Add support for proxy (#2286)

Co-authored-by: Nikola Jokic <jokicnikola07@gmail.com>
Co-authored-by: Tingluo Huang <tingluohuang@github.com>
Co-authored-by: Ferenc Hammerl <fhammerl@github.com>

controllers/actions.github.com/ephemeralrunnerset_controller_test.go

@@ -2,7 +2,11 @@ package actionsgithubcom
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -11,11 +15,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/go-logr/logr"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	actionsv1alpha1 "github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
+	v1alpha1 "github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
+	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/actions/actions-runner-controller/github/actions/fake"
 )
 
@@ -585,3 +592,315 @@ var _ = Describe("Test EphemeralRunnerSet controller", func() {
 		})
 	})
 })
+
+var _ = Describe("Test EphemeralRunnerSet controller with proxy settings", func() {
+	var ctx context.Context
+	var cancel context.CancelFunc
+	autoscalingNS := new(corev1.Namespace)
+	ephemeralRunnerSet := new(actionsv1alpha1.EphemeralRunnerSet)
+	configSecret := new(corev1.Secret)
+
+	BeforeEach(func() {
+		ctx, cancel = context.WithCancel(context.TODO())
+		autoscalingNS = &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{Name: "testns-autoscaling-runnerset" + RandStringRunes(5)},
+		}
+
+		err := k8sClient.Create(ctx, autoscalingNS)
+		Expect(err).NotTo(HaveOccurred(), "failed to create test namespace for EphemeralRunnerSet")
+
+		configSecret = &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "github-config-secret",
+				Namespace: autoscalingNS.Name,
+			},
+			Data: map[string][]byte{
+				"github_token": []byte(ephemeralRunnerSetTestGitHubToken),
+			},
+		}
+
+		err = k8sClient.Create(ctx, configSecret)
+		Expect(err).NotTo(HaveOccurred(), "failed to create config secret")
+
+		mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+			Namespace:          autoscalingNS.Name,
+			MetricsBindAddress: "0",
+		})
+		Expect(err).NotTo(HaveOccurred(), "failed to create manager")
+
+		controller := &EphemeralRunnerSetReconciler{
+			Client:        mgr.GetClient(),
+			Scheme:        mgr.GetScheme(),
+			Log:           logf.Log,
+			ActionsClient: actions.NewMultiClient("test", logr.Discard()),
+		}
+		err = controller.SetupWithManager(mgr)
+		Expect(err).NotTo(HaveOccurred(), "failed to setup controller")
+
+		go func() {
+			defer GinkgoRecover()
+
+			err := mgr.Start(ctx)
+			Expect(err).NotTo(HaveOccurred(), "failed to start manager")
+		}()
+	})
+
+	AfterEach(func() {
+		defer cancel()
+
+		err := k8sClient.Delete(ctx, autoscalingNS)
+		Expect(err).NotTo(HaveOccurred(), "failed to delete test namespace for EphemeralRunnerSet")
+	})
+
+	It("should create a proxy secret and delete the proxy secreat after the runner-set is deleted", func() {
+		secretCredentials := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "proxy-credentials",
+				Namespace: autoscalingNS.Name,
+			},
+			Data: map[string][]byte{
+				"username": []byte("username"),
+				"password": []byte("password"),
+			},
+		}
+
+		err := k8sClient.Create(ctx, secretCredentials)
+		Expect(err).NotTo(HaveOccurred(), "failed to create secret credentials")
+
+		ephemeralRunnerSet = &actionsv1alpha1.EphemeralRunnerSet{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-asrs",
+				Namespace: autoscalingNS.Name,
+			},
+			Spec: actionsv1alpha1.EphemeralRunnerSetSpec{
+				Replicas: 1,
+				EphemeralRunnerSpec: actionsv1alpha1.EphemeralRunnerSpec{
+					GitHubConfigUrl:    "http://example.com/owner/repo",
+					GitHubConfigSecret: configSecret.Name,
+					RunnerScaleSetId:   100,
+					Proxy: &v1alpha1.ProxyConfig{
+						HTTP: &v1alpha1.ProxyServerConfig{
+							Url:                 "http://proxy.example.com",
+							CredentialSecretRef: secretCredentials.Name,
+						},
+						HTTPS: &v1alpha1.ProxyServerConfig{
+							Url:                 "https://proxy.example.com",
+							CredentialSecretRef: secretCredentials.Name,
+						},
+						NoProxy: []string{"example.com", "example.org"},
+					},
+					PodTemplateSpec: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{
+								{
+									Name:  "runner",
+									Image: "ghcr.io/actions/runner",
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+
+		err = k8sClient.Create(ctx, ephemeralRunnerSet)
+		Expect(err).NotTo(HaveOccurred(), "failed to create EphemeralRunnerSet")
+
+		Eventually(func(g Gomega) {
+			// Compiled / flattened proxy secret should exist at this point
+			actualProxySecret := &corev1.Secret{}
+			err = k8sClient.Get(ctx, client.ObjectKey{
+				Namespace: autoscalingNS.Name,
+				Name:      proxyEphemeralRunnerSetSecretName(ephemeralRunnerSet),
+			}, actualProxySecret)
+			g.Expect(err).NotTo(HaveOccurred(), "failed to get compiled / flattened proxy secret")
+
+			secretFetcher := func(name string) (*corev1.Secret, error) {
+				secret := &corev1.Secret{}
+				err = k8sClient.Get(ctx, client.ObjectKey{
+					Namespace: autoscalingNS.Name,
+					Name:      name,
+				}, secret)
+				return secret, err
+			}
+
+			// Assert that the proxy secret is created with the correct values
+			expectedData, err := ephemeralRunnerSet.Spec.EphemeralRunnerSpec.Proxy.ToSecretData(secretFetcher)
+			g.Expect(err).NotTo(HaveOccurred(), "failed to get proxy secret data")
+			g.Expect(actualProxySecret.Data).To(Equal(expectedData))
+		},
+			ephemeralRunnerSetTestTimeout,
+			ephemeralRunnerSetTestInterval,
+		).Should(Succeed(), "compiled / flattened proxy secret should exist")
+
+		Eventually(func(g Gomega) {
+			runnerList := new(actionsv1alpha1.EphemeralRunnerList)
+			err := k8sClient.List(ctx, runnerList, client.InNamespace(ephemeralRunnerSet.Namespace))
+			g.Expect(err).NotTo(HaveOccurred(), "failed to list EphemeralRunners")
+
+			for _, runner := range runnerList.Items {
+				g.Expect(runner.Spec.ProxySecretRef).To(Equal(proxyEphemeralRunnerSetSecretName(ephemeralRunnerSet)))
+			}
+		}, ephemeralRunnerSetTestTimeout, ephemeralRunnerSetTestInterval).Should(Succeed(), "EphemeralRunners should have a reference to the proxy secret")
+
+		// patch ephemeral runner set to have 0 replicas
+		patch := client.MergeFrom(ephemeralRunnerSet.DeepCopy())
+		ephemeralRunnerSet.Spec.Replicas = 0
+		err = k8sClient.Patch(ctx, ephemeralRunnerSet, patch)
+		Expect(err).NotTo(HaveOccurred(), "failed to patch EphemeralRunnerSet")
+
+		// Set pods to PodSucceeded to simulate an actual EphemeralRunner stopping
+		Eventually(
+			func(g Gomega) (int, error) {
+				runnerList := new(actionsv1alpha1.EphemeralRunnerList)
+				err := k8sClient.List(ctx, runnerList, client.InNamespace(ephemeralRunnerSet.Namespace))
+				if err != nil {
+					return -1, err
+				}
+
+				// Set status to simulate a configured EphemeralRunner
+				refetch := false
+				for i, runner := range runnerList.Items {
+					if runner.Status.RunnerId == 0 {
+						updatedRunner := runner.DeepCopy()
+						updatedRunner.Status.Phase = corev1.PodSucceeded
+						updatedRunner.Status.RunnerId = i + 100
+						err = k8sClient.Status().Patch(ctx, updatedRunner, client.MergeFrom(&runner))
+						Expect(err).NotTo(HaveOccurred(), "failed to update EphemeralRunner")
+						refetch = true
+					}
+				}
+
+				if refetch {
+					err := k8sClient.List(ctx, runnerList, client.InNamespace(ephemeralRunnerSet.Namespace))
+					if err != nil {
+						return -1, err
+					}
+				}
+
+				return len(runnerList.Items), nil
+			},
+			ephemeralRunnerSetTestTimeout,
+			ephemeralRunnerSetTestInterval).Should(BeEquivalentTo(1), "1 EphemeralRunner should exist")
+
+		// Delete the EphemeralRunnerSet
+		err = k8sClient.Delete(ctx, ephemeralRunnerSet)
