diff --git a/.github/workflows/gha-validate-chart.yaml b/.github/workflows/gha-validate-chart.yaml index 70a67de2..a33fd74e 100644 --- a/.github/workflows/gha-validate-chart.yaml +++ b/.github/workflows/gha-validate-chart.yaml @@ -18,7 +18,7 @@ on: workflow_dispatch: env: KUBE_SCORE_VERSION: 1.16.1 - HELM_VERSION: v3.8.0 + HELM_VERSION: v3.17.0 permissions: contents: read @@ -46,22 +46,6 @@ jobs: with: version: ${{ env.HELM_VERSION }} - - name: Set up kube-score - run: | - wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score - chmod 755 kube-score - - - name: Kube-score generated manifests - run: helm template --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - - --ignore-test pod-networkpolicy - --ignore-test deployment-has-poddisruptionbudget - --ignore-test deployment-has-host-podantiaffinity - --ignore-test container-security-context - --ignore-test pod-probes - --ignore-test container-image-tag - --enable-optional-test container-security-context-privileged - --enable-optional-test container-security-context-readonlyrootfilesystem - # python is a requirement for the chart-testing action below (supports yamllint among other tests) - uses: actions/setup-python@v5 with: diff --git a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml index 39ebfef8..c5ad2e38 100644 --- a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml +++ b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml @@ -1,3 +1,4 @@ +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.autoscalingRunnerSet) }} apiVersion: actions.github.com/v1alpha1 kind: AutoscalingRunnerSet metadata: 
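Review bot: The new first line of autoscalingrunnerset.yaml, `$hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.autoscalingRunnerSet)`, is nil-safe only when `and` short-circuits, which Go templates do from Go 1.18 on. A Helm binary built with an older Go evaluates the second argument even when `resourceMeta` is unset (it is commented out in values.yaml), and rendering is then likely to fail with a nil-pointer error. The same expression opens the other templates touched by this commit (githubsecret.yaml, kube_mode_role.yaml, kube_mode_role_binding.yaml, kube_mode_serviceaccount.yaml, manager_role.yaml, manager_role_binding.yaml, no_permission_serviceaccount.yaml). A lookup that does not depend on evaluation order would be `{{- $resourceMeta := dig "autoscalingRunnerSet" dict (.Values.resourceMeta | default dict) }}`, with the later `with` blocks reading `$resourceMeta.labels` and `$resourceMeta.annotations`. If dropping older Helm releases is intended, the minimum version should be stated in the chart's documentation, since the workflow bump to v3.17.0 is the only trace of it here.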
@@ -10,9 +11,25 @@ metadata: name: {{ include "gha-runner-scale-set.scale-set-name" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.autoscalingRunnerSet.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} app.kubernetes.io/component: "autoscaling-runner-set" {{- include "gha-runner-scale-set.labels" . | nindent 4 }} annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.autoscalingRunnerSet.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }} {{- $containerMode := .Values.containerMode }} {{- if not (kindIs "string" .Values.githubConfigSecret) }} diff --git a/charts/gha-runner-scale-set/templates/githubsecret.yaml b/charts/gha-runner-scale-set/templates/githubsecret.yaml index 67282c18..4cee4669 100644 --- a/charts/gha-runner-scale-set/templates/githubsecret.yaml +++ b/charts/gha-runner-scale-set/templates/githubsecret.yaml 
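Review bot: Under `labels:` and `annotations:` the user-supplied maps are emitted ahead of the chart's own keys, so a colliding key (the new test sets `app.kubernetes.io/part-of` this way) renders as a duplicate mapping key, and the reserved value survives only where the consumer keeps the last occurrence. Duplicate keys are invalid YAML, and a stricter parser in a post-renderer or GitOps pipeline may reject the manifest or resolve it differently, which matters for chart-owned keys such as `actions.github.com/values-hash`. Merging the maps in the template and emitting each block once makes the precedence explicit; the same applies to the labels and annotations blocks added in the other templates of this commit. The fence is a sketch for the labels block only and has not been rendered against the chart.

```yaml
  labels:
    {{- $userLabels := .Values.labels | default dict }}
    {{- $resourceLabels := dig "autoscalingRunnerSet" "labels" dict (.Values.resourceMeta | default dict) }}
    {{- $componentLabel := dict "app.kubernetes.io/component" "autoscaling-runner-set" }}
    {{- $chartLabels := include "gha-runner-scale-set.labels" . | fromYaml }}
    {{- /* rightmost map wins, so chart-owned keys cannot be overridden */ -}}
    {{- toYaml (mergeOverwrite (dict) $userLabels $resourceLabels $componentLabel $chartLabels) | nindent 4 }}
  # … unchanged: annotations block, merged the same way with the values-hash entry last …
```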
@@ -1,11 +1,29 @@ {{- if not (kindIs "string" .Values.githubConfigSecret) }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.githubConfigSecret) }} apiVersion: v1 kind: Secret metadata: name: {{ include "gha-runner-scale-set.githubsecret" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.githubConfigSecret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.githubConfigSecret.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection data: diff --git a/charts/gha-runner-scale-set/templates/kube_mode_role.yaml b/charts/gha-runner-scale-set/templates/kube_mode_role.yaml index e82d7b77..1180546e 100644 --- a/charts/gha-runner-scale-set/templates/kube_mode_role.yaml +++ b/charts/gha-runner-scale-set/templates/kube_mode_role.yaml @@ -1,4 +1,5 @@ {{- $containerMode := .Values.containerMode }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRole) }} {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} # default permission for runner pod service account in kubernetes mode (container hook) apiVersion: rbac.authorization.k8s.io/v1 
@@ -6,6 +7,25 @@ kind: Role metadata: name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRole.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRole.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection rules: diff --git a/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml b/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml index 060b9399..9c7f0f41 100644 --- a/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml +++ b/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml 
@@ -1,10 +1,31 @@ {{- $containerMode := .Values.containerMode }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRoleBinding) }} {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "gha-runner-scale-set.kubeModeRoleBindingName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRoleBinding.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRoleBinding.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection roleRef: diff --git a/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml index d0fa4b08..f68ce25b 100644 --- a/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml +++ b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml 
@@ -1,18 +1,34 @@ {{- $containerMode := .Values.containerMode }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeServiceAccount) }} {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }} namespace: {{ .Release.Namespace }} - {{- if .Values.containerMode.kubernetesModeServiceAccount }} - {{- with .Values.containerMode.kubernetesModeServiceAccount.annotations }} + + {{- if or .Values.annotations $hasCustomResourceMeta }} annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeServiceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- end }} + labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeServiceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + finalizers: - actions.github.com/cleanup-protection - labels: - {{- include "gha-runner-scale-set.labels" . | nindent 4 }} {{- end }} diff --git a/charts/gha-runner-scale-set/templates/manager_role.yaml b/charts/gha-runner-scale-set/templates/manager_role.yaml index f6a1e493..260e3c78 100644 --- a/charts/gha-runner-scale-set/templates/manager_role.yaml +++ b/charts/gha-runner-scale-set/templates/manager_role.yaml 
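Review bot: Removing the `.Values.containerMode.kubernetesModeServiceAccount.annotations` lookup means a values file that still sets it (the deleted test used it for `eks.amazonaws.com/role-arn`) renders without error but without the annotation, so the kubernetes-mode ServiceAccount silently loses that binding on upgrade. Either keep the old path as a fallback for a release or make the move loud near the top of the template, for example `{{- if .Values.containerMode.kubernetesModeServiceAccount }}{{- fail "containerMode.kubernetesModeServiceAccount moved to resourceMeta.kubernetesModeServiceAccount" }}{{- end }}`. The new `if or .Values.annotations $hasCustomResourceMeta` guard also differs from the other templates in this commit, which emit `annotations:` unconditionally; choosing one form would make the set easier to audit.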
@@ -1,11 +1,29 @@ +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRole) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "gha-runner-scale-set.managerRoleName" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRole.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} app.kubernetes.io/component: manager-role + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRole.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection rules: diff --git a/charts/gha-runner-scale-set/templates/manager_role_binding.yaml b/charts/gha-runner-scale-set/templates/manager_role_binding.yaml index ce212f77..7b69cde1 100644 --- a/charts/gha-runner-scale-set/templates/manager_role_binding.yaml +++ b/charts/gha-runner-scale-set/templates/manager_role_binding.yaml 
@@ -1,11 +1,29 @@ +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRoleBinding) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "gha-runner-scale-set.managerRoleBindingName" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRoleBinding.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} app.kubernetes.io/component: manager-role-binding + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRoleBinding.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection roleRef: diff --git a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml index f7c9700f..06d4a1cb 100644 --- a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml +++ b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml @@ -1,3 +1,4 @@ +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.noPermissionServiceAccount) }} {{- $containerMode := .Values.containerMode }} {{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} apiVersion: v1 
@@ -6,7 +7,24 @@ metadata: name: {{ include "gha-runner-scale-set.noPermissionServiceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.noPermissionServiceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.noPermissionServiceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection {{- end }} diff --git a/charts/gha-runner-scale-set/tests/template_test.go b/charts/gha-runner-scale-set/tests/template_test.go index 8f5a833e..d7363511 100644 --- a/charts/gha-runner-scale-set/tests/template_test.go +++ b/charts/gha-runner-scale-set/tests/template_test.go 
@@ -742,37 +742,6 @@ func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraInitContainers(t *testin assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[2].Command[0], "InitContainers[2] Command[0] should be ls") } -func TestTemplateRenderedKubernetesModeServiceAccountAnnotations(t *testing.T) { - t.Parallel() - - // Path to the helm chart we will test - helmChartPath, err := filepath.Abs("../../gha-runner-scale-set") - require.NoError(t, err) - - testValuesPath, err := filepath.Abs("../tests/values_kubernetes_mode_service_account_annotations.yaml") - require.NoError(t, err) - - releaseName := "test-runners" - namespaceName := "test-" + strings.ToLower(random.UniqueId()) - - options := &helm.Options{ - Logger: logger.Discard, - SetValues: map[string]string{ - "controllerServiceAccount.name": "arc", - "controllerServiceAccount.namespace": "arc-system", - }, - ValuesFiles: []string{testValuesPath}, - KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), - } - - output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"}) - - var sa corev1.ServiceAccount - helm.UnmarshalK8SYaml(t, output, &sa) - - assert.Equal(t, "arn:aws:iam::123456789012:role/sample-role", sa.Annotations["eks.amazonaws.com/role-arn"], "Annotations should be arn:aws:iam::123456789012:role/sample-role") -} - func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraVolumes(t *testing.T) { t.Parallel() 
@@ -2143,3 +2112,206 @@ func TestAutoscalingRunnerSetAnnotationValuesHash(t *testing.T) { assert.NotEqual(t, firstHash, secondHash) assert.LessOrEqual(t, len(secondHash), 63) } + +func TestCustomLabels(t *testing.T) { + t.Parallel() + + // Path to the helm chart we will test + helmChartPath, err := filepath.Abs("../../gha-runner-scale-set") + require.NoError(t, err) + + releaseName := "test-runners" + namespaceName := "test-" + strings.ToLower(random.UniqueId()) + + options := &helm.Options{ + Logger: logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "controllerServiceAccount.name": "arc", + "containerMode.type": "kubernetes", + "controllerServiceAccount.namespace": "arc-system", + `labels.argocd\.argoproj\.io/sync-wave`: `"1"`, + `labels.app\.kubernetes\.io/part-of`: "no-override", // this shouldn't be overwritten + "resourceMeta.autoscalingRunnerSet.labels.ars-custom": "ars-custom-value", + "resourceMeta.githubConfigSecret.labels.gh-custom": "gh-custom-value", + "resourceMeta.kubernetesModeRole.labels.kmr-custom": "kmr-custom-value", + "resourceMeta.kubernetesModeRoleBinding.labels.kmrb-custom": "kmrb-custom-value", + "resourceMeta.kubernetesModeServiceAccount.labels.kmsa-custom": "kmsa-custom-value", + "resourceMeta.managerRole.labels.mr-custom": "mr-custom-value", + "resourceMeta.managerRoleBinding.labels.mrb-custom": "mrb-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"}) + + const targetLabel = "argocd.argoproj.io/sync-wave" + const wantCustomValue = `"1"` + const reservedLabel = "app.kubernetes.io/part-of" + const wantReservedValue = "gha-rs" + + var githubSecret corev1.Secret + helm.UnmarshalK8SYaml(t, output, &githubSecret) + assert.Equal(t, wantCustomValue, githubSecret.Labels[targetLabel]) + 
assert.Equal(t, wantReservedValue, githubSecret.Labels[reservedLabel]) + assert.Equal(t, "gh-custom-value", githubSecret.Labels["gh-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"}) + var role rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &role) + assert.Equal(t, wantCustomValue, role.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, role.Labels[reservedLabel]) + assert.Equal(t, "kmr-custom-value", role.Labels["kmr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"}) + var roleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &roleBinding) + assert.Equal(t, wantCustomValue, roleBinding.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, roleBinding.Labels[reservedLabel]) + assert.Equal(t, "kmrb-custom-value", roleBinding.Labels["kmrb-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"}) + var ars v1alpha1.AutoscalingRunnerSet + helm.UnmarshalK8SYaml(t, output, &ars) + assert.Equal(t, wantCustomValue, ars.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, ars.Labels[reservedLabel]) + assert.Equal(t, "ars-custom-value", ars.Labels["ars-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"}) + var serviceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &serviceAccount) + assert.Equal(t, wantCustomValue, serviceAccount.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, serviceAccount.Labels[reservedLabel]) + assert.Equal(t, "kmsa-custom-value", serviceAccount.Labels["kmsa-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"}) + var managerRole rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &managerRole) + assert.Equal(t, 
wantCustomValue, managerRole.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, managerRole.Labels[reservedLabel]) + assert.Equal(t, "mr-custom-value", managerRole.Labels["mr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"}) + var managerRoleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &managerRoleBinding) + assert.Equal(t, wantCustomValue, managerRoleBinding.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, managerRoleBinding.Labels[reservedLabel]) + assert.Equal(t, "mrb-custom-value", managerRoleBinding.Labels["mrb-custom"]) + + options = &helm.Options{ + Logger: logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "controllerServiceAccount.name": "arc", + "controllerServiceAccount.namespace": "arc-system", + `labels.argocd\.argoproj\.io/sync-wave`: `"1"`, + "resourceMeta.noPermissionServiceAccount.labels.npsa-custom": "npsa-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"}) + var noPermissionServiceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount) + assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, noPermissionServiceAccount.Labels[reservedLabel]) + assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Labels["npsa-custom"]) +} + +func TestCustomAnnotations(t *testing.T) { + t.Parallel() + + // Path to the helm chart we will test + helmChartPath, err := filepath.Abs("../../gha-runner-scale-set") + require.NoError(t, err) + + releaseName := "test-runners" + namespaceName := "test-" + strings.ToLower(random.UniqueId()) + + options := &helm.Options{ + Logger: 
logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "containerMode.type": "kubernetes", + "controllerServiceAccount.name": "arc", + "controllerServiceAccount.namespace": "arc-system", + `annotations.argocd\.argoproj\.io/sync-wave`: `"1"`, + "resourceMeta.autoscalingRunnerSet.annotations.ars-custom": "ars-custom-value", + "resourceMeta.githubConfigSecret.annotations.gh-custom": "gh-custom-value", + "resourceMeta.kubernetesModeRole.annotations.kmr-custom": "kmr-custom-value", + "resourceMeta.kubernetesModeRoleBinding.annotations.kmrb-custom": "kmrb-custom-value", + "resourceMeta.kubernetesModeServiceAccount.annotations.kmsa-custom": "kmsa-custom-value", + "resourceMeta.managerRole.annotations.mr-custom": "mr-custom-value", + "resourceMeta.managerRoleBinding.annotations.mrb-custom": "mrb-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + const targetAnnotations = "argocd.argoproj.io/sync-wave" + const wantCustomValue = `"1"` + + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"}) + + var githubSecret corev1.Secret + helm.UnmarshalK8SYaml(t, output, &githubSecret) + assert.Equal(t, wantCustomValue, githubSecret.Annotations[targetAnnotations]) + assert.Equal(t, "gh-custom-value", githubSecret.Annotations["gh-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"}) + var role rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &role) + assert.Equal(t, wantCustomValue, role.Annotations[targetAnnotations]) + assert.Equal(t, "kmr-custom-value", role.Annotations["kmr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"}) + var roleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &roleBinding) + assert.Equal(t, 
wantCustomValue, roleBinding.Annotations[targetAnnotations]) + assert.Equal(t, "kmrb-custom-value", roleBinding.Annotations["kmrb-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"}) + var ars v1alpha1.AutoscalingRunnerSet + helm.UnmarshalK8SYaml(t, output, &ars) + assert.Equal(t, wantCustomValue, ars.Annotations[targetAnnotations]) + assert.Equal(t, "ars-custom-value", ars.Annotations["ars-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"}) + var serviceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &serviceAccount) + assert.Equal(t, wantCustomValue, serviceAccount.Annotations[targetAnnotations]) + assert.Equal(t, "kmsa-custom-value", serviceAccount.Annotations["kmsa-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"}) + var managerRole rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &managerRole) + assert.Equal(t, wantCustomValue, managerRole.Annotations[targetAnnotations]) + assert.Equal(t, "mr-custom-value", managerRole.Annotations["mr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"}) + var managerRoleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &managerRoleBinding) + assert.Equal(t, wantCustomValue, managerRoleBinding.Annotations[targetAnnotations]) + assert.Equal(t, "mrb-custom-value", managerRoleBinding.Annotations["mrb-custom"]) + + options = &helm.Options{ + Logger: logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "controllerServiceAccount.name": "arc", + "controllerServiceAccount.namespace": "arc-system", + `annotations.argocd\.argoproj\.io/sync-wave`: `"1"`, + 
"resourceMeta.noPermissionServiceAccount.annotations.npsa-custom": "npsa-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"}) + var noPermissionServiceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount) + assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Annotations[targetAnnotations]) + assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Annotations["npsa-custom"]) +} diff --git a/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml b/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml deleted file mode 100644 index cf0cc375..00000000 --- a/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml +++ /dev/null @@ -1,8 +0,0 @@ -githubConfigUrl: https://github.com/actions/actions-runner-controller -githubConfigSecret: - github_token: test -containerMode: - type: kubernetes - kubernetesModeServiceAccount: - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/sample-role diff --git a/charts/gha-runner-scale-set/values.yaml b/charts/gha-runner-scale-set/values.yaml index 214a2dce..7c32b436 100644 --- a/charts/gha-runner-scale-set/values.yaml +++ b/charts/gha-runner-scale-set/values.yaml 
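Review bot: In `TestCustomLabels` the sync-wave label is passed through `SetValues` with literal quote characters around the 1, and `wantCustomValue` asserts that the rendered label value still contains them; a value with quotes is not a valid Kubernetes label value, so the test pins output the API server would reject. Passing it as a string keeps the case realistic: move the `labels.argocd\.argoproj\.io/sync-wave` entry into `SetStrValues` with the value `1` and set `const wantCustomValue = "1"`. The reserved-key check on `app.kubernetes.io/part-of` exists only for labels; `TestCustomAnnotations` would benefit from the same check against `actions.github.com/values-hash` on the AutoscalingRunnerSet.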
@@ -4,15 +4,15 @@ githubConfigUrl: "" ## githubConfigSecret is the k8s secret information to use when authenticating via the GitHub API. ## You can choose to supply: -## A) a PAT token, -## B) a GitHub App, or +## A) a PAT token, +## B) a GitHub App, or ## C) a pre-defined Kubernetes secret. ## The syntax for each of these variations is documented below. ## (Variation A) When using a PAT token, the syntax is as follows: githubConfigSecret: - # Example: + # Example: # github_token: "ghp_sampleSampleSampleSampleSampleSample" - github_token: "" + github_token: "" # ## (Variation B) When using a GitHub App, the syntax is as follows: # githubConfigSecret: @@ -100,8 +100,7 @@ githubConfigSecret: # resources: # requests: # storage: 1Gi -# kubernetesModeServiceAccount: -# annotations: +# ## listenerTemplate is the PodSpec for each listener Pod ## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec 
@@ -216,3 +215,63 @@ template: # controllerServiceAccount: # namespace: arc-system # name: test-arc-gha-runner-scale-set-controller + +## Optional annotations and labels applied to all resources created by helm installation +## +## Annotations applied to all resources created by this helm chart. Annotations will not override the default ones, so make sure +## the custom annotation is not reserved. +# annotations: +# key: value +## +## Labels applied to all resources created by this helm chart. Labels will not override the default ones, so make sure +## the custom label is not reserved. +# labels: +# key: value + +## If you want more fine-grained control over annotations applied to particular resource created by this chart, +## you can use `resourceMeta`. +## Order of applying labels and annotations is: +## 1. Apply labels/annotations globally, using `annotations` and `labels` field +## 2. Apply `resourceMeta` labels/annotations +## 3. Apply reserved labels/annotations +# resourceMeