mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-06-01 19:11:48 +00:00
e61f97f8ac
This PR fixes #1367 with the minimum needed (plus the basics of annotations and labels, since some clusters need those for extra verifications, OPA, Kyverno, etc.). The added role is the minimum access I could get away with (tested each verb and resource individually), since the Kubernetes go library seems to use list and get even when not strictly necessary. I've defaulted to inactive, setting the serviceAccount.rbac.create=true will create the Role and roleBinding. The changes only affect the woodpecker-agent chart, as the woodpecker-server chart currently does nothing directly # Tests - [x] non default namespace (roleBindung uses namespace in a not automatically rewritten position) - [x] rbac.create enabled and disabled (nothing changes for disabled, since the templates use a guard) - [x] custom serviceAccount name - [x] both roleBinding and role with no annotations, no lables, single a&l, multiple each - [x] helm deploy to Kubernetes, with all settings mentioned above # Documentation Added in the comments of the values.yaml. Taking it into the docs might be helpful, but the Kubernetes section in the next docs is fairly empty, possibly open a new issue and solve when the chart for next is mostly done.
98 lines
3 KiB
YAML
98 lines
3 KiB
YAML
replicaCount: 2
|
|
|
|
image:
|
|
registry: docker.io
|
|
repository: woodpeckerci/woodpecker-agent
|
|
pullPolicy: Always
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
tag: ""
|
|
|
|
env:
|
|
WOODPECKER_SERVER: "woodpecker-server.<namespace>.svc.cluster.local:9000"
|
|
WOODPECKER_BACKEND: kubernetes
|
|
WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
|
|
WOODPECKER_BACKEND_K8S_STORAGE_CLASS: ""
|
|
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
|
|
WOODPECKER_BACKEND_K8S_STORAGE_RWX: true
|
|
|
|
# Docker-in-Docker is normally not needed as Woodpecker natively supports Kubernetes
|
|
dind:
|
|
enabled: false
|
|
image: "docker:20.10.12-dind"
|
|
env:
|
|
DOCKER_DRIVER: "overlay2"
|
|
resources: {}
|
|
|
|
extraSecretNamesForEnvFrom:
|
|
- woodpecker-secret
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created (also see RBAC subsection)
|
|
create: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
rbac:
|
|
# If your cluster has RBAC enabled and you're using the Kubernetes agent-
|
|
# backend you'll need this. (this is true for almost all production clusters)
|
|
# only change this if you have a non CNCF compliant cluster, missing the RBAC endpoints
|
|
# the Role and RoleBinding are only created if serviceAccount.create is also true
|
|
create: true
|
|
# additional annotations and labels in role and roleBinding are only needed, if you
|
|
# are using additional tooling to manage / verify roles or roleBindings (OPA, etc.)
|
|
role:
|
|
annotations: {}
|
|
labels: {}
|
|
roleBinding:
|
|
annotations: {}
|
|
labels: {}
|
|
|
|
podAnnotations: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|
|
|
|
## Using topology spread constraints, you can ensure that there is at least one agent
|
|
## pod for each topology zone, e.g. one per arch for for multi-architecture clusters
|
|
## or one for each region for geographically distributed cloud-hosted clusters.
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
|
|
topologySpreadConstraints: []
|
|
# - maxSkew: 1
|
|
# topologyKey: "beta.kubernetes.io/arch"
|
|
# whenUnsatisfiable: "DoNotSchedule"
|
|
# labelSelector:
|
|
# matchLabels:
|
|
# "app.kubernetes.io/name": woodpecker-agent
|