actions/actions-runner-controller
1
0
Fork 0
mirror of https://github.com/actions/actions-runner-controller.git synced 2026-01-20 19:31:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

wip

Browse Source
This commit is contained in:
Nikola Jokic
2026-01-19 19:00:58 +01:00
parent d253b5b13a
commit 4056edbe9f
5 changed files with 469 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml
View File

@@ -28,10 +28,10 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "list", "create", "delete"] verbs: ["get", "list", "create", "delete"]
{{- with .Values.runner.kubernetesMode.extraRules }} {{- with .Values.resource.kubernetesModeRole.extraRules }}
{{- if not (empty .) }} {{- if not (empty .) }}
{{- if not (kindIs "slice" .) -}} {{- if not (kindIs "slice" .) -}}
{{- fail ".Values.runner.kubernetesMode.extraRules must be a list of RBAC policy rules" -}} {{- fail ".Values.resource.kubernetesModeRole.extraRules must be a list of RBAC policy rules" -}}
{{- end }} {{- end }}
{{ toYaml . | nindent 2 }} {{ toYaml . | nindent 2 }}
{{- end }} {{- end }}

182
charts/gha-runner-scale-set-dev/tests/kube_mode_role_binding_test.yaml Normal file
View File

@@ -0,0 +1,182 @@
suite: "Test Kubernetes Mode RoleBinding"
templates:
- kube_mode_role_binding.yaml
tests:
- it: should render base rolebinding metadata in kubernetes mode
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "rbac.authorization.k8s.io/v1"
- equal:
path: kind
value: "RoleBinding"
- equal:
path: metadata.name
value: "test-name-kube-mode"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role-binding"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- equal:
path: roleRef.kind
value: "Role"
- equal:
path: roleRef.name
value: "test-name-kube-mode"
- equal:
path: subjects[0].kind
value: "ServiceAccount"
- equal:
path: subjects[0].name
value: "test-name-kube-mode"
- equal:
path: subjects[0].namespace
value: "test-namespace"
- it: should not render when runner mode is not kubernetes
set:
runner:
mode: "dind"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should not render when serviceAccountName is provided
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: "custom-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should include global and resource labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
global-team: "platform"
kubernetesModeRoleBinding:
metadata:
labels:
rb-team: "arc"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["rb-team"]
value: "arc"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role-binding"
- it: should drop actions.github.com custom labels from config
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
owner: "devops"
actions.github.com/global-custom: "global-value"
kubernetesModeRoleBinding:
metadata:
labels:
actions.github.com/rb-custom: "rb-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["owner"]
value: "devops"
- notExists:
path: metadata.labels["actions.github.com/global-custom"]
- notExists:
path: metadata.labels["actions.github.com/rb-custom"]
- it: should not allow overriding reserved labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
helm.sh/chart: "bad"
app.kubernetes.io/name: "bad"
app.kubernetes.io/instance: "bad"
app.kubernetes.io/component: "bad"
actions.github.com/scale-set-name: "bad"
actions.github.com/scale-set-namespace: "bad"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role-binding"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"

117
charts/gha-runner-scale-set-dev/tests/kube_mode_role_test.yaml Normal file
View File

@@ -0,0 +1,117 @@
suite: "Test Kubernetes Mode Role"
templates:
- kube_mode_role.yaml
tests:
- it: should render base role metadata in kubernetes mode
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "rbac.authorization.k8s.io/v1"
- equal:
path: kind
value: "Role"
- equal:
path: metadata.name
value: "test-name-kube-mode"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- it: should append extra RBAC policy rules
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
kubernetesModeRole:
extraRules:
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: rules[5].apiGroups[0]
value: ""
- equal:
path: rules[5].resources[0]
value: "events"
- equal:
path: rules[5].verbs[0]
value: "create"
- equal:
path: rules[5].verbs[1]
value: "patch"
- it: should fail when extraRules is not a list
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
kubernetesModeRole:
extraRules: "not-a-list"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.resource.kubernetesModeRole.extraRules must be a list of RBAC policy rules"
- it: should not render when runner mode is not kubernetes
set:
runner:
mode: "dind"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should not render when serviceAccountName is provided
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: "custom-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0

167
charts/gha-runner-scale-set-dev/tests/kube_mode_serviceaccount_test.yaml Normal file
View File

@@ -0,0 +1,167 @@
suite: "Test Kubernetes Mode ServiceAccount"
templates:
- kube_mode_serviceaccount.yaml
tests:
- it: should render base serviceaccount metadata in kubernetes mode
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "v1"
- equal:
path: kind
value: "ServiceAccount"
- equal:
path: metadata.name
value: "test-name-kube-mode"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-serviceaccount"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- it: should not render when runner mode is not kubernetes
set:
runner:
mode: "dind"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should not render when serviceAccountName is provided
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: "custom-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should include global and resource labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
global-team: "platform"
kubernetesModeServiceAccount:
metadata:
labels:
sa-team: "arc"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["sa-team"]
value: "arc"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-serviceaccount"
- it: should drop actions.github.com custom labels from config
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
owner: "devops"
actions.github.com/global-custom: "global-value"
kubernetesModeServiceAccount:
metadata:
labels:
actions.github.com/sa-custom: "sa-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["owner"]
value: "devops"
- notExists:
path: metadata.labels["actions.github.com/global-custom"]
- notExists:
path: metadata.labels["actions.github.com/sa-custom"]
- it: should not allow overriding reserved labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
helm.sh/chart: "bad"
app.kubernetes.io/name: "bad"
app.kubernetes.io/instance: "bad"
app.kubernetes.io/component: "bad"
actions.github.com/scale-set-name: "bad"
actions.github.com/scale-set-namespace: "bad"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-serviceaccount"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"

2
charts/gha-runner-scale-set-dev/values.yaml
View File

@@ -135,6 +135,7 @@ resource:
metadata: metadata:
labels: {} labels: {}
annotations: {} annotations: {}
extraRules: []
# Specifies metadata that will be applied to the kubernetes-mode ServiceAccount. # Specifies metadata that will be applied to the kubernetes-mode ServiceAccount.
kubernetesModeServiceAccount: kubernetesModeServiceAccount:
@@ -165,7 +166,6 @@ runner:
kubernetesMode: kubernetesMode:
default: true default: true
serviceAccountName: "" serviceAccountName: ""
extraRules: []
extension: {} extension: {}
## A self-signed CA certificate for communication with the GitHub server can be ## A self-signed CA certificate for communication with the GitHub server can be
## provided using a config map key selector. If `runnerMountPath` is set, for ## provided using a config map key selector. If `runnerMountPath` is set, for