Helm
Deploy Crow CI on Kubernetes using the official Helm chart.
Installation
- Add the Helm repository:

    helm repo add crowci https://codeberg.org/api/packages/crowci/helm

- Install the chart:

    helm install crow crowci/crow

Or use OCI directly:

    helm install crow oci://codeberg.org/crowci/crow

Configuration
Agent Secret
By default, createAgentSecret: true creates a shared secret for server-agent authentication.
The default agents are automatically configured.
Workflow Volume Size
Set CROW_BACKEND_K8S_VOLUME_SIZE for temporary workflow volumes:

    server:
      env:
        CROW_BACKEND_K8S_VOLUME_SIZE: "2Gi"

Crow will deploy a fresh “workflow” volume for each pipeline. It will last the duration of the pipeline and should be large enough to accommodate the workflow’s (temporary) data.
Sensitive Secrets
Inject sensitive values from Kubernetes secrets:

    extraSecretNamesForEnvFrom:
      - my-crow-secrets

Common sensitive values:
- CROW_DATABASE_DATASOURCE
- CROW_FORGEJO_SECRET (OAuth)
- CROW_AGENT_SECRET (if not using auto-generated)
External Agents
To allow external agents to register, enable TLS-secured gRPC ingress:

    server:
      [...]
      env:
        CROW_GRPC_SECURE: "true"

    ingress:
      [...]
      grpc:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: "<letsencrypt-issuer>"
        hosts:
          - host: grpc.example.com
            paths:
              - path: /
        tls:
          - hosts:
              - grpc.example.com
            secretName: grpc-example-com-tls

Agent Affinity
Spread agent pods across nodes:

    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                    - crow-agent
            topologyKey: kubernetes.io/hostname

Encryption at Rest
Crow encrypts secrets using Google Tink.
- Generate a keyset:

    tinkey create-keyset --key-template AES256_GCM --out-format json --out tink-keyset.json

- Create a Kubernetes secret:

    kubectl create secret generic crow-encryption-keyset \
      --from-file=tink-keyset.json=./tink-keyset.json

- Enable in values:

    server:
      encryption:
        enabled: true
        existingSecret: crow-encryption-keyset
        keysetKey: tink-keyset.json
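A pre-flight check for tink-keyset.json before it is loaded into the Kubernetes secret, confirming that the primary key is an enabled 256-bit AES-GCM key. This is an added example, not part of the Crow documentation or chart; it assumes the cleartext Tink JSON keyset layout, and check_keyset, aes_gcm_key_len and sample_keyset are names chosen here.

```python
import base64
import json

AES_GCM_TYPE_URL = "type.googleapis.com/google.crypto.tink.AesGcmKey"

def aes_gcm_key_len(proto: bytes) -> int:
    """Length of key_value (field 3) in a serialized AesGcmKey; field 1 is the version."""
    i, key_len = 0, 0
    while i < len(proto):
        tag, arg = proto[i], proto[i + 1:i + 2]
        if tag == 0x08 and arg:              # field 1, varint (one byte assumed)
            i += 2
        elif tag == 0x1A and arg and i + 2 + arg[0] <= len(proto):  # field 3, bytes
            key_len, i = arg[0], i + 2 + arg[0]
        else:
            raise ValueError(f"unexpected or truncated field at offset {i}")
    return key_len

def check_keyset(text: str) -> list:
    """Return a list of problems; an empty list means the keyset looks usable."""
    try:
        keyset = json.loads(text)
        pid, keys = keyset["primaryKeyId"], keyset["key"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not a Tink JSON keyset: {exc!r}"]
    primary = [k for k in keys if k.get("keyId") == pid]
    if len(primary) != 1:
        return ["primaryKeyId does not match exactly one key"]
    problems, data = [], primary[0].get("keyData", {})
    if primary[0].get("status") != "ENABLED":
        problems.append("primary key is not ENABLED")
    if data.get("typeUrl") != AES_GCM_TYPE_URL:
        return problems + [f"primary key type is {data.get('typeUrl')!r}, expected AesGcmKey"]
    try:
        n = aes_gcm_key_len(base64.b64decode(str(data.get("value", ""))))
    except ValueError as exc:            # binascii.Error is a ValueError subclass
        return problems + [f"key material unreadable: {exc}"]
    if n != 32:
        problems.append(f"primary key is {n} bytes, expected 32 for AES256_GCM")
    return problems

def sample_keyset(key_bytes: int = 32, status: str = "ENABLED") -> str:
    """Constructed keyset with a non-secret counting-byte key, for the demo only."""
    proto = bytes([0x1A, key_bytes]) + bytes(range(key_bytes))
    data = {"typeUrl": AES_GCM_TYPE_URL, "value": base64.b64encode(proto).decode(),
            "keyMaterialType": "SYMMETRIC"}
    key = {"keyData": data, "status": status, "keyId": 1234567, "outputPrefixType": "TINK"}
    return json.dumps({"primaryKeyId": 1234567, "key": [key]})

if __name__ == "__main__":
    print(check_keyset(sample_keyset()) or "keyset OK")
```

To check a real file, pass its contents: check_keyset(open("tink-keyset.json").read()).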
Disabling Encryption
To decrypt existing data before disabling:

    server:
      encryption:
        disable: true
        existingSecret: crow-encryption-keyset
        keysetKey: tink-keyset.json

Wait for decryption to complete (check logs), then remove the configuration.
Metrics
Enable Prometheus metrics:

    metrics:
      enabled: true
      port: 9001

    prometheus:
      podmonitor:
        enabled: true
        interval: 60s

If metrics aren’t collected, verify Prometheus namespace selectors:

    podMonitorNamespaceSelector:
      matchLabels: {}
    podMonitorSelector:
      matchLabels: {}