+		Expect(err).NotTo(HaveOccurred(), "failed to delete EphemeralRunnerSet")
+
+		// Assert that the proxy secret is deleted
+		Eventually(func(g Gomega) {
+			proxySecret := &corev1.Secret{}
+			err = k8sClient.Get(ctx, client.ObjectKey{
+				Namespace: autoscalingNS.Name,
+				Name:      proxyEphemeralRunnerSetSecretName(ephemeralRunnerSet),
+			}, proxySecret)
+			g.Expect(err).To(HaveOccurred(), "proxy secret should be deleted")
+			g.Expect(kerrors.IsNotFound(err)).To(BeTrue(), "proxy secret should be deleted")
+		},
+			ephemeralRunnerSetTestTimeout,
+			ephemeralRunnerSetTestInterval,
+		).Should(Succeed(), "proxy secret should be deleted")
+	})
+
+	It("should configure the actions client to use proxy details", func() {
+		secretCredentials := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "proxy-credentials",
+				Namespace: autoscalingNS.Name,
+			},
+			Data: map[string][]byte{
+				"username": []byte("test"),
+				"password": []byte("password"),
+			},
+		}
+
+		err := k8sClient.Create(ctx, secretCredentials)
+		Expect(err).NotTo(HaveOccurred(), "failed to create secret credentials")
+
+		proxySuccessfulllyCalled := false
+		proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			header := r.Header.Get("Proxy-Authorization")
+			Expect(header).NotTo(BeEmpty())
+
+			header = strings.TrimPrefix(header, "Basic ")
+			decoded, err := base64.StdEncoding.DecodeString(header)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(string(decoded)).To(Equal("test:password"))
+
+			proxySuccessfulllyCalled = true
+			w.WriteHeader(http.StatusOK)
+		}))
+		GinkgoT().Cleanup(func() {
+			proxy.Close()
+		})
+
+		ephemeralRunnerSet = &actionsv1alpha1.EphemeralRunnerSet{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-asrs",
+				Namespace: autoscalingNS.Name,
+			},
+			Spec: actionsv1alpha1.EphemeralRunnerSetSpec{
+				Replicas: 1,
+				EphemeralRunnerSpec: actionsv1alpha1.EphemeralRunnerSpec{
+					GitHubConfigUrl:    "http://example.com/owner/repo",
+					GitHubConfigSecret: configSecret.Name,
+					RunnerScaleSetId:   100,
+					Proxy: &v1alpha1.ProxyConfig{
+						HTTP: &v1alpha1.ProxyServerConfig{
+							Url:                 proxy.URL,
+							CredentialSecretRef: "proxy-credentials",
+						},
+					},
+					PodTemplateSpec: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{
+								{
+									Name:  "runner",
+									Image: "ghcr.io/actions/runner",
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+
+		err = k8sClient.Create(ctx, ephemeralRunnerSet)
+		Expect(err).NotTo(HaveOccurred(), "failed to create EphemeralRunnerSet")
+
+		runnerList := new(actionsv1alpha1.EphemeralRunnerList)
+		Eventually(func() (int, error) {
+			err := k8sClient.List(ctx, runnerList, client.InNamespace(ephemeralRunnerSet.Namespace))
+			if err != nil {
+				return -1, err
+			}
+
+			return len(runnerList.Items), nil
+		},
+			ephemeralRunnerSetTestTimeout,
+			ephemeralRunnerSetTestInterval,
+		).Should(BeEquivalentTo(1), "failed to create ephemeral runner")
+
+		runner := runnerList.Items[0].DeepCopy()
+		runner.Status.Phase = corev1.PodRunning
+		runner.Status.RunnerId = 100
+		err = k8sClient.Status().Patch(ctx, runner, client.MergeFrom(&runnerList.Items[0]))
+		Expect(err).NotTo(HaveOccurred(), "failed to update ephemeral runner status")
+
+		updatedRunnerSet := new(actionsv1alpha1.EphemeralRunnerSet)
+		err = k8sClient.Get(ctx, client.ObjectKey{Namespace: ephemeralRunnerSet.Namespace, Name: ephemeralRunnerSet.Name}, updatedRunnerSet)
+		Expect(err).NotTo(HaveOccurred(), "failed to get EphemeralRunnerSet")
+
+		updatedRunnerSet.Spec.Replicas = 0
+		err = k8sClient.Update(ctx, updatedRunnerSet)
+		Expect(err).NotTo(HaveOccurred(), "failed to update EphemeralRunnerSet")
+
+		Eventually(
+			func() bool {
+				return proxySuccessfulllyCalled
+			},
+			2*time.Second,
+			interval,
+		).Should(BeEquivalentTo(true))
+	})
+})