From d17d1fd865b58bc22e1fc1e84428f0c4fcf2ba1b Mon Sep 17 00:00:00 2001 From: thisisqasim Date: Mon, 3 Nov 2025 20:54:01 +0000 Subject: [PATCH] Simplify dind setup to allow for default docker config in workflows (#46) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Description of the change This switches the dind daemon to socket mode which allows default docker config in workflows. If also simplifies the statefulset by leveraging sidecar containers and probes to replace the inline bash script ### Benefits No need to override docker configs in workflows. Enable use of buildx ### Possible drawbacks EOL kubernetes versions i.e before 1.29 may not support sidecar containers ### Applicable issues - Fixes #40 - Fixes #27 ### ⚠ BREAKING Switches Docker client to socket mode instead of TCP. Any workflows that override the default docker client config will need to be updated. ### Checklist - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [x] Breaking changes are documented in the `README.md` - [x] Helm templating unittests are added (required when changing anything in `templates` folder) - [x] Bash unittests are added (required when changing anything in `scripts` folder) - [x] All added template resources MUST render a namespace in metadata Co-authored-by: ThisIsQasim <18313886+ThisIsQasim@users.noreply.github.com> Co-authored-by: ChristopherHX Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/46 Reviewed-by: DaanSelen Reviewed-by: ChristopherHX Co-authored-by: thisisqasim Co-committed-by: thisisqasim --- templates/statefulset.yaml | 66 +++++++++++++++++---------------- unittests/helm/statefulset.yaml | 24 ++++++------ 2 files changed, 46 insertions(+), 44 deletions(-) diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index a1b550d..8cbcf3c 100644 
--- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -45,18 +45,42 @@ spec: echo "Trying again in 3 seconds..." done echo "Gitea has been reached!" + - name: dind + image: "{{ include "gitea.actions.dind.image" . }}" + imagePullPolicy: {{ .Values.statefulset.dind.pullPolicy }} + {{- if .Values.statefulset.dind.extraEnvs }} + env: + {{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }} + {{- end }} + restartPolicy: Always + securityContext: + privileged: true + startupProbe: + exec: + command: + - /usr/bin/test + - -S + - /var/run/docker.sock + livenessProbe: + exec: + command: + - /usr/bin/test + - -S + - /var/run/docker.sock + resources: + {{- toYaml .Values.statefulset.resources | nindent 12 }} + volumeMounts: + - mountPath: /var/run/ + name: docker-socket + {{- with .Values.statefulset.dind.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} containers: - name: act-runner image: "{{ include "gitea.actions.actRunner.image" . }}" imagePullPolicy: {{ .Values.statefulset.actRunner.pullPolicy }} workingDir: /data env: - - name: DOCKER_HOST - value: tcp://127.0.0.1:2376 - - name: DOCKER_TLS_VERIFY - value: "1" - - name: DOCKER_CERT_PATH - value: /certs/client - name: GITEA_RUNNER_REGISTRATION_TOKEN valueFrom: secretKeyRef: 
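Review bot: The added `livenessProbe` is the same `test -S /var/run/docker.sock` as the `startupProbe`, so it only checks that the socket file exists; a dockerd that is hung but still has its socket file in place passes, and the probe never triggers a restart. I'd keep the file test for startup and make liveness actually talk to the daemon, e.g. `command: ["docker", "-H", "unix:///var/run/docker.sock", "version"]`, which the official `docker:*-dind` images can run since they ship the CLI. `restartPolicy: Always` on an init container is the native-sidecar field; on an API server that does not know it the field is, as far as I can tell, silently dropped and the init container then runs dockerd forever and wedges the pod, so a `{{- if semverCompare "<1.29-0" .Capabilities.KubeVersion.Version }}{{ fail "dind sidecar needs Kubernetes >= 1.29" }}{{ end }}` near the top of the template would make the requirement from the description explicit instead of a mystery hang. A comment above `privileged: true` saying that this daemon's socket is shared with act-runner, so anything that can open it is root-equivalent on the node, would also help the next maintainer.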
@@ -77,36 +101,14 @@ spec: - mountPath: /actrunner/config.yaml name: act-runner-config subPath: config.yaml - - mountPath: /certs/client - name: docker-certs + - mountPath: /var/run/docker.sock + name: docker-socket + subPath: docker.sock - mountPath: /data name: data-act-runner {{- with .Values.statefulset.actRunner.extraVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} - - name: dind - image: "{{ include "gitea.actions.dind.image" . }}" - imagePullPolicy: {{ .Values.statefulset.dind.pullPolicy }} - env: - - name: DOCKER_HOST - value: tcp://127.0.0.1:2376 - - name: DOCKER_TLS_VERIFY - value: "1" - - name: DOCKER_CERT_PATH - value: /certs/client - {{- if .Values.statefulset.dind.extraEnvs }} - {{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }} - {{- end }} - securityContext: - privileged: true - resources: - {{- toYaml .Values.statefulset.resources | nindent 12 }} - volumeMounts: - - mountPath: /certs/client - name: docker-certs - {{- with .Values.statefulset.dind.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} {{- range $key, $value := .Values.statefulset.nodeSelector }} nodeSelector: {{ $key }}: {{ $value | quote }} @@ -123,7 +125,7 @@ spec: - name: act-runner-config configMap: name: {{ include "gitea.actions.fullname" . }}-act-runner-config - - name: docker-certs + - name: docker-socket emptyDir: {} {{- with .Values.statefulset.extraVolumes }} {{- toYaml . | nindent 8 }} diff --git a/unittests/helm/statefulset.yaml b/unittests/helm/statefulset.yaml index a16b1dc..948bfe8 100644 --- a/unittests/helm/statefulset.yaml +++ b/unittests/helm/statefulset.yaml @@ -74,7 +74,7 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[1].image + path: spec.template.spec.initContainers[1].image value: test.io/dind:x.y.z - it: dind uses global.imageRegistry template: templates/statefulset.yaml 
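Review bot: The act-runner mount `- mountPath: /var/run/docker.sock` with `subPath: docker.sock` bind-mounts the socket inode that exists when act-runner starts; when the dind sidecar is restarted (liveness failure or crash), dockerd unlinks and recreates `docker.sock`, and act-runner keeps the stale inode until the pod itself is recreated. Mounting the emptyDir as a directory avoids that — `- mountPath: /var/run` with `name: docker-socket` and no `subPath` — provided nothing else in the act-runner image lives under `/var/run`; otherwise a dedicated directory, though that reintroduces the `DOCKER_HOST` override this change set out to remove. Either way I'd add a comment above the mount: `# Socket of the privileged dind daemon: anything that can open it is root-equivalent on the node (same exposure as the former TCP endpoint).`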
@@ -92,7 +92,7 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[1].image + path: spec.template.spec.initContainers[1].image value: test.io/docker:28.3.3-dind - it: init uses fullOverride template: templates/statefulset.yaml @@ -152,15 +152,15 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[0].env[7] + path: spec.template.spec.containers[0].env[4] value: name: CUSTOM_ENV value: "1" - matchRegex: - path: spec.template.spec.containers[0].env[8].valueFrom.fieldRef.fieldPath + path: spec.template.spec.containers[0].env[5].valueFrom.fieldRef.fieldPath pattern: "metadata\\.name" - matchRegex: - path: spec.template.spec.containers[0].env[8].name + path: spec.template.spec.containers[0].env[5].name pattern: "GITEA_RUNNER_NAME" - it: Has fsGroup in securityContext template: templates/statefulset.yaml @@ -235,7 +235,7 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[0].env[3] + path: spec.template.spec.containers[0].env[0] value: name: GITEA_RUNNER_REGISTRATION_TOKEN valueFrom: @@ -256,7 +256,7 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[0].env[3] + path: spec.template.spec.containers[0].env[0] value: name: GITEA_RUNNER_REGISTRATION_TOKEN valueFrom: @@ -295,7 +295,7 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[0].env[4] + path: spec.template.spec.containers[0].env[1] value: name: GITEA_INSTANCE_URL value: "http://git.example.com" @@ -323,7 +323,7 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[0].env[4] + path: spec.template.spec.containers[0].env[1] value: name: GITEA_INSTANCE_URL value: "https://git.example.com" 
@@ -351,7 +351,7 @@ tests: apiVersion: apps/v1 name: gitea-unittests-actions-act-runner - equal: - path: spec.template.spec.containers[0].env[4] + path: spec.template.spec.containers[0].env[1] value: name: GITEA_INSTANCE_URL value: "https://git.example.com:8443" @@ -375,7 +375,7 @@ tests: value: "custom env value" asserts: - equal: - path: spec.template.spec.containers[1].env[3] + path: spec.template.spec.initContainers[1].env[0] value: name: "CUSTOM_ENV_NAME" value: "custom env value" @@ -425,7 +425,7 @@ tests: name: gitea-unittests-actions-act-runner - contains: any: true - path: spec.template.spec.containers[1].volumeMounts + path: spec.template.spec.initContainers[1].volumeMounts content: mountPath: /mnt name: my-dind-volume
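Review bot: The unit-test changes only re-index existing assertions; nothing asserts the behavior this PR actually introduces — the probes on the dind init container, the `/var/run/docker.sock` + `subPath: docker.sock` mount in act-runner, or that `DOCKER_HOST`/`DOCKER_TLS_VERIFY`/`DOCKER_CERT_PATH` are gone from the runner env — so the "Helm templating unittests are added" checklist item is not really met. A case along the lines below, with the same document selection the neighbouring cases use, would pin the breaking change. Positional paths such as `env[4]` are also brittle; for the env removal a `notContains` on `containers[0].env` is more robust than re-indexing.
```yaml
  - it: mounts the dind socket into act-runner and drops the TCP client env
    template: templates/statefulset.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /var/run/docker.sock
            name: docker-socket
            subPath: docker.sock
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: DOCKER_HOST
          any: true
      - equal:
          path: spec.template.spec.initContainers[1].startupProbe.exec.command
          value: ["/usr/bin/test", "-S", "/var/run/docker.sock"]
```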