bp99/helm-actions
1
0
Fork 0
mirror of https://gitea.com/gitea/helm-actions.git synced 2026-04-05 09:10:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
v0.0.2
helm-actions/templates/statefulset.yaml
Stephen Sullivan b91d297e32 feat(chart): Make the securityContext for the StatefulSet configurable (#62) 
<!--
 Before you open the request please review the following guidelines and tips to help it be more easily integrated:

 - Describe the scope of your change - i.e. what the change does.
 - Describe any known limitations with your change.
 - Please run any tests or examples that can exercise your modified code.

 Thank you for contributing! We will try to review, test and integrate the change as soon as we can.
 -->

### Description of the change

<!-- Describe the scope of your change - i.e. what the change does. -->

This patch adds the ability to **customize the `SecurityContext`** for the `statefulset` of the Gitea Actions `act_runner`.
This allows users to configure pod-level security settings, such as `fsGroup` and `fsGroupChangePolicy`.
The patch introduces `statefulset.podSecurityContext` as a new configurable parameter.

### Benefits

<!-- What benefits will be realized by the code change? -->
This change makes the chart more configurable for different kinds of deployment scenarios.

### Possible drawbacks

<!-- Describe any known limitations with your change -->

### Applicable issues

<!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
- Fixes #

### Additional information

<!-- If there's anything else that's important and relevant to your pull request, mention that information here. Please remove this section if it remains empty. -->

  * The patch only adds the ability to customize the `podSecurityContext` for the `statefulset`. It does not modify any other security settings or introduce new features beyond this customization.
  * The default value for `statefulset.podSecurityContext` is an empty object `{}`, meaning no security context is applied unless the user explicitly defines it.

### ⚠ BREAKING

<!-- If there's a breaking change, please shortly describe in which way users are affected and how they can mitigate it. If there are no breakings, please remove this section. -->

### Checklist

<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->

- [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
- [X] Helm templating unittests are added (required when changing anything in `templates` folder)
- [X] All added template resources MUST render a namespace in metadata

Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/62
Reviewed-by: DaanSelen <daanselen@noreply.gitea.com>
Co-authored-by: Stephen Sullivan <sjsullivan7@gmail.com>
Co-committed-by: Stephen Sullivan <sjsullivan7@gmail.com>
2025-11-03 17:43:27 +00:00

141 lines
5.2 KiB
YAML
Raw Permalink Blame History

{{- if .Values.enabled }}
{{- $secretName := include "gitea.actions.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
{{- include "gitea.actions.labels.actRunner" . | nindent 4 }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.statefulset.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "gitea.actions.fullname" . }}-act-runner
namespace: {{ .Values.namespace | default .Release.Namespace }}
spec:
replicas: {{ .Values.statefulset.replicas | default 1 }}
selector:
matchLabels:
{{- include "gitea.actions.selectorLabels.actRunner" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/config-act-runner.yaml") . | sha256sum }}
labels:
{{- include "gitea.actions.labels.actRunner" . | nindent 8 }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
securityContext:
{{- toYaml .Values.statefulset.securityContext | nindent 8 }}
initContainers:
- name: init-gitea
image: "{{ include "gitea.actions.init.image" . }}"
command:
- sh
- -c
- |
echo 'Trying to reach Gitea on {{ include "gitea.actions.local_root_url" . }}'
until timeout 10 wget --no-check-certificate --spider {{ include "gitea.actions.local_root_url" . }}; do
sleep 3
echo "Trying again in 3 seconds..."
done
echo "Gitea has been reached!"
containers:
- name: act-runner
image: "{{ include "gitea.actions.actRunner.image" . }}"
imagePullPolicy: {{ .Values.statefulset.actRunner.pullPolicy }}
workingDir: /data
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/client
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: "{{ .Values.existingSecret | default $secretName }}"
key: "{{ .Values.existingSecretKey | default "token" }}"
- name: GITEA_INSTANCE_URL
value: {{ include "gitea.actions.local_root_url" . }}
- name: CONFIG_FILE
value: /actrunner/config.yaml
- name: TZ
value: {{ .Values.statefulset.timezone | default "Etc/UTC" }}
{{- if .Values.statefulset.actRunner.extraEnvs }}
{{- toYaml .Values.statefulset.actRunner.extraEnvs | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /actrunner/config.yaml
name: act-runner-config
subPath: config.yaml
- mountPath: /certs/client
name: docker-certs
- mountPath: /data
name: data-act-runner
{{- with .Values.statefulset.actRunner.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: dind
image: "{{ include "gitea.actions.dind.image" . }}"
imagePullPolicy: {{ .Values.statefulset.dind.pullPolicy }}
env:
- name: DOCKER_HOST
value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY
value: "1"
- name: DOCKER_CERT_PATH
value: /certs/client
{{- if .Values.statefulset.dind.extraEnvs }}
{{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }}
{{- end }}
securityContext:
privileged: true
resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }}
volumeMounts:
- mountPath: /certs/client
name: docker-certs
{{- with .Values.statefulset.dind.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- range $key, $value := .Values.statefulset.nodeSelector }}
nodeSelector:
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- with .Values.statefulset.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.statefulset.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: act-runner-config
configMap:
name: {{ include "gitea.actions.fullname" . }}-act-runner-config
- name: docker-certs
emptyDir: {}
{{- with .Values.statefulset.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeClaimTemplates:
- metadata:
name: data-act-runner
spec:
accessModes: [ "ReadWriteOnce" ]
{{- include "gitea.actions.persistence.storageClass" . | nindent 8 }}
resources:
requests:
storage: {{ .Values.statefulset.persistence.size }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink