diff --git a/charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml b/charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml index 2ea6cdc6..f9953edb 100644 --- a/charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml +++ b/charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml @@ -28,10 +28,10 @@ rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "create", "delete"] - {{- with .Values.runner.kubernetesMode.extraRules }} + {{- with .Values.resource.kubernetesModeRole.extraRules }} {{- if not (empty .) }} {{- if not (kindIs "slice" .) -}} - {{- fail ".Values.runner.kubernetesMode.extraRules must be a list of RBAC policy rules" -}} + {{- fail ".Values.resource.kubernetesModeRole.extraRules must be a list of RBAC policy rules" -}} {{- end }} {{ toYaml . | nindent 2 }} {{- end }} diff --git a/charts/gha-runner-scale-set-dev/tests/kube_mode_role_binding_test.yaml b/charts/gha-runner-scale-set-dev/tests/kube_mode_role_binding_test.yaml new file mode 100644 index 00000000..1d915603 --- /dev/null +++ b/charts/gha-runner-scale-set-dev/tests/kube_mode_role_binding_test.yaml 
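Review bot: A values file that still sets `runner.kubernetesMode.extraRules` is silently ignored once this template reads `.Values.resource.kubernetesModeRole.extraRules`: the values.yaml hunk removes the old default, but nothing here rejects a user value at the old path, so an upgrade with an existing values file renders the Role without the operator's extra rules and no error (unless a values schema catches it, which is not visible in this diff). That fails closed, so the effect is broken workflows rather than excess privilege, but it is still a silent behaviour change worth failing loudly on; before the `with`, add `{{- if .Values.runner.kubernetesMode.extraRules }}{{- fail "runner.kubernetesMode.extraRules has moved to resource.kubernetesModeRole.extraRules" }}{{- end }}`. The `kindIs "slice"` check validates only the outer shape; entries that are not rule objects are still passed through `toYaml` and rejected only by the API server at install time, so a per-entry check that each item carries `apiGroups`, `resources` and `verbs` would be a cheap addition. The enclosing Role definition starts before this hunk.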
@@ -0,0 +1,182 @@ +suite: "Test Kubernetes Mode RoleBinding" +templates: + - kube_mode_role_binding.yaml +tests: + - it: should render base rolebinding metadata in kubernetes mode + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + release: + name: "test-name" + namespace: "test-namespace" + chart: + appVersion: "0.14.0" + asserts: + - equal: + path: apiVersion + value: "rbac.authorization.k8s.io/v1" + - equal: + path: kind + value: "RoleBinding" + - equal: + path: metadata.name + value: "test-name-kube-mode" + - equal: + path: metadata.namespace + value: "test-namespace" + - equal: + path: metadata.labels["app.kubernetes.io/component"] + value: "kube-mode-role-binding" + - equal: + path: metadata.labels["actions.github.com/scale-set-name"] + value: "test-name" + - equal: + path: metadata.labels["actions.github.com/scale-set-namespace"] + value: "test-namespace" + - equal: + path: metadata.finalizers[0] + value: "actions.github.com/cleanup-protection" + - equal: + path: roleRef.kind + value: "Role" + - equal: + path: roleRef.name + value: "test-name-kube-mode" + - equal: + path: subjects[0].kind + value: "ServiceAccount" + - equal: + path: subjects[0].name + value: "test-name-kube-mode" + - equal: + path: subjects[0].namespace + value: "test-namespace" + + - it: should not render when runner mode is not kubernetes + set: + runner: + mode: "dind" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - hasDocuments: + count: 0 + + - it: should not render when serviceAccountName is provided + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "custom-sa" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - hasDocuments: + count: 0 + + - it: should include global and resource labels + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + all: + metadata: + labels: + global-team: 
"platform" + kubernetesModeRoleBinding: + metadata: + labels: + rb-team: "arc" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - equal: + path: metadata.labels["global-team"] + value: "platform" + - equal: + path: metadata.labels["rb-team"] + value: "arc" + - equal: + path: metadata.labels["app.kubernetes.io/component"] + value: "kube-mode-role-binding" + + - it: should drop actions.github.com custom labels from config + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + all: + metadata: + labels: + owner: "devops" + actions.github.com/global-custom: "global-value" + kubernetesModeRoleBinding: + metadata: + labels: + actions.github.com/rb-custom: "rb-value" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - equal: + path: metadata.labels["owner"] + value: "devops" + - notExists: + path: metadata.labels["actions.github.com/global-custom"] + - notExists: + path: metadata.labels["actions.github.com/rb-custom"] + + - it: should not allow overriding reserved labels + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + all: + metadata: + labels: + helm.sh/chart: "bad" + app.kubernetes.io/name: "bad" + app.kubernetes.io/instance: "bad" + app.kubernetes.io/component: "bad" + actions.github.com/scale-set-name: "bad" + actions.github.com/scale-set-namespace: "bad" + release: + name: "test-name" + namespace: "test-namespace" + chart: + appVersion: "0.14.0" + asserts: + - equal: + path: metadata.labels["helm.sh/chart"] + value: "gha-rs-0.14.0" + - equal: + path: metadata.labels["app.kubernetes.io/name"] + value: "test-name" + - equal: + path: metadata.labels["app.kubernetes.io/instance"] + value: "test-name" + - equal: + path: metadata.labels["app.kubernetes.io/component"] + value: "kube-mode-role-binding" + - equal: + path: metadata.labels["actions.github.com/scale-set-name"] + value: "test-name" + - equal: + 
path: metadata.labels["actions.github.com/scale-set-namespace"] + value: "test-namespace" diff --git a/charts/gha-runner-scale-set-dev/tests/kube_mode_role_test.yaml b/charts/gha-runner-scale-set-dev/tests/kube_mode_role_test.yaml new file mode 100644 index 00000000..8657d5a5 --- /dev/null +++ b/charts/gha-runner-scale-set-dev/tests/kube_mode_role_test.yaml 
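Review bot: None of the RoleBinding tests assert `roleRef.apiGroup`, although the base-metadata test checks `roleRef.kind` and `roleRef.name`; a binding with a wrong or missing apiGroup is rejected at admission, so add `- equal: path: roleRef.apiGroup value: "rbac.authorization.k8s.io"` to that test. A `- lengthEqual: path: subjects count: 1` assertion there would also pin that only the kube-mode service account is bound to the Role, mirroring the `hasDocuments: count: 0` checks used for the negative cases.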
@@ -0,0 +1,117 @@ +suite: "Test Kubernetes Mode Role" +templates: + - kube_mode_role.yaml +tests: + - it: should render base role metadata in kubernetes mode + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + release: + name: "test-name" + namespace: "test-namespace" + chart: + appVersion: "0.14.0" + asserts: + - equal: + path: apiVersion + value: "rbac.authorization.k8s.io/v1" + - equal: + path: kind + value: "Role" + - equal: + path: metadata.name + value: "test-name-kube-mode" + - equal: + path: metadata.namespace + value: "test-namespace" + - equal: + path: metadata.labels["app.kubernetes.io/component"] + value: "kube-mode-role" + - equal: + path: metadata.labels["actions.github.com/scale-set-name"] + value: "test-name" + - equal: + path: metadata.labels["actions.github.com/scale-set-namespace"] + value: "test-namespace" + - equal: + path: metadata.finalizers[0] + value: "actions.github.com/cleanup-protection" + + - it: should append extra RBAC policy rules + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + kubernetesModeRole: + extraRules: + - apiGroups: + - "" + resources: + - "events" + verbs: + - "create" + - "patch" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - equal: + path: rules[5].apiGroups[0] + value: "" + - equal: + path: rules[5].resources[0] + value: "events" + - equal: + path: rules[5].verbs[0] + value: "create" + - equal: + path: rules[5].verbs[1] + value: "patch" + + - it: should fail when extraRules is not a list + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + kubernetesModeRole: + extraRules: "not-a-list" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - failedTemplate: + errorMessage: ".Values.resource.kubernetesModeRole.extraRules must be a list of RBAC policy rules" + + - it: should not render when runner mode is not 
kubernetes + set: + runner: + mode: "dind" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - hasDocuments: + count: 0 + + - it: should not render when serviceAccountName is provided + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "custom-sa" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - hasDocuments: + count: 0 diff --git a/charts/gha-runner-scale-set-dev/tests/kube_mode_serviceaccount_test.yaml b/charts/gha-runner-scale-set-dev/tests/kube_mode_serviceaccount_test.yaml new file mode 100644 index 00000000..8cf23d59 --- /dev/null +++ b/charts/gha-runner-scale-set-dev/tests/kube_mode_serviceaccount_test.yaml 
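Review bot: The append test pins `rules[5]` by index but never asserts the total, so a change that duplicates the extra rules would still pass; add `- lengthEqual: path: rules count: 6` to that test. There is also no scenario for the default `extraRules: []`, which takes the `if not (empty .)` branch of the template — a test with the default value asserting `- lengthEqual: path: rules count: 5` would cover it. The failure test only checks a scalar; a list whose entries are not rule objects (e.g. `extraRules: ["get"]`) passes the `kindIs "slice"` check, so it is worth a case if per-entry validation is added to the template.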
@@ -0,0 +1,167 @@ +suite: "Test Kubernetes Mode ServiceAccount" +templates: + - kube_mode_serviceaccount.yaml +tests: + - it: should render base serviceaccount metadata in kubernetes mode + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + release: + name: "test-name" + namespace: "test-namespace" + chart: + appVersion: "0.14.0" + asserts: + - equal: + path: apiVersion + value: "v1" + - equal: + path: kind + value: "ServiceAccount" + - equal: + path: metadata.name + value: "test-name-kube-mode" + - equal: + path: metadata.namespace + value: "test-namespace" + - equal: + path: metadata.labels["app.kubernetes.io/component"] + value: "kube-mode-serviceaccount" + - equal: + path: metadata.labels["actions.github.com/scale-set-name"] + value: "test-name" + - equal: + path: metadata.labels["actions.github.com/scale-set-namespace"] + value: "test-namespace" + - equal: + path: metadata.finalizers[0] + value: "actions.github.com/cleanup-protection" + + - it: should not render when runner mode is not kubernetes + set: + runner: + mode: "dind" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - hasDocuments: + count: 0 + + - it: should not render when serviceAccountName is provided + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "custom-sa" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - hasDocuments: + count: 0 + + - it: should include global and resource labels + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + all: + metadata: + labels: + global-team: "platform" + kubernetesModeServiceAccount: + metadata: + labels: + sa-team: "arc" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - equal: + path: metadata.labels["global-team"] + value: "platform" + - equal: + path: metadata.labels["sa-team"] + value: "arc" + - equal: + path: 
metadata.labels["app.kubernetes.io/component"] + value: "kube-mode-serviceaccount" + + - it: should drop actions.github.com custom labels from config + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + all: + metadata: + labels: + owner: "devops" + actions.github.com/global-custom: "global-value" + kubernetesModeServiceAccount: + metadata: + labels: + actions.github.com/sa-custom: "sa-value" + release: + name: "test-name" + namespace: "test-namespace" + asserts: + - equal: + path: metadata.labels["owner"] + value: "devops" + - notExists: + path: metadata.labels["actions.github.com/global-custom"] + - notExists: + path: metadata.labels["actions.github.com/sa-custom"] + + - it: should not allow overriding reserved labels + set: + runner: + mode: "kubernetes" + kubernetesMode: + default: true + serviceAccountName: "" + resource: + all: + metadata: + labels: + helm.sh/chart: "bad" + app.kubernetes.io/name: "bad" + app.kubernetes.io/instance: "bad" + app.kubernetes.io/component: "bad" + actions.github.com/scale-set-name: "bad" + actions.github.com/scale-set-namespace: "bad" + release: + name: "test-name" + namespace: "test-namespace" + chart: + appVersion: "0.14.0" + asserts: + - equal: + path: metadata.labels["helm.sh/chart"] + value: "gha-rs-0.14.0" + - equal: + path: metadata.labels["app.kubernetes.io/name"] + value: "test-name" + - equal: + path: metadata.labels["app.kubernetes.io/instance"] + value: "test-name" + - equal: + path: metadata.labels["app.kubernetes.io/component"] + value: "kube-mode-serviceaccount" + - equal: + path: metadata.labels["actions.github.com/scale-set-name"] + value: "test-name" + - equal: + path: metadata.labels["actions.github.com/scale-set-namespace"] + value: "test-namespace" diff --git a/charts/gha-runner-scale-set-dev/values.yaml b/charts/gha-runner-scale-set-dev/values.yaml index 41c59a56..8ac0290b 100644 --- a/charts/gha-runner-scale-set-dev/values.yaml 
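Review bot: The `should drop actions.github.com custom labels` and `should not allow overriding reserved labels` scenarios are copied verbatim from the Role and RoleBinding suites, differing only in the component label value and the resource-specific label key; helm-unittest lets a test load its values from a file via `values:`, so the shared `runner`/`resource.all`/`release`/`chart` fixture could live once under tests/ and each suite set only its own overrides. Whether the template sets `automountServiceAccountToken` on this ServiceAccount is not visible here; if it does, an assertion on it belongs in the base-metadata test, since this is the identity that receives the secrets permissions granted by the Role.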
+++ b/charts/gha-runner-scale-set-dev/values.yaml @@ -135,6 +135,7 @@ resource: metadata: labels: {} annotations: {} + extraRules: [] # Specifies metadata that will be applied to the kubernetes-mode ServiceAccount. kubernetesModeServiceAccount: @@ -165,7 +166,6 @@ runner: kubernetesMode: default: true serviceAccountName: "" - extraRules: [] extension: {} ## A self-signed CA certificate for communication with the GitHub server can be ## provided using a config map key selector. If `runnerMountPath` is set, for
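Review bot: The new `extraRules: []` key under `resource.kubernetesModeRole` has no comment, while the neighbouring `kubernetesModeServiceAccount` stanza documents its purpose; since values.yaml doubles as the user-facing reference, add above it `# Additional RBAC PolicyRule entries appended verbatim to the kubernetes-mode Role's rules.` and `# Each entry widens what the kube-mode service account may do; entries are only checked to be a list.`. The second hunk removes `extraRules: []` from `runner.kubernetesMode` without leaving a breadcrumb, so a comment at the old location, `# extraRules moved to resource.kubernetesModeRole.extraRules`, would help users migrating an existing values file.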