actions.runner.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.gitea.actions.runner.replicas }} + selector: + matchLabels: + {{- include "gitea.actions.runner.selectorLabels" . | nindent 6 }} + serviceName: {{ include "gitea.fullname" . }}-runner + template: + metadata: + labels: + {{- include "gitea.actions.runner.labels" . | nindent 8 }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- include "gitea.images.pullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + - name: configure-runner + image: "{{ include "gitea.actions-image" . }}" + imagePullPolicy: {{ default .Values.image.pullPolicy .Values.gitea.actions.runner.image.pullPolicy }} + command: [ "forgejo-runner" ] + args: + - "create-runner-file" + - "--connect" + - "--secret-file" + - "/runner-secret/runner-registration-secret" + - "--instance" + - "http://{{ .Release.Name }}-http:{{ .Values.service.http.port }}" + - "--labels" + - "{{ join "," .Values.gitea.actions.runner.runnerLabels }}" + volumeMounts: + - name: data + mountPath: /data + - name: runner-secret + mountPath: /runner-secret + - name: temp + mountPath: /tmp + containers: + - name: {{ .Chart.Name }} + image: "{{ include "gitea.actions-image" . 
}}" + imagePullPolicy: {{ default .Values.image.pullPolicy .Values.gitea.actions.runner.image.pullPolicy }} + env: + - name: DOCKER_HOST + value: tcp://localhost:2376 + - name: DOCKER_CERT_PATH + value: /certs/client + - name: DOCKER_TLS_VERIFY + value: "1" + command: [ "forgejo-runner" ] + args: + - daemon + volumeMounts: + - name: certs + mountPath: /certs + - name: data + mountPath: /data + - name: temp + mountPath: /tmp + - name: daemon + image: docker:23.0.6-dind-rootless + env: + - name: DOCKER_TLS_CERTDIR + value: /certs + # NOTE: the container needs to run as root to configure dockerd, but + # dockerd itself is NOT run as root + securityContext: + privileged: true + volumeMounts: + - name: certs + mountPath: /certs + volumes: + - name: certs + emptyDir: {} + - name: data + emptyDir: {} + - name: temp + emptyDir: {} + - name: runner-secret + secret: + secretName: {{ include "gitea.fullname" . }}-runner-registration +{{- end }} diff --git a/values.yaml b/values.yaml index 7e67426..8990b37 100644 --- a/values.yaml +++ b/values.yaml 
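Review bot: The `daemon` sidecar runs with `privileged: true`, which makes the pod root-equivalent on the node even though dockerd itself is rootless, and this is precisely the pod where untrusted workflow code from repositories executes; at minimum the README and the values comment should state this trade-off, the runner container should get a `securityContext` and `resources`, and the chart should recommend a dedicated node pool or a namespace with a restrictive admission policy. Two hard-coded values also diverge from the rest of the series: `--instance` uses `http://{{ .Release.Name }}-http:…` while every other name is derived from `include "gitea.fullname" .` (likely wrong when `fullnameOverride` is set; the http Service is outside this hunk), and the volume's `secretName` ignores `gitea.actions.runner.registrationSecretName`. Use `secretName: {{ .Values.gitea.actions.runner.registrationSecretName | default (printf "%s-runner-registration" (include "gitea.fullname" .)) }}`. `docker:23.0.6-dind-rootless` is pinned inline with no values override and no `# renovate:` annotation, so it will silently age. Finally, since the first 16 characters of the shared secret identify the runner, every replica registers under one identity — confirm against Forgejo's behaviour before allowing `replicas` above 1.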
@@ -355,6 +355,26 @@ gitea: email: 'gitea@local.domain' passwordMode: keepUpdated + ## @param gitea.actions.runner.enabled Enable automatic deployment of a runner. You also need to set gitea.config.actions.enabled + ## @param gitea.actions.runner.image.registry Image registry, e.g. gcr.io,docker.io + ## @param gitea.actions.runner.image.repository Image to start for this pod + ## @param gitea.actions.runner.image.tag Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/runner/versions). + ## @param gitea.actions.runner.image.pullPolicy Overrides the pull policy set globally for actions runners + ## @param gitea.actions.runner.registrationSecretName Name of secret containing the registration secret. If unset, the chart will create one + ## @param gitea.actions.runner.replicas Number of replicas to automatically deploy + ## @param gitea.actions.runner.runnerLabels Forgejo Runner labels to assign to the runner + actions: + runner: + enabled: false + image: + registry: "code.forgejo.org" + repository: forgejo/runner + tag: "3.5.1" + pullPolicy: IfNotPresent + registrationSecretName: ~ + replicas: 1 + runnerLabels: ["docker"] + ## @param gitea.metrics.enabled Enable Forgejo metrics ## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor metrics: From 137d0242e4410ada725e6e3b7ef6cffc85615195 Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Wed, 4 Sep 2024 08:47:14 +0200 Subject: [PATCH 07/10] Use a config map to configure the runner --- README.md | 17 ++++++++++++++++- templates/gitea/runner-config.yaml | 9 +++++++++ templates/gitea/runner.yaml | 10 ++++++++-- values.yaml | 5 ++++- 4 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 templates/gitea/runner-config.yaml diff --git a/README.md b/README.md index 7f59190..58e0a6a 100644 --- a/README.md +++ b/README.md 
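Review bot: `tag: "3.5.1"` has no `# renovate:` comment, unlike the tool versions in `.forgejo/workflows/build.yml` earlier in this series, so the image that executes untrusted CI jobs will not receive automated updates; add e.g. `tag: "3.5.1" # renovate: datasource=docker depName=code.forgejo.org/forgejo/runner` (adjust to the datasource your Renovate config uses). `pullPolicy: IfNotPresent` is set here, which makes the `default .Values.image.pullPolicy …` fallback in runner.yaml dead code and contradicts the README's "Overrides the pull policy set globally" wording — leave it unset if the global policy is meant to apply. Prefer `registrationSecretName: null` over `~`, and give `enabled` a comment noting that enabling the runner deploys a privileged Docker-in-Docker sidecar.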
@@ -1090,8 +1090,24 @@ The chart can deploy an [Actions Runner](https://forgejo.org/docs/latest/admin/a The available runner tags are listed here: +The **Runner Configuration** `gitea.actions.runner.config` is simply the contents of the +[runner config file](https://forgejo.codeberg.page/docs/v1.20/admin/actions/#configuration). +Make sure to specify at least one label so that workflows can find the runner. + +Default runner config: + +```yaml +gitea: + actions: + config: + runner: + labels: + - docker:docker://node:16-bullseye + ``` + | Name | Description | Value | |-----------------------------------------------|------------------------------------------------------------|--------------------| +| `gitea.actions.runner.config` | Runner configuration map. | | | `gitea.actions.runner.enabled` | Enable automatic deployment of a runner. | `false` | | `gitea.actions.runner.image.pullPolicy` | Overrides the pull policy set globally for actions runners | | | `gitea.actions.runner.image.registry` | Image registry, e.g. gcr.io,docker.io | `code.forgejo.org` | @@ -1099,7 +1115,6 @@ The available runner tags are listed here: Date: Wed, 4 Sep 2024 09:07:40 +0200 Subject: [PATCH 08/10] gitea.config.actions.enabled is true by default --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 58e0a6a..0d16610 100644 --- a/README.md +++ b/README.md @@ -1086,8 +1086,6 @@ blocks, while the keys themselves remain in all caps. The chart can deploy an [Actions Runner](https://forgejo.org/docs/latest/admin/actions/#forgejo-runner). -**Note** You also need to set `gitea.config.actions.enabled=true` if you want to use runners. - The available runner tags are listed here: The **Runner Configuration** `gitea.actions.runner.config` is simply the contents of the From 09315fd11505e713af43cd10f24d36f6d2ab47a8 Mon Sep 17 00:00:00 2001 
From: Stefan Bethke Date: Wed, 4 Sep 2024 09:07:50 +0200 Subject: [PATCH 09/10] fix style --- values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/values.yaml b/values.yaml index c239e95..5cc70ae 100644 --- a/values.yaml +++ b/values.yaml @@ -371,9 +371,9 @@ gitea: labels: - docker:docker://node:16-bullseye image: - registry: "code.forgejo.org" + registry: code.forgejo.org repository: forgejo/runner - tag: "3.5.1" + tag: 3.5.1 pullPolicy: IfNotPresent registrationSecretName: ~ replicas: 1 From 8cf27f3a90f6928c2dc00e44f2af8a619fc8d68b Mon Sep 17 00:00:00 2001 From: Stefan Bethke Date: Wed, 4 Sep 2024 09:10:31 +0200 Subject: [PATCH 10/10] temp volume is not needed --- templates/gitea/runner.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/templates/gitea/runner.yaml b/templates/gitea/runner.yaml index 93311dd..46099b6 100644 --- a/templates/gitea/runner.yaml +++ b/templates/gitea/runner.yaml @@ -42,8 +42,6 @@ spec: mountPath: /data - name: runner-secret mountPath: /runner-secret - - name: temp - mountPath: /tmp containers: - name: {{ .Chart.Name }} image: "{{ include "gitea.actions-image" . }}" @@ -68,8 +66,6 @@ spec: subPath: config.yaml - name: data mountPath: /data - - name: temp - mountPath: /tmp - name: daemon image: docker:23.0.6-dind-rootless env: @@ -90,8 +86,6 @@ spec: name: {{ include "gitea.fullname" . }}-runner - name: data emptyDir: {} - - name: temp - emptyDir: {} - name: runner-secret secret: secretName: {{ include "gitea.fullname" . }}-runner-registration
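Review bot: Dropping the quotes around `tag: 3.5.1` is safe only because the value has two dots; the first tag with one (`3.10`, `4.0`) would be parsed as a YAML float and rendered as `3.1` or `4`, yielding a pull failure or, worse, a different image than intended, and automated bumpers write whatever the upstream tag is. Keep image tags quoted (`tag: "3.5.1"`) even where the linter allows otherwise; the `registry` change is harmless. Separately, the context line `docker:docker://node:16-bullseye` makes Node 16, end-of-life since September 2023, the default job container; consider a supported base such as `node:20-bookworm` for the default label.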