add manager role extra rules

This commit is contained in:
Nikola Jokic
2026-01-16 18:46:21 +01:00
parent d28d439597
commit 4f3f663603
4 changed files with 206 additions and 0 deletions


@@ -11,6 +11,43 @@
{{- .Values.namespaceOverride | default .Release.Namespace -}}
{{- end }}
{{/*
The name of the manager Role.
*/}}
{{- define "manager-role.name" -}}
{{- printf "%s-manager-role" (include "autoscaling-runner-set.name" .) -}}
{{- end }}
{{/*
Create the labels for the manager Role.
*/}}
{{- define "manager-role.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "manager-role" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the manager Role.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.managerRole.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "manager-role.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
The name of the GitHub secret used for authentication.
*/}}
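Review bot: The "Order of precedence" list in the `manager-role.annotations` comment does not say which level wins, and with `mergeOverwrite $global $resource` it is the per-resource `managerRole` annotations that override `resource.all`, so the numbering can be read the wrong way round. I would reword it as `Later levels override earlier ones: resource.managerRole.metadata.annotations wins over resource.all.metadata.annotations; reserved annotations are dropped from both.` The `manager-role.labels` comment should carry the same statement for labels and additionally note that the chart's component label and common labels are merged last, so values cannot override them — which appears to be the intent given the `apply-non-reserved-gha-labels-and-annotations` filter, and is worth saying explicitly since the `actions.github.com/*` labels are what the other templates key on. The helpers file continues before and after this hunk.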


@@ -0,0 +1,85 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "manager-role.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "manager-role.labels" . | nindent 4 }}
annotations:
{{- include "manager-role.annotations" . | nindent 4 }}
finalizers:
- actions.github.com/cleanup-protection
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- create
- delete
- get
- patch
- update
{{- if .Values.githubServerTLS }}
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
{{- end }}
{{- with .Values.resource.managerRole.extraRules }}
{{- if not (empty .) }}
{{- if not (kindIs "slice" .) -}}
{{- fail ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules" -}}
{{- end }}
{{ toYaml . }}
{{- end }}
{{- end }}
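Review bot: The `extraRules` guard at the end of the template only checks that the value is a list; a list of strings or of maps without `verbs`/`resources` passes `kindIs "slice"` and is emitted into the Role as-is, so the first signal the user gets is an API-server validation error at apply time rather than a template failure naming the bad value. Since every entry here widens what the controller's manager identity may do in this namespace (nothing in the template stops wildcard resources/verbs or `escalate`/`bind`), it is worth failing fast on malformed entries and leaving a comment that the rules are appended verbatim; the Kubernetes RBAC escalation check should still reject grants the installing identity does not itself hold, but that is a cluster property, not something this chart enforces. The `{{- if not (empty .) }}` inside the `with` block is also redundant, because `with` already skips an empty list. A per-element check along these lines keeps the existing error message and adds an indexed one:

```yaml
{{- with .Values.resource.managerRole.extraRules }}
{{- if not (kindIs "slice" .) -}}
{{- fail ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules" -}}
{{- end }}
{{- range $i, $rule := . }}
{{- if or (not (kindIs "map" $rule)) (not (hasKey $rule "apiGroups")) (not (hasKey $rule "resources")) (not (hasKey $rule "verbs")) -}}
{{- fail (printf ".Values.resource.managerRole.extraRules[%d] must be a map with apiGroups, resources and verbs" $i) -}}
{{- end }}
{{- end }}
{{/* extra rules are appended verbatim; each one widens the manager Role */}}
{{ toYaml . }}
{{- end }}
```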


@@ -0,0 +1,76 @@
suite: "Test Manager Role Extra Rules"
templates:
- manager_role.yaml
tests:
- it: should render base role metadata
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "rbac.authorization.k8s.io/v1"
- equal:
path: kind
value: "Role"
- equal:
path: metadata.name
value: "test-name-manager-role"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "manager-role"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- it: should append extra RBAC policy rules
set:
resource:
managerRole:
extraRules:
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: rules[6].apiGroups[0]
value: ""
- equal:
path: rules[6].resources[0]
value: "events"
- equal:
path: rules[6].verbs[0]
value: "create"
- equal:
path: rules[6].verbs[1]
value: "patch"
- it: should fail when extraRules is not a list
set:
resource:
managerRole:
extraRules: "not-a-list"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules"
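Review bot: The "should append extra RBAC policy rules" case pins the appended rule to `rules[6]`, which silently breaks as soon as a base rule is added, removed or reordered, and it never checks that the six base rules are still present alongside the extra one. A `contains` assertion on `path: rules` with the full rule object (`apiGroups: [""]`, `resources: ["events"]`, `verbs: ["create", "patch"]`) plus a `lengthEqual: {path: rules, count: 7}` would assert the same thing without depending on position and would catch an accidental drop of a base rule. A case that sets `githubServerTLS` together with `extraRules` would also confirm the extra rules still render after the conditional configmap rule.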


@@ -102,6 +102,13 @@ resource:
metadata:
labels: {}
annotations: {}
# Specifies metadata that will be applied to the manager Role resource
managerRole:
metadata:
labels: {}
annotations: {}
extraRules: []
# TODO: Add more resource customizations when needed
@@ -153,6 +160,7 @@ runner:
controllerServiceAccount:
namespace: ""
name: ""
## listenerMetrics are configurable metrics applied to the listener.
## In order to avoid helm merging these fields, we left the metrics commented out.
## When configuring metrics, please uncomment the listenerMetrics object below.
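Review bot: The new `extraRules: []` key under `resource.managerRole` has no comment, while the surrounding `metadata` keys are described; for a value that is appended verbatim into the manager Role and therefore enlarges the controller's permissions in the namespace, the values file should say so and steer users towards the minimum. I would add above it `# Extra RBAC policy rules appended verbatim to the manager Role. Each entry widens what the controller may do in this namespace; keep rules minimal and avoid wildcard resources/verbs.` so that the knob is not mistaken for metadata customization like the keys above it. The first hunk of this section is the relevant one; the second only touches context around `controllerServiceAccount`.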