diff --git a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl index 829bfbd6..6027e0b3 100644 --- a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl +++ b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl @@ -15,10 +15,35 @@ The name of the GitHub secret used for authentication. */}} {{- define "github-secret.name" -}} -{{- if not (empty .Values.auth.secretName) }} -{{- quote .Values.auth.secretName }} -{{- else }} +{{- if not (empty .Values.auth.secretName) -}} +{{- .Values.auth.secretName -}} +{{- else -}} {{- include "autoscaling-runner-set.name" . }}-github-secret +{{- end -}} +{{- end }} + + +{{/* +Create the labels for the GitHub auth secret. +*/}} +{{- define "github-secret.labels" -}} +{{- $resourceLabels := dict "app.kubernetes.io/component" "github-secret" -}} +{{- $commonLabels := include "gha-common-labels" . | fromYaml -}} +{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}} +{{- toYaml (mergeOverwrite $global $resourceLabels $commonLabels) }} +{{- end }} + + +{{/* +Create the annotations for the GitHub auth secret. + +Only global annotations are applied. +Reserved annotations are excluded. +*/}} +{{- define "github-secret.annotations" -}} +{{- $annotations := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}} +{{- if not (empty $annotations) -}} +{{- toYaml $annotations }} {{- end }} {{- end }} diff --git a/charts/gha-runner-scale-set-dev/templates/githubsecret.yaml b/charts/gha-runner-scale-set-dev/templates/githubsecret.yaml new file mode 100644 index 00000000..0630891e --- /dev/null +++ b/charts/gha-runner-scale-set-dev/templates/githubsecret.yaml 
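Review bot: `github-secret.name` now returns the bare value of `.Values.auth.secretName` instead of quoting it, so correct typing depends on every call site applying `| quote`; the new `githubsecret.yaml` does, but any other include of this helper lies outside this diff, and an unquoted name such as `0123` or `yes` would be retyped by the YAML parser rather than stay a string. A header line in the define's comment would make the contract explicit: `Returns the bare secret name (no quoting); call sites must apply | quote.` Separately, `github-secret.annotations` emits nothing when the filtered map is empty, while `githubsecret.yaml` always writes the `annotations:` key, so that key renders with a null value whenever no global annotations are set; either guard the key at the call site or drop the `if` here so an empty map is emitted, but the two should agree. Note that the two closing `{{- end }}` lines are shared context with the old `github-secret.name` body, so the hunk reads correctly only with that alignment in mind.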
@@ -0,0 +1,28 @@
+{{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") -}}
+
+{{- if and (not $usesKubernetesSecrets) (empty .Values.auth.secretName) -}}
+ {{- fail ".Values.auth.secretName is required when .Values.secretResolution.type is not \"kubernetes\"" -}}
+{{- end -}}
+
+{{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "github-secret.name" . | quote }}
+ namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+ labels:
+ {{- include "github-secret.labels" . | nindent 4 }}
+ annotations:
+ {{- include "github-secret.annotations" . | nindent 4 }}
+ finalizers:
+ - actions.github.com/cleanup-protection
+type: Opaque
+data:
+ {{- if not (empty .Values.auth.app.clientId) }}
+ github_app_id: {{ .Values.auth.app.clientId | toString | b64enc }}
+ github_app_installation_id: {{ required ".Values.auth.app.installationId is required when using GitHub App auth" .Values.auth.app.installationId | toString | b64enc }}
+ github_app_private_key: {{ required ".Values.auth.app.privateKey is required when using GitHub App auth" .Values.auth.app.privateKey | toString | b64enc }}
+ {{- else }}
+ github_token: {{ required ".Values.auth.githubToken is required when auth.secretName and auth.app.clientId are not set" .Values.auth.githubToken | toString | b64enc }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_auth_test.yaml b/charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_auth_test.yaml
index 981f106e..a0f6fbac 100644
--- a/charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_auth_test.yaml
+++ b/charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_auth_test.yaml
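Review bot: The `$usesKubernetesSecrets` expression on the first line treats only a wholly absent `.Values.secretResolution` as the Kubernetes case; if the block is present without a `type` key, `eq` compares a nil value with `"kubernetes"`, the variable becomes false, and an empty `auth.secretName` reaches the `fail` whose message claims the type is not `"kubernetes"` even though no type was set. If an unset type is meant to default to Kubernetes secrets, `(eq (.Values.secretResolution.type | default "kubernetes") "kubernetes")` says so and keeps the error message truthful; if it is meant to be an error, the `fail` message should name the unset case. On Helm builds compiled with Go older than 1.18 `or` did not short-circuit, so the `.type` lookup would also be evaluated when `secretResolution` is nil; presumably the chart's minimum Helm version rules that out, but it is worth confirming.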
@@ -74,7 +74,7 @@ tests: asserts: - equal: path: spec.githubConfigSecret - value: '"custom-github-secret"' + value: "custom-github-secret" - it: should render default runnerGroup when not configured set: @@ -230,7 +230,7 @@ tests: value: "https://github.com/myorg" - equal: path: spec.githubConfigSecret - value: '"gh-token-secret"' + value: "gh-token-secret" - equal: path: spec.runnerGroup value: "prod-group" diff --git a/charts/gha-runner-scale-set-dev/tests/github_secret_labels_test.yaml b/charts/gha-runner-scale-set-dev/tests/github_secret_labels_test.yaml new file mode 100644 index 00000000..9e60a70c --- /dev/null +++ b/charts/gha-runner-scale-set-dev/tests/github_secret_labels_test.yaml 
@@ -0,0 +1,129 @@
+suite: "Test GitHub Secret Labels"
+templates:
+ - githubsecret.yaml
+tests:
+ - it: should render base labels
+ set:
+ scaleset.name: "test"
+ auth.url: "https://github.com/org"
+ auth.githubToken: "gh_token12345"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ chart:
+ appVersion: "0.14.0"
+ asserts:
+ - equal:
+ path: metadata.labels["helm.sh/chart"]
+ value: "gha-rs-0.14.0"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/name"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/instance"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/component"]
+ value: "github-secret"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/managed-by"]
+ value: "Helm"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/part-of"]
+ value: "gha-rs"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/version"]
+ value: "0.14.0"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-name"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-namespace"]
+ value: "test-namespace"
+
+ - it: should include global labels
+ set:
+ scaleset.name: "test"
+ auth.url: "https://github.com/org"
+ auth.githubToken: "gh_token12345"
+ resource:
+ all:
+ metadata:
+ labels:
+ global-team: "platform"
+ owner: "devops"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ asserts:
+ - equal:
+ path: metadata.labels["global-team"]
+ value: "platform"
+ - equal:
+ path: metadata.labels["owner"]
+ value: "devops"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/component"]
+ value: "github-secret"
+
+ - it: should drop actions.github.com custom labels from global config
+ set:
+ scaleset.name: "test"
+ auth.url: "https://github.com/org"
+ auth.githubToken: "gh_token12345"
+ resource:
+ all:
+ metadata:
+ labels:
+ owner: "devops"
+ actions.github.com/global-custom: "global-value"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ asserts:
+ - equal:
+ path: metadata.labels["owner"]
+ value: "devops"
+ - notExists:
+ path: metadata.labels["actions.github.com/global-custom"]
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-name"]
+ value: "test-name"
+
+ - it: should not allow global labels to override reserved labels
+ set:
+ scaleset.name: "test"
+ auth.url: "https://github.com/org"
+ auth.githubToken: "gh_token12345"
+ resource:
+ all:
+ metadata:
+ labels:
+ helm.sh/chart: "bad"
+ app.kubernetes.io/name: "bad"
+ app.kubernetes.io/instance: "bad"
+ app.kubernetes.io/component: "bad"
+ actions.github.com/scale-set-name: "bad"
+ actions.github.com/scale-set-namespace: "bad"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ asserts:
+ - equal:
+ path: metadata.labels["helm.sh/chart"]
+ value: "gha-rs-0.14.0"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/name"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/instance"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/component"]
+ value: "github-secret"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-name"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-namespace"]
+ value: "test-namespace"
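Review bot: The last test asserts `metadata.labels["helm.sh/chart"]` equals `"gha-rs-0.14.0"` without the `chart: appVersion: "0.14.0"` override that the first test sets, so the two tests pin the same literal under different conditions. If that override is what keeps the first test stable, the last one will fail on the next version bump although the behaviour under test (reserved labels winning over global ones) is unchanged; if the label is derived from the chart's own version instead, both tests will, and the override in the first is misleading. Either way the intent of this test is only that `"bad"` does not win, so a `notEqual` with `value: "bad"` on that path would assert exactly that without coupling the test to the version.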