actions/actions-runner-controller
1
0
Fork 0
mirror of https://github.com/actions/actions-runner-controller.git synced 2026-01-17 17:28:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix charts and start implementing githubsecret.yaml

Browse Source
This commit is contained in:
Nikola Jokic
2026-01-16 18:02:11 +01:00
parent 600b45b598
commit 69767cca51
4 changed files with 187 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
charts/gha-runner-scale-set-dev/templates/_helpers.tpl
View File

@@ -15,10 +15,35 @@
The name of the GitHub secret used for authentication. The name of the GitHub secret used for authentication.
*/}} */}}
{{- define "github-secret.name" -}} {{- define "github-secret.name" -}}
{{- if not (empty .Values.auth.secretName) }} {{- if not (empty .Values.auth.secretName) -}}
{{- quote .Values.auth.secretName }} {{- .Values.auth.secretName -}}
{{- else }} {{- else -}}
{{- include "autoscaling-runner-set.name" . }}-github-secret {{- include "autoscaling-runner-set.name" . }}-github-secret
{{- end -}}
{{- end }}
{{/*
Create the labels for the GitHub auth secret.
*/}}
{{- define "github-secret.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "github-secret" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the GitHub auth secret.
Only global annotations are applied.
Reserved annotations are excluded.
*/}}
{{- define "github-secret.annotations" -}}
{{- $annotations := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }} {{- end }}
{{- end }} {{- end }}

28
charts/gha-runner-scale-set-dev/templates/githubsecret.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") -}}
{{- if and (not $usesKubernetesSecrets) (empty .Values.auth.secretName) -}}
{{- fail ".Values.auth.secretName is required when .Values.secretResolution.type is not \"kubernetes\"" -}}
{{- end -}}
{{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "github-secret.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "github-secret.labels" . | nindent 4 }}
annotations:
{{- include "github-secret.annotations" . | nindent 4 }}
finalizers:
- actions.github.com/cleanup-protection
type: Opaque
data:
{{- if not (empty .Values.auth.app.clientId) }}
github_app_id: {{ .Values.auth.app.clientId | toString | b64enc }}
github_app_installation_id: {{ required ".Values.auth.app.installationId is required when using GitHub App auth" .Values.auth.app.installationId | toString | b64enc }}
github_app_private_key: {{ required ".Values.auth.app.privateKey is required when using GitHub App auth" .Values.auth.app.privateKey | toString | b64enc }}
{{- else }}
github_token: {{ required ".Values.auth.githubToken is required when auth.secretName and auth.app.clientId are not set" .Values.auth.githubToken | toString | b64enc }}
{{- end }}
{{- end -}}

4
charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_auth_test.yaml
View File

@@ -74,7 +74,7 @@ tests:
asserts: asserts:
- equal: - equal:
path: spec.githubConfigSecret path: spec.githubConfigSecret
value: '"custom-github-secret"' value: "custom-github-secret"
- it: should render default runnerGroup when not configured - it: should render default runnerGroup when not configured
set: set:
@@ -230,7 +230,7 @@ tests:
value: "https://github.com/myorg" value: "https://github.com/myorg"
- equal: - equal:
path: spec.githubConfigSecret path: spec.githubConfigSecret
value: '"gh-token-secret"' value: "gh-token-secret"
- equal: - equal:
path: spec.runnerGroup path: spec.runnerGroup
value: "prod-group" value: "prod-group"

129
charts/gha-runner-scale-set-dev/tests/github_secret_labels_test.yaml Normal file
View File

@@ -0,0 +1,129 @@
suite: "Test GitHub Secret Labels"
templates:
- githubsecret.yaml
tests:
- it: should render base labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "github-secret"
- equal:
path: metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: metadata.labels["app.kubernetes.io/part-of"]
value: "gha-rs"
- equal:
path: metadata.labels["app.kubernetes.io/version"]
value: "0.14.0"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- it: should include global labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
labels:
global-team: "platform"
owner: "devops"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["owner"]
value: "devops"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "github-secret"
- it: should drop actions.github.com custom labels from global config
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
labels:
owner: "devops"
actions.github.com/global-custom: "global-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["owner"]
value: "devops"
- notExists:
path: metadata.labels["actions.github.com/global-custom"]
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- it: should not allow global labels to override reserved labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
labels:
helm.sh/chart: "bad"
app.kubernetes.io/name: "bad"
app.kubernetes.io/instance: "bad"
app.kubernetes.io/component: "bad"
actions.github.com/scale-set-name: "bad"
actions.github.com/scale-set-namespace: "bad"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "github-secret"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"