mirror of
https://github.com/actions/actions-runner-controller.git
synced 2025-12-11 03:57:01 +00:00
Enhance support for multi-tenancy (#1371)
This enhances every ARC controller and the various K8s custom resources so that the user can now configure a custom GitHub API credentials (that is different from the default one configured per the ARC instance). Ref https://github.com/actions-runner-controller/actions-runner-controller/issues/1067#issuecomment-1043716646
This commit is contained in:
Yusuke Kuoka
59
README.md
59
README.md
@@ -40,6 +40,7 @@ ToC:
|
||||
- [Using IRSA (IAM Roles for Service Accounts) in EKS](#using-irsa-iam-roles-for-service-accounts-in-eks)
|
||||
- [Software Installed in the Runner Image](#software-installed-in-the-runner-image)
|
||||
- [Using without cert-manager](#using-without-cert-manager)
|
||||
- [Multitenancy](#multitenancy)
|
||||
- [Troubleshooting](#troubleshooting)
|
||||
- [Contributing](#contributing)
|
||||
|
||||
@@ -1741,6 +1742,64 @@ $ helm --upgrade install actions-runner-controller/actions-runner-controller \
|
||||
admissionWebHooks.caBundle=${CA_BUNDLE}
|
||||
```
|
||||
|
||||
### Multitenancy
|
||||
|
||||
> This feature requires controller version => [v0.26.0](https://github.com/actions-runner-controller/actions-runner-controller/releases/tag/v0.26.0)
|
||||
|
||||
In a large enterprise, there might be many GitHub organizations that requires self-hosted runners. Previously, the only way to provide ARC-managed self-hosted runners in such environment was [Deploying Multiple Controllers](#deploying-multiple-controllers), which incurs overhead due to it requires one ARC installation per GitHub organization.
|
||||
|
||||
With multitenancy, you can let ARC manage self-hosted runners across organizations. It's enabled by default and the only thing you need to start using it is to set the `spec.githubAPICredentialsFrom.secretRef.name` fields for the following resources:
|
||||
|
||||
- `HorizontalRunnerAutoscaler`
|
||||
- `RunnerSet`
|
||||
|
||||
Or `spec.template.spec.githubAPICredentialsFrom.secretRef.name` field for the following resource:
|
||||
|
||||
- `RunnerDeployment`
|
||||
|
||||
> Although not explained above, `spec.githubAPICredentialsFrom` fields do exist in `Runner` and `RunnerReplicaSet`. A comparable pod annotation exists for the runner pod, too.
|
||||
> However, note that `Runner`, `RunnerReplicaSet` and runner pods are implementation details and are managed by `RunnerDeployment` and ARC.
|
||||
> Usually you don't need to manually set the fields for those resources.
|
||||
|
||||
`githubAPICredentialsFrom.secretRef.name` should refer to the name of the Kubernetes secret that contains either PAT or GitHub App credentials that is used for GitHub API calls for the said resource.
|
||||
|
||||
Usually, you should have a set of GitHub App credentials per a GitHub organization and you would have a RunnerDeployment and a HorizontalRunnerAutoscaler per an organization runner group. So, you might end up having the following resources for each organization:
|
||||
|
||||
- 1 Kuernetes secret that contains GitHub App credentials
|
||||
- 1 RunnerDeployment/RunnerSet and 1 HorizontalRunnerAutoscaler per Runner Group
|
||||
|
||||
And the RunnerDeployment/RunnerSet and HorizontalRunnerAutoscaler should have the same value for `spec.githubAPICredentialsFrom.secretRef.name`, which refers to the name of the Kubernetes secret.
|
||||
|
||||
```yaml
|
||||
kind: Secret
|
||||
data:
|
||||
github_app_id: ...
|
||||
github_app_installation_id: ...
|
||||
github_app_private_key: ...
|
||||
---
|
||||
kind: RunnerDeployment
|
||||
metadata:
|
||||
namespace: org1-runners
|
||||
spec:
|
||||
githubAPICredentialsFrom:
|
||||
secretRef:
|
||||
name: org1-github-app
|
||||
---
|
||||
kind: HorizontalRunnerAutoscaler
|
||||
metadata:
|
||||
namespace: org1-runners
|
||||
spec:
|
||||
githubAPICredentialsFrom:
|
||||
secretRef:
|
||||
name: org1-github-app
|
||||
```
|
||||
|
||||
> Do note that, as shown in the above example, you usually set the same secret name to `githubAPICredentialsFrom.secretRef.name` fields of both `RunnerDeployment` and `HorizontalRunnerAutoscaler`, so that GitHub API calls for the same set of runners shares the specified credentials, regardless of
|
||||
when and which varying ARC component(`horizontalrunnerautoscaler-controller`, `runnerdeployment-controller`, `runnerreplicaset-controller`, `runner-controller` or `runnerpod-controller`) makes specific API calls.
|
||||
> Just don't be surprised you have to repeat `githubAPICredentialsFrom.secretRef.name` settings among two resources!
|
||||
|
||||
Please refer to [Deploying Using GitHub App Authentication](#deploying-using-github-app-authentication) for how you could create the Kubernetes secret containing GitHub App credentials.
|
||||
|
||||
# Troubleshooting
|
||||
|
||||
See [troubleshooting guide](TROUBLESHOOTING.md) for solutions to various problems people have run into consistently.
|
||||
|
||||
Reference in New Issue
Block a user