actions/actions-runner-controller
1
0
Fork 0
mirror of https://github.com/actions/actions-runner-controller.git synced 2026-01-20 19:31:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

noperm

Browse Source
This commit is contained in:
Nikola Jokic
2026-01-19 14:33:48 +01:00
parent 832ac138b0
commit 5b7873ee9a
4 changed files with 86 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
charts/gha-runner-scale-set-dev/templates/_helpers.tpl
View File

@@ -2,7 +2,7 @@
{{- define "autoscaling-runner-set.name" -}} {{- define "autoscaling-runner-set.name" -}}
{{- $name := .Values.runnerScaleSetName | default .Release.Name | replace "_" "-" | trimSuffix "-" }} {{- $name := .Values.runnerScaleSetName | default .Release.Name | replace "_" "-" | trimSuffix "-" }}
{{- if or (empty $name) (gt (len $name) 45) }} {{- if or (empty $name) (gt (len $name) 45) }}
{{ fail "Autoscaling runner set name must have up to 45 characters" }} {{ fail "Autoscaling runner set name must have up to 45 characters" }}
{{- end }} {{- end }}
{{- $name }} {{- $name }}
{{- end }} {{- end }}
@@ -44,7 +44,7 @@ Reserved annotations are excluded from both levels.
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.annotations | default (dict))) | fromYaml -}} {{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}} {{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}} {{- if not (empty $annotations) -}}
{{- toYaml $annotations }} {{- toYaml $annotations }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@@ -85,7 +85,7 @@ Reserved annotations are excluded from both levels.
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRoleBinding.metadata.annotations | default (dict))) | fromYaml -}} {{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRoleBinding.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}} {{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}} {{- if not (empty $annotations) -}}
{{- toYaml $annotations }} {{- toYaml $annotations }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@@ -95,9 +95,9 @@ The name of the GitHub secret used for authentication.
*/}} */}}
{{- define "github-secret.name" -}} {{- define "github-secret.name" -}}
{{- if not (empty .Values.auth.secretName) -}} {{- if not (empty .Values.auth.secretName) -}}
{{- .Values.auth.secretName -}} {{- .Values.auth.secretName -}}
{{- else -}} {{- else -}}
{{- include "autoscaling-runner-set.name" . }}-github-secret {{- include "autoscaling-runner-set.name" . }}-github-secret
{{- end -}} {{- end -}}
{{- end }} {{- end }}
@@ -122,7 +122,48 @@ Reserved annotations are excluded.
{{- define "github-secret.annotations" -}} {{- define "github-secret.annotations" -}}
{{- $annotations := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}} {{- $annotations := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- if not (empty $annotations) -}} {{- if not (empty $annotations) -}}
{{- toYaml $annotations }} {{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
The name of the no-permission ServiceAccount.
This ServiceAccount is intended for non-kubernetes runner modes when the user
has not specified an explicit ServiceAccount.
*/}}
{{- define "no-permission-serviceaccount.name" -}}
{{- printf "%s-no-permission" (include "autoscaling-runner-set.name" .) -}}
{{- end }}
{{/*
Create the labels for the no-permission ServiceAccount.
*/}}
{{- define "no-permission-serviceaccount.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "no-permission-serviceaccount" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.noPermissionServiceAccount.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the no-permission ServiceAccount.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.noPermissionServiceAccount.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "no-permission-serviceaccount.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.noPermissionServiceAccount.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@@ -182,7 +223,7 @@ Reserved annotations are excluded from both levels.
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.autoscalingRunnerSet.metadata.annotations | default (dict))) | fromYaml -}} {{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.autoscalingRunnerSet.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}} {{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}} {{- if not (empty $annotations) -}}
{{- toYaml $annotations }} {{- toYaml $annotations }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@@ -199,7 +240,7 @@ Container spec that is expanded for the runner container
{{- define "container-spec.runner" -}} {{- define "container-spec.runner" -}}
{{- if not .Values.runner.container }} {{- if not .Values.runner.container }}
{{ fail "You must provide a runner container specification in values.runner.container" }} {{ fail "You must provide a runner container specification in values.runner.container" }}
{{- end }} {{- end }}
{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}} {{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}

16
charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml
View File

@@ -8,6 +8,16 @@ metadata:
annotations: annotations:
{{- include "autoscaling-runner-set.annotations" . | nindent 4 }} {{- include "autoscaling-runner-set.annotations" . | nindent 4 }}
actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }} actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
{{- $runnerMode := (.Values.runner.mode | default "") }}
{{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") }}
{{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) }}
actions.github.com/cleanup-github-secret-name: {{ include "github-secret.name" . | quote }}
{{- end }}
actions.github.com/cleanup-manager-role-binding: {{ include "manager-role-binding.name" . | quote }}
actions.github.com/cleanup-manager-role-name: {{ include "manager-role.name" . | quote }}
{{- if ne $runnerMode "kubernetes" }}
actions.github.com/cleanup-no-permission-service-account-name: {{ include "no-permission-serviceaccount.name" . | quote }}
{{- end }}
spec: spec:
githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }} githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }}
@@ -96,6 +106,12 @@ spec:
template: template:
spec: spec:
{{- $runnerMode := (.Values.runner.mode | default "") -}}
{{- if ne $runnerMode "kubernetes" }}
serviceAccountName: {{ include "no-permission-serviceaccount.name" . | quote }}
{{- else if not (empty .Values.runner.kubernetesMode.serviceAccountName) }}
serviceAccountName: {{ .Values.runner.kubernetesMode.serviceAccountName | quote }}
{{- end }}
containers: containers:
- name: runner - name: runner
image: {{ .Values.runner.container.image | default "ghcr.io/actions/actions-runner:latest" | quote }} image: {{ .Values.runner.container.image | default "ghcr.io/actions/actions-runner:latest" | quote }}

14
charts/gha-runner-scale-set-dev/templates/no_permission_serviceaccount.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- $runnerMode := (.Values.runner.mode | default "") -}}
{{- if ne $runnerMode "kubernetes" -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "no-permission-serviceaccount.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "no-permission-serviceaccount.labels" . | nindent 4 }}
annotations:
{{- include "no-permission-serviceaccount.annotations" . | nindent 4 }}
finalizers:
- actions.github.com/cleanup-protection
{{- end }}

7
charts/gha-runner-scale-set-dev/values.yaml
View File

@@ -116,6 +116,13 @@ resource:
labels: {} labels: {}
annotations: {} annotations: {}
# Specifies metadata that will be applied to the no-permission ServiceAccount
# (created for non-kubernetes runner modes).
noPermissionServiceAccount:
metadata:
labels: {}
annotations: {}
# TODO: Add more resource customizations when needed # TODO: Add more resource customizations when needed
# Template applied for the runner container # Template applied for the runner container