From 4f3f6636035d2631905576f3ddfb83650fa28754 Mon Sep 17 00:00:00 2001
From: Nikola Jokic
Date: Fri, 16 Jan 2026 18:46:21 +0100
Subject: [PATCH] add manager role extra rules
---
.../templates/_helpers.tpl | 37 ++++++++
.../templates/manager_role.yaml | 85 +++++++++++++++++++
.../tests/manager_role_extra_rules_test.yaml | 76 +++++++++++++++++
charts/gha-runner-scale-set-dev/values.yaml | 8 ++
4 files changed, 206 insertions(+)
create mode 100644 charts/gha-runner-scale-set-dev/templates/manager_role.yaml
create mode 100644 charts/gha-runner-scale-set-dev/tests/manager_role_extra_rules_test.yaml
diff --git a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
index 6027e0b3..555bc8c4 100644
--- a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
@@ -11,6 +11,43 @@
 {{- .Values.namespaceOverride | default .Release.Namespace -}}
 {{- end }}
+{{/*
+The name of the manager Role.
+*/}}
+{{- define "manager-role.name" -}}
+{{- printf "%s-manager-role" (include "autoscaling-runner-set.name" .) -}}
+{{- end }}
+
+
+{{/*
+Create the labels for the manager Role.
+*/}}
+{{- define "manager-role.labels" -}}
+{{- $resourceLabels := dict "app.kubernetes.io/component" "manager-role" -}}
+{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
+{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.labels | default (dict)) | fromYaml -}}
+{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
+{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
+{{- end }}
+
+
+{{/*
+Create the annotations for the manager Role.
+
+Order of precedence:
+1) resource.all.metadata.annotations
+2) resource.managerRole.metadata.annotations
+Reserved annotations are excluded from both levels.
+*/}}
+{{- define "manager-role.annotations" -}}
+{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $annotations := mergeOverwrite $global $resource -}}
+{{- if not (empty $annotations) -}}
+{{- toYaml $annotations }}
+{{- end }}
+{{- end }}
+
 {{/*
 The name of the GitHub secret used for authentication.
 */}}
diff --git a/charts/gha-runner-scale-set-dev/templates/manager_role.yaml b/charts/gha-runner-scale-set-dev/templates/manager_role.yaml
new file mode 100644
index 00000000..2990ccc4
--- /dev/null
+++ b/charts/gha-runner-scale-set-dev/templates/manager_role.yaml
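Review bot: The comment on `manager-role.labels` does not state the merge precedence, while the sibling `manager-role.annotations` comment in the same hunk does; since `mergeOverwrite $global $userLabels $resourceLabels $commonLabels` lets later arguments win, a user can never override the component or common labels, and that is worth writing down. I would extend the comment with: `Order of precedence (lowest to highest): resource.all.metadata.labels, resource.managerRole.metadata.labels, the app.kubernetes.io/component label, then gha-common-labels; reserved labels are stripped from both user-supplied levels.` Both new helpers also dereference `.Values.resource.managerRole.metadata` with only the leaf guarded by `default (dict)`, so a values file that sets `resource.managerRole` to null would fail to render rather than fall back to the defaults; I would confirm this matches how the other per-resource helpers in this file behave before worrying about it.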
@@ -0,0 +1,85 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "manager-role.name" . | quote }}
+ namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+ labels:
+ {{- include "manager-role.labels" . | nindent 4 }}
+ annotations:
+ {{- include "manager-role.annotations" . | nindent 4 }}
+ finalizers:
+ - actions.github.com/cleanup-protection
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - update
+{{- if .Values.githubServerTLS }}
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+{{- end }}
+
+{{- with .Values.resource.managerRole.extraRules }}
+ {{- if not (empty .) }}
+ {{- if not (kindIs "slice" .) -}}
+ {{- fail ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules" -}}
+ {{- end }}
+{{ toYaml . }}
+ {{- end }}
+{{- end }}
diff --git a/charts/gha-runner-scale-set-dev/tests/manager_role_extra_rules_test.yaml b/charts/gha-runner-scale-set-dev/tests/manager_role_extra_rules_test.yaml
new file mode 100644
index 00000000..259563ae
--- /dev/null
+++ b/charts/gha-runner-scale-set-dev/tests/manager_role_extra_rules_test.yaml
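Review bot: The `extraRules` block at the end of the file validates only the container type, so a list whose entries are not mappings (a bare string, for instance) passes `kindIs "slice"` and renders a Role that fails only when the API server rejects it at install time, instead of failing at `helm template`/`helm lint` where the `fail` message is visible. The `{{- if not (empty .) }}` guard inside the `with` is also redundant, because `with` already skips an empty or unset value, and it adds a nesting level for no effect. I would drop that guard and add a per-element check so that each entry must be a map, keeping the existing top-level error message unchanged so the new test still passes; since every entry ends up verbatim in the manager's namespace permissions, failing early on malformed input is the cheap safeguard here.
```yaml
{{- with .Values.resource.managerRole.extraRules }}
{{- if not (kindIs "slice" .) -}}
{{- fail ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules" -}}
{{- end }}
{{- range $i, $rule := . }}
{{- if not (kindIs "map" $rule) -}}
{{- fail (printf ".Values.resource.managerRole.extraRules[%d] must be a map with apiGroups, resources and verbs" $i) -}}
{{- end }}
{{- end }}
{{ toYaml . }}
{{- end }}
```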
@@ -0,0 +1,76 @@
+suite: "Test Manager Role Extra Rules"
+templates:
+ - manager_role.yaml
+tests:
+ - it: should render base role metadata
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ chart:
+ appVersion: "0.14.0"
+ asserts:
+ - equal:
+ path: apiVersion
+ value: "rbac.authorization.k8s.io/v1"
+ - equal:
+ path: kind
+ value: "Role"
+ - equal:
+ path: metadata.name
+ value: "test-name-manager-role"
+ - equal:
+ path: metadata.namespace
+ value: "test-namespace"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/component"]
+ value: "manager-role"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-name"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-namespace"]
+ value: "test-namespace"
+ - equal:
+ path: metadata.finalizers[0]
+ value: "actions.github.com/cleanup-protection"
+
+ - it: should append extra RBAC policy rules
+ set:
+ resource:
+ managerRole:
+ extraRules:
+ - apiGroups:
+ - ""
+ resources:
+ - "events"
+ verbs:
+ - "create"
+ - "patch"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ asserts:
+ - equal:
+ path: rules[6].apiGroups[0]
+ value: ""
+ - equal:
+ path: rules[6].resources[0]
+ value: "events"
+ - equal:
+ path: rules[6].verbs[0]
+ value: "create"
+ - equal:
+ path: rules[6].verbs[1]
+ value: "patch"
+
+ - it: should fail when extraRules is not a list
+ set:
+ resource:
+ managerRole:
+ extraRules: "not-a-list"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ asserts:
+ - failedTemplate:
+ errorMessage: ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules"
diff --git a/charts/gha-runner-scale-set-dev/values.yaml b/charts/gha-runner-scale-set-dev/values.yaml
index 5f0fa7de..efba6960 100644
--- a/charts/gha-runner-scale-set-dev/values.yaml
+++ b/charts/gha-runner-scale-set-dev/values.yaml
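Review bot: The `rules[6]` index in "should append extra RBAC policy rules" holds only while `githubServerTLS` is unset, because the template's `{{- if .Values.githubServerTLS }}` block inserts a `configmaps` rule at that position before the extra rules are appended, and nothing in this file pins that ordering. I would add a case that sets `githubServerTLS` to whatever non-empty shape the chart's values expect and asserts `rules[6].resources[0]` equals `configmaps` and `rules[7].resources[0]` equals `events`, so a later reordering of the base rules fails loudly. The append case also never checks that a base rule survives; one assertion such as `path: rules[0].resources[0]` with `value: "pods"` would catch a template change that replaced the list instead of extending it.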
@@ -102,6 +102,13 @@ resource:
 metadata:
 labels: {}
 annotations: {}
+
+ # Specifies metadata that will be applied to the manager Role resource
+ managerRole:
+ metadata:
+ labels: {}
+ annotations: {}
+ extraRules: []
 # TODO: Add more resource customizations when needed
@@ -153,6 +160,7 @@ runner:
 controllerServiceAccount:
 namespace: ""
 name: ""
+
 ## listenerMetrics are configurable metrics applied to the listener.
 ## In order to avoid helm merging these fields, we left the metrics commented out.
 ## When configuring metrics, please uncomment the listenerMetrics object below.
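Review bot: `extraRules: []` is added without any comment in the first hunk, and the comment above `managerRole` mentions only metadata, so the one new key that changes what the manager is allowed to do in the namespace is undocumented for anyone editing values. I would change the lead comment to `# Specifies metadata and extra RBAC rules applied to the manager Role resource` and put this above `extraRules`: `# List of RBAC PolicyRule entries (apiGroups, resources, verbs) appended verbatim to the manager Role; anything listed here widens the manager's permissions in this namespace, so keep it to what the runners actually need.` The template rejects a non-list value with an error, which is worth a short mention there too so users do not reach for a single mapping.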