Helm

Deploy Crow CI on Kubernetes using the official Helm chart.

  1. Add the Helm repository:

     helm repo add crowci https://codeberg.org/api/packages/crowci/helm

  2. Install the chart:

     helm install crow crowci/crow

Or use OCI directly:

helm install crow oci://codefloe.com/crowci/crow

By default, createAgentSecret: true creates a shared secret for server-agent authentication, and the agents shipped with the chart are configured to use it automatically.

Set CROW_BACKEND_K8S_VOLUME_SIZE for temporary workflow volumes:

server:
  env:
    CROW_BACKEND_K8S_VOLUME_SIZE: "2Gi"

Crow deploys a fresh “workflow” volume for each pipeline run. The volume lasts for the duration of that pipeline and must be large enough to hold the workflow’s temporary data.

Inject sensitive values from Kubernetes secrets:

extraSecretNamesForEnvFrom:
  - my-crow-secrets

Common sensitive values:

  • CROW_DATABASE_DATASOURCE
  • CROW_FORGEJO_SECRET (OAuth)
  • CROW_AGENT_SECRET (if not using auto-generated)

To allow external agents to register, enable TLS-secured GRPC ingress:

server:
  [...]
  env:
    CROW_GRPC_SECURE: "true"

ingress:
  [...]
  grpc:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: "<letsencrypt-issuer>"
    hosts:
      - host: grpc.example.com
        paths:
          - path: /
    tls:
      - hosts:
          - grpc.example.com
        secretName: grpc-example-com-tls

Spread agent pods across nodes:

affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
            - key: app.kubernetes.io/name
              operator: In
              values:
                - crow-agent
        topologyKey: kubernetes.io/hostname

Crow encrypts secrets using Google Tink.

  1. Generate a keyset:

    tinkey create-keyset --key-template AES256_GCM --out-format json --out tink-keyset.json
  2. Create a Kubernetes secret:

    kubectl create secret generic crow-encryption-keyset \
      --from-file=tink-keyset.json=./tink-keyset.json
  3. Enable in values:

    server:
      encryption:
        enabled: true
        existingSecret: crow-encryption-keyset
        keysetKey: tink-keyset.json
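A pre-flight check between steps 1 and 2, added here as an example and not part of the Crow project or its chart: it confirms that the file tinkey wrote has exactly one enabled AES-GCM primary key before that file is turned into a Kubernetes secret, so a wrong key template or a hand-edited keyset is caught before the server tries to use it. The sample keyset is constructed with placeholder key material, and check_keyset is an assumed helper name.

```python
import json

AES_GCM_TYPE_URL = "type.googleapis.com/google.crypto.tink.AesGcmKey"

# Constructed sample in Tink's cleartext JSON keyset layout; the key material is
# a placeholder, not a real key.
SAMPLE_KEYSET = json.dumps({
    "primaryKeyId": 1234567890,
    "key": [{
        "keyData": {"typeUrl": AES_GCM_TYPE_URL,
                    "value": "PLACEHOLDER-NOT-A-REAL-KEY",
                    "keyMaterialType": "SYMMETRIC"},
        "status": "ENABLED",
        "keyId": 1234567890,
        "outputPrefixType": "TINK",
    }],
})


def check_keyset(keyset_json: str) -> list:
    """Return a list of problems; empty means the keyset has a single enabled
    AES-GCM primary key, which is what the tinkey step above produces."""
    try:
        ks = json.loads(keyset_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    primary_id = ks.get("primaryKeyId")
    if primary_id is None:
        problems.append("primaryKeyId missing")
    primaries = [k for k in ks.get("key", []) if k.get("keyId") == primary_id]
    if len(primaries) != 1:
        problems.append("primaryKeyId must refer to exactly one key entry")
        return problems
    primary, data = primaries[0], primaries[0].get("keyData", {})
    if primary.get("status") != "ENABLED":
        problems.append("primary key is not ENABLED")
    if data.get("typeUrl") != AES_GCM_TYPE_URL:
        problems.append(f"primary key type is {data.get('typeUrl')!r}, expected AES-GCM")
    if data.get("keyMaterialType") != "SYMMETRIC":
        problems.append("primary key material is not SYMMETRIC")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_KEYSET with open("tink-keyset.json").read() for a real run.
    issues = check_keyset(SAMPLE_KEYSET)
    print("keyset OK" if not issues else "problems: " + "; ".join(issues))
```

Only create the kubectl secret in step 2 when the check reports no problems.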

To decrypt existing data before disabling encryption, set disable: true while keeping the keyset reference in place:

server:
  encryption:
    disable: true
    existingSecret: crow-encryption-keyset
    keysetKey: tink-keyset.json

Wait for decryption to complete (check the server logs), then remove the encryption configuration.

The Helm chart configures security contexts for both server and agent components.

The server uses fsGroup: 1000 to ensure the crow user can write to the persistent volume at /var/lib/crow.

The agent runs as non-root by default with runAsUser: 1000 and fsGroup: 1000.

Enable Prometheus metrics:

metrics:
  enabled: true
  port: 9001

prometheus:
  podmonitor:
    enabled: true
    interval: 60s

If metrics aren’t collected, verify Prometheus namespace selectors:

podMonitorNamespaceSelector:
  matchLabels: {}
podMonitorSelector:
  matchLabels: {}