diff --git a/README.md b/README.md
index a0645da..bb31207 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,7 @@ You should be good to go!
 | `statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` |
 | `statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` |
 | `statefulset.persistence.size` | Size for persistence to store act runner data | `1Gi` |
+| `statefulset.securityContext` | Customize the SecurityContext | `{}` |
 | `existingSecret` | Secret that contains the token | `""` |
 | `existingSecretKey` | Secret key | `""` |
 | `giteaRootURL` | URL the act_runner registers and connect with | `""` |
diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
index 6635af3..a1b550d 100644
--- a/templates/statefulset.yaml
+++ b/templates/statefulset.yaml
@@ -30,6 +30,8 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
+ securityContext:
+ {{- toYaml .Values.statefulset.securityContext | nindent 8 }}
 initContainers:
 - name: init-gitea
 image: "{{ include "gitea.actions.init.image" . }}"
diff --git a/unittests/helm/statefulset.yaml b/unittests/helm/statefulset.yaml
index ca38302..a16b1dc 100644
--- a/unittests/helm/statefulset.yaml
+++ b/unittests/helm/statefulset.yaml
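Review bot: In the templates/statefulset.yaml hunk the new `securityContext:` key under `spec:` is emitted unconditionally, so the default `statefulset.securityContext: {}` renders an explicit empty pod securityContext instead of leaving the manifest unchanged for users who set nothing; guarding it with `{{- with .Values.statefulset.securityContext }}` / `securityContext:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` keeps the key out of the output when the value is empty while still passing the new fsGroup tests. This only wires the pod-level `spec.template.spec.securityContext`; a container-level securityContext for `init-gitea` and the other containers is not part of this change, which is worth stating in the value's description so container-only fields such as `allowPrivilegeEscalation` or `capabilities` are not expected to apply here. The `template.spec` block begins before this hunk and its container definitions continue after it.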
@@ -162,6 +162,60 @@ tests:
 - matchRegex:
 path: spec.template.spec.containers[0].env[8].name
 pattern: "GITEA_RUNNER_NAME"
+ - it: Has fsGroup in securityContext
+ template: templates/statefulset.yaml
+ set:
+ enabled: true
+ existingSecret: "my-secret"
+ existingSecretKey: "my-secret-key"
+ statefulset.securityContext:
+ fsGroup: 1000
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: StatefulSet
+ apiVersion: apps/v1
+ name: gitea-unittests-actions-act-runner
+ - equal:
+ path: spec.template.spec.securityContext["fsGroup"]
+ value: 1000
+ - it: Has fsGroupChangePolicy in securityContext
+ template: templates/statefulset.yaml
+ set:
+ enabled: true
+ existingSecret: "my-secret"
+ existingSecretKey: "my-secret-key"
+ statefulset.securityContext:
+ fsGroupChangePolicy: OnRootMismatch
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: StatefulSet
+ apiVersion: apps/v1
+ name: gitea-unittests-actions-act-runner
+ - equal:
+ path: spec.template.spec.securityContext["fsGroupChangePolicy"]
+ value: "OnRootMismatch"
+ - it: Has Always in securityContext
+ template: templates/statefulset.yaml
+ set:
+ enabled: true
+ existingSecret: "my-secret"
+ existingSecretKey: "my-secret-key"
+ statefulset.securityContext:
+ fsGroupChangePolicy: Always
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: StatefulSet
+ apiVersion: apps/v1
+ name: gitea-unittests-actions-act-runner
+ - equal:
+ path: spec.template.spec.securityContext["fsGroupChangePolicy"]
+ value: "Always"
 - it: doesn't renders a StatefulSet by default
 template: templates/statefulset.yaml
 asserts:
diff --git a/values.yaml b/values.yaml
index b90ad56..6e89f6d 100644
--- a/values.yaml
+++ b/values.yaml
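Review bot: None of the three new tests covers the default `statefulset.securityContext` value, so a template change that renders something other than an empty pod securityContext when nothing is set (a stray value, or a mis-indented `nindent` that moves the keys up a level) would still pass the suite; a fourth case with the same `enabled`/`existingSecret` setup and no `statefulset.securityContext` override should assert that `spec.template.spec.securityContext` is empty. The second and third cases (`OnRootMismatch` and `Always`) also differ only in the literal, and the name `Has Always in securityContext` does not say which field it exercises, so either fold them into one case or rename it to mention `fsGroupChangePolicy`. The `tests:` sequence starts before the hunk and continues after it.
```yaml
  - it: renders an empty pod securityContext by default
    template: templates/statefulset.yaml
    set:
      enabled: true
      existingSecret: "my-secret"
      existingSecretKey: "my-secret-key"
    asserts:
      - hasDocuments:
          count: 1
      # isEmpty is expected to accept both {} and an absent key; confirm against the helm-unittest version in use
      - isEmpty:
          path: spec.template.spec.securityContext
```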
@@ -31,6 +31,7 @@
 ## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
 ## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
 ## @param statefulset.persistence.size Size for persistence to store act runner data
+## @param statefulset.securityContext Customize the SecurityContext
 ## @param existingSecret Secret that contains the token
 ## @param existingSecretKey Secret key
 ## @param giteaRootURL URL the act_runner registers and connect with
@@ -45,6 +46,7 @@ statefulset:
 tolerations: []
 affinity: {}
 extraVolumes: []
+ securityContext: {}
 actRunner:
 registry: "docker.gitea.com"
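Review bot: The new `## @param statefulset.securityContext Customize the SecurityContext` line does not say which securityContext it configures; since the value lands in the pod-level `spec.template.spec.securityContext` (the unit tests assert `fsGroup` and `fsGroupChangePolicy` there), the description should name that level, e.g. `## @param statefulset.securityContext Pod-level securityContext (e.g. fsGroup, fsGroupChangePolicy) applied to the act runner pod template`, and the README table row should say the same. The `securityContext: {}` default in the second hunk is reasonable for backward compatibility, but a short comment above it pointing to the same scope would help readers of values.yaml alone. The second hunk's trailing context is cut off at the end of this excerpt.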