Add GitHub Actions to publish helm chart (#257)

* Add chart workflows (#1) * Add chart workflows * Fix publishing step in CI Signed-off-by: David Young <davidy@funkypenguin.co.nz> * Update CI on push-to-master (#3) * Put helm installation step in the correct CI job Signed-off-by: David Young <davidy@funkypenguin.co.nz> * Put helm installation step in the correct CI job (#4) * Update on-push-master-publish-chart.yml * Remove references to certmanager dependency Signed-off-by: David Young <davidy@funkypenguin.co.nz> * Add ability to customize kube-rbac-proxy image Signed-off-by: David Young <davidy@funkypenguin.co.nz> * Only install cert-manager if we're going to spin up KinD Signed-off-by: David Young <davidy@funkypenguin.co.nz>
2025-12-20 06:56:51 +00:00 · 2021-01-24 19:37:01 +13:00
parent ace95d72ab
commit 1127c447c4
12 changed files with 275 additions and 5 deletions
--- a/charts/actions-runner-controller/Chart.yaml
+++ b/charts/actions-runner-controller/Chart.yaml
@@ -15,9 +15,22 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.2

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.11.2
+appVersion: 0.16.0
+
+home: https://github.com/summerwind/actions-runner-controller
+
+sources:
+    - https://github.com/summerwind/actions-runner-controller
+
+maintainers:
+    - name: summerwind
+      email: contact@summerwind.jp
+      url: https://github.com/summerwind
+    - name: funkypenguin
+      email: davidy@funkypenguin.co.nz
+      url: https://www.funkypenguin.co.nz
--- a/charts/actions-runner-controller/ci/ci-values.yaml
+++ b/charts/actions-runner-controller/ci/ci-values.yaml
@@ -0,0 +1,27 @@
+# This file sets some opinionated values for kube-score to use
+# when parsing the chart
+image:
+  pullPolicy: Always
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext: 
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+
+resources: 
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi  
+
+# Set the following to true to create a dummy secret, allowing the manager pod to start
+# This is only useful in CI
+createDummySecret: true
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
@@ -89,7 +89,7 @@ Create the name of the service account to use
 {{- end }}

 {{- define "actions-runner-controller.authProxyServiceName" -}}
-{{- include "actions-runner-controller.fullname" . }}-controller-manager-metrics-service
+{{- include "actions-runner-controller.fullname" . }}-metrics-service
 {{- end }}

 {{- define "actions-runner-controller.selfsignedIssuerName" -}}
--- a/charts/actions-runner-controller/templates/ci-secret.yaml
+++ b/charts/actions-runner-controller/templates/ci-secret.yaml
@@ -0,0 +1,10 @@
+# This template only exists to facilitate CI testing of the chart, since
+# a secret is expected to be found in the namespace by the controller manager
+{{ if .Values.createDummySecret -}}
+apiVersion: v1
+data:
+  github_token: dGVzdA==
+kind: Secret
+metadata:
+  name: controller-manager
+{{- end }}
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@@ -66,10 +66,14 @@ spec:
          protocol: TCP
        resources:
          {{- toYaml .Values.resources | nindent 12 }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}          
        volumeMounts:
        - mountPath: "/etc/actions-runner-controller"
          name: controller-manager
          readOnly: true
+        - mountPath: /tmp
+          name: tmp         
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
@@ -78,11 +82,16 @@ spec:
        - "--upstream=http://127.0.0.1:8080/"
        - "--logtostderr=true"
        - "--v=10"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+        image: "{{ .Values.kube_rbac_proxy.image.repository }}:{{ .Values.kube_rbac_proxy.image.tag }}"
        name: kube-rbac-proxy
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
        ports:
        - containerPort: 8443
          name: https
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}   
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}     
      terminationGracePeriodSeconds: 10
      volumes:
      - name: controller-manager
@@ -92,6 +101,8 @@ spec:
        secret:
          defaultMode: 420
          secretName: webhook-server-cert
+      - name: tmp
+        emptyDir: {}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@@ -26,6 +26,11 @@ image:
  dindSidecarRepositoryAndTag: "docker:dind"
  pullPolicy: IfNotPresent

+kube_rbac_proxy:
+  image:
+    repository: gcr.io/kubebuilder/kube-rbac-proxy
+    tag: v0.4.1
+
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
@@ -97,4 +102,4 @@ affinity: {}
 # Leverage a PriorityClass to ensure your pods survive resource shortages
 # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
 # PriorityClass: system-cluster-critical
-priorityClassName: ""
+priorityClassName: ""