Configure listener pod with the secret instead of env (#2965)

Co-authored-by: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
2025-12-11 12:06:57 +00:00 · 2023-10-19 12:29:32 +02:00
parent e1edb84abe
commit 2117fd1892
9 changed files with 401 additions and 321 deletions
--- a/cmd/githubrunnerscalesetlistener/autoScalerService.go
+++ b/cmd/githubrunnerscalesetlistener/autoScalerService.go
@@ -8,6 +8,7 @@ import (
 	"math"
 	"strings"

+	"github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/go-logr/logr"
 )
@@ -30,7 +31,7 @@ type Service struct {
 	errs               []error
 }

-func WithPrometheusMetrics(conf RunnerScaleSetListenerConfig) func(*Service) {
+func WithPrometheusMetrics(conf config.Config) func(*Service) {
 	return func(svc *Service) {
 		parsedURL, err := actions.ParseGitHubConfigFromURL(conf.ConfigureUrl)
 		if err != nil {
--- a/cmd/githubrunnerscalesetlistener/config/config.go
+++ b/cmd/githubrunnerscalesetlistener/config/config.go
@@ -0,0 +1,76 @@
+package config
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+)
+
+type Config struct {
+	ConfigureUrl                string `json:"configureUrl"`
+	AppID                       int64  `json:"appID"`
+	AppInstallationID           int64  `json:"appInstallationID"`
+	AppPrivateKey               string `json:"appPrivateKey"`
+	Token                       string `json:"token"`
+	EphemeralRunnerSetNamespace string `json:"ephemeralRunnerSetNamespace"`
+	EphemeralRunnerSetName      string `json:"ephemeralRunnerSetName"`
+	MaxRunners                  int    `json:"maxRunners"`
+	MinRunners                  int    `json:"minRunners"`
+	RunnerScaleSetId            int    `json:"runnerScaleSetId"`
+	RunnerScaleSetName          string `json:"runnerScaleSetName"`
+	ServerRootCA                string `json:"serverRootCA"`
+	LogLevel                    string `json:"logLevel"`
+	LogFormat                   string `json:"logFormat"`
+	MetricsAddr                 string `json:"metricsAddr"`
+	MetricsEndpoint             string `json:"metricsEndpoint"`
+}
+
+func Read(path string) (Config, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return Config{}, err
+	}
+	defer f.Close()
+
+	var config Config
+	if err := json.NewDecoder(f).Decode(&config); err != nil {
+		return Config{}, fmt.Errorf("failed to decode config: %w", err)
+	}
+
+	if err := config.validate(); err != nil {
+		return Config{}, fmt.Errorf("failed to validate config: %w", err)
+	}
+
+	return config, nil
+}
+
+func (c *Config) validate() error {
+	if len(c.ConfigureUrl) == 0 {
+		return fmt.Errorf("GitHubConfigUrl is not provided")
+	}
+
+	if len(c.EphemeralRunnerSetNamespace) == 0 || len(c.EphemeralRunnerSetName) == 0 {
+		return fmt.Errorf("EphemeralRunnerSetNamespace '%s' or EphemeralRunnerSetName '%s' is missing", c.EphemeralRunnerSetNamespace, c.EphemeralRunnerSetName)
+	}
+
+	if c.RunnerScaleSetId == 0 {
+		return fmt.Errorf("RunnerScaleSetId '%d' is missing", c.RunnerScaleSetId)
+	}
+
+	if c.MaxRunners < c.MinRunners {
+		return fmt.Errorf("MinRunners '%d' cannot be greater than MaxRunners '%d'", c.MinRunners, c.MaxRunners)
+	}
+
+	hasToken := len(c.Token) > 0
+	hasPrivateKeyConfig := c.AppID > 0 && c.AppPrivateKey != ""
+
+	if !hasToken && !hasPrivateKeyConfig {
+		return fmt.Errorf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(c.Token), c.AppID, c.AppInstallationID, len(c.AppPrivateKey))
+	}
+
+	if hasToken && hasPrivateKeyConfig {
+		return fmt.Errorf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(c.Token), c.AppID, c.AppInstallationID, len(c.AppPrivateKey))
+	}
+
+	return nil
+}
--- a/cmd/githubrunnerscalesetlistener/config/config_test.go
+++ b/cmd/githubrunnerscalesetlistener/config/config_test.go
@@ -0,0 +1,92 @@
+package config
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestConfigValidationMinMax(t *testing.T) {
+	config := &Config{
+		ConfigureUrl:                "github.com/some_org/some_repo",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetId:            1,
+		MinRunners:                  5,
+		MaxRunners:                  2,
+		Token:                       "token",
+	}
+	err := config.validate()
+	assert.ErrorContains(t, err, "MinRunners '5' cannot be greater than MaxRunners '2", "Expected error about MinRunners > MaxRunners")
+}
+
+func TestConfigValidationMissingToken(t *testing.T) {
+	config := &Config{
+		ConfigureUrl:                "github.com/some_org/some_repo",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetId:            1,
+	}
+	err := config.validate()
+	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
+	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
+}
+
+func TestConfigValidationAppKey(t *testing.T) {
+	config := &Config{
+		AppID:                       1,
+		AppInstallationID:           10,
+		ConfigureUrl:                "github.com/some_org/some_repo",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetId:            1,
+	}
+	err := config.validate()
+	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
+	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
+}
+
+func TestConfigValidationOnlyOneTypeOfCredentials(t *testing.T) {
+	config := &Config{
+		AppID:                       1,
+		AppInstallationID:           10,
+		AppPrivateKey:               "asdf",
+		Token:                       "asdf",
+		ConfigureUrl:                "github.com/some_org/some_repo",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetId:            1,
+	}
+	err := config.validate()
+	expectedError := fmt.Sprintf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
+	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
+}
+
+func TestConfigValidation(t *testing.T) {
+	config := &Config{
+		ConfigureUrl:                "https://github.com/actions",
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetId:            1,
+		MinRunners:                  1,
+		MaxRunners:                  5,
+		Token:                       "asdf",
+	}
+
+	err := config.validate()
+
+	assert.NoError(t, err, "Expected no error")
+}
+
+func TestConfigValidationConfigUrl(t *testing.T) {
+	config := &Config{
+		EphemeralRunnerSetNamespace: "namespace",
+		EphemeralRunnerSetName:      "deployment",
+		RunnerScaleSetId:            1,
+	}
+
+	err := config.validate()
+
+	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
+}
--- a/cmd/githubrunnerscalesetlistener/main.go
+++ b/cmd/githubrunnerscalesetlistener/main.go
@@ -28,39 +28,26 @@ import (
 	"time"

 	"github.com/actions/actions-runner-controller/build"
+	"github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/actions/actions-runner-controller/logging"
 	"github.com/go-logr/logr"
-	"github.com/kelseyhightower/envconfig"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"golang.org/x/net/http/httpproxy"
 	"golang.org/x/sync/errgroup"
 )

-type RunnerScaleSetListenerConfig struct {
-	ConfigureUrl                string `split_words:"true"`
-	AppID                       int64  `split_words:"true"`
-	AppInstallationID           int64  `split_words:"true"`
-	AppPrivateKey               string `split_words:"true"`
-	Token                       string `split_words:"true"`
-	EphemeralRunnerSetNamespace string `split_words:"true"`
-	EphemeralRunnerSetName      string `split_words:"true"`
-	MaxRunners                  int    `split_words:"true"`
-	MinRunners                  int    `split_words:"true"`
-	RunnerScaleSetId            int    `split_words:"true"`
-	RunnerScaleSetName          string `split_words:"true"`
-	ServerRootCA                string `split_words:"true"`
-	LogLevel                    string `split_words:"true"`
-	LogFormat                   string `split_words:"true"`
-	MetricsAddr                 string `split_words:"true"`
-	MetricsEndpoint             string `split_words:"true"`
-}
-
 func main() {
-	var rc RunnerScaleSetListenerConfig
-	if err := envconfig.Process("github", &rc); err != nil {
-		fmt.Fprintf(os.Stderr, "Error: processing environment variables for RunnerScaleSetListenerConfig: %v\n", err)
+	configPath, ok := os.LookupEnv("LISTENER_CONFIG_PATH")
+	if !ok {
+		fmt.Fprintf(os.Stderr, "Error: LISTENER_CONFIG_PATH environment variable is not set\n")
+		os.Exit(1)
+	}
+
+	rc, err := config.Read(configPath)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: reading config from path(%q): %v\n", configPath, err)
 		os.Exit(1)
 	}

@@ -80,12 +67,6 @@ func main() {
 		os.Exit(1)
 	}

-	// Validate all inputs
-	if err := validateConfig(&rc); err != nil {
-		logger.Error(err, "Inputs validation failed")
-		os.Exit(1)
-	}
-
 	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 	defer stop()

@@ -123,7 +104,7 @@ func main() {
 }

 type metricsServer struct {
-	rc     RunnerScaleSetListenerConfig
+	rc     config.Config
 	logger logr.Logger
 	srv    *http.Server
 }
@@ -173,7 +154,7 @@ type runOptions struct {
 	serviceOptions []func(*Service)
 }

-func run(ctx context.Context, rc RunnerScaleSetListenerConfig, logger logr.Logger, opts runOptions) error {
+func run(ctx context.Context, rc config.Config, logger logr.Logger, opts runOptions) error {
 	// Create root context and hook with sigint and sigterm
 	creds := &actions.ActionsAuth{}
 	if rc.Token != "" {
@@ -232,38 +213,7 @@ func run(ctx context.Context, rc RunnerScaleSetListenerConfig, logger logr.Logge
 	return nil
 }

-func validateConfig(config *RunnerScaleSetListenerConfig) error {
-	if len(config.ConfigureUrl) == 0 {
-		return fmt.Errorf("GitHubConfigUrl is not provided")
-	}
-
-	if len(config.EphemeralRunnerSetNamespace) == 0 || len(config.EphemeralRunnerSetName) == 0 {
-		return fmt.Errorf("EphemeralRunnerSetNamespace '%s' or EphemeralRunnerSetName '%s' is missing", config.EphemeralRunnerSetNamespace, config.EphemeralRunnerSetName)
-	}
-
-	if config.RunnerScaleSetId == 0 {
-		return fmt.Errorf("RunnerScaleSetId '%d' is missing", config.RunnerScaleSetId)
-	}
-
-	if config.MaxRunners < config.MinRunners {
-		return fmt.Errorf("MinRunners '%d' cannot be greater than MaxRunners '%d'", config.MinRunners, config.MaxRunners)
-	}
-
-	hasToken := len(config.Token) > 0
-	hasPrivateKeyConfig := config.AppID > 0 && config.AppPrivateKey != ""
-
-	if !hasToken && !hasPrivateKeyConfig {
-		return fmt.Errorf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	}
-
-	if hasToken && hasPrivateKeyConfig {
-		return fmt.Errorf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	}
-
-	return nil
-}
-
-func newActionsClientFromConfig(config RunnerScaleSetListenerConfig, creds *actions.ActionsAuth, options ...actions.ClientOption) (*actions.Client, error) {
+func newActionsClientFromConfig(config config.Config, creds *actions.ActionsAuth, options ...actions.ClientOption) (*actions.Client, error) {
 	if config.ServerRootCA != "" {
 		systemPool, err := x509.SystemCertPool()
 		if err != nil {
--- a/cmd/githubrunnerscalesetlistener/main_test.go
+++ b/cmd/githubrunnerscalesetlistener/main_test.go
@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"crypto/tls"
-	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -13,94 +12,11 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"github.com/actions/actions-runner-controller/cmd/githubrunnerscalesetlistener/config"
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/actions/actions-runner-controller/github/actions/testserver"
 )

-func TestConfigValidationMinMax(t *testing.T) {
-	config := &RunnerScaleSetListenerConfig{
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-		MinRunners:                  5,
-		MaxRunners:                  2,
-		Token:                       "token",
-	}
-	err := validateConfig(config)
-	assert.ErrorContains(t, err, "MinRunners '5' cannot be greater than MaxRunners '2", "Expected error about MinRunners > MaxRunners")
-}
-
-func TestConfigValidationMissingToken(t *testing.T) {
-	config := &RunnerScaleSetListenerConfig{
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := validateConfig(config)
-	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidationAppKey(t *testing.T) {
-	config := &RunnerScaleSetListenerConfig{
-		AppID:                       1,
-		AppInstallationID:           10,
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := validateConfig(config)
-	expectedError := fmt.Sprintf("GitHub auth credential is missing, token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidationOnlyOneTypeOfCredentials(t *testing.T) {
-	config := &RunnerScaleSetListenerConfig{
-		AppID:                       1,
-		AppInstallationID:           10,
-		AppPrivateKey:               "asdf",
-		Token:                       "asdf",
-		ConfigureUrl:                "github.com/some_org/some_repo",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-	err := validateConfig(config)
-	expectedError := fmt.Sprintf("only one GitHub auth method supported at a time. Have both PAT and App auth: token length: '%d', appId: '%d', installationId: '%d', private key length: '%d", len(config.Token), config.AppID, config.AppInstallationID, len(config.AppPrivateKey))
-	assert.ErrorContains(t, err, expectedError, "Expected error about missing auth")
-}
-
-func TestConfigValidation(t *testing.T) {
-	config := &RunnerScaleSetListenerConfig{
-		ConfigureUrl:                "https://github.com/actions",
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-		MinRunners:                  1,
-		MaxRunners:                  5,
-		Token:                       "asdf",
-	}
-
-	err := validateConfig(config)
-
-	assert.NoError(t, err, "Expected no error")
-}
-
-func TestConfigValidationConfigUrl(t *testing.T) {
-	config := &RunnerScaleSetListenerConfig{
-		EphemeralRunnerSetNamespace: "namespace",
-		EphemeralRunnerSetName:      "deployment",
-		RunnerScaleSetId:            1,
-	}
-
-	err := validateConfig(config)
-
-	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
-}
-
 func TestCustomerServerRootCA(t *testing.T) {
 	ctx := context.Background()
 	certsFolder := filepath.Join(
@@ -134,7 +50,7 @@ func TestCustomerServerRootCA(t *testing.T) {
 	require.NoError(t, err)
 	certsString = certsString + string(intermediate)

-	config := RunnerScaleSetListenerConfig{
+	config := config.Config{
 		ConfigureUrl: server.ConfigURLForOrg("myorg"),
 		ServerRootCA: certsString,
 	}
@@ -164,7 +80,7 @@ func TestProxySettings(t *testing.T) {
 		os.Setenv("http_proxy", proxy.URL)
 		defer os.Setenv("http_proxy", prevProxy)

-		config := RunnerScaleSetListenerConfig{
+		config := config.Config{
 			ConfigureUrl: "https://github.com/org/repo",
 		}
 		creds := &actions.ActionsAuth{
@@ -196,7 +112,7 @@ func TestProxySettings(t *testing.T) {
 		os.Setenv("https_proxy", proxy.URL)
 		defer os.Setenv("https_proxy", prevProxy)

-		config := RunnerScaleSetListenerConfig{
+		config := config.Config{
 			ConfigureUrl: "https://github.com/org/repo",
 		}
 		creds := &actions.ActionsAuth{
@@ -233,7 +149,7 @@ func TestProxySettings(t *testing.T) {
 		os.Setenv("no_proxy", "example.com")
 		defer os.Setenv("no_proxy", prevNoProxy)

-		config := RunnerScaleSetListenerConfig{
+		config := config.Config{
 			ConfigureUrl: "https://github.com/org/repo",
 		}
 		creds := &actions.ActionsAuth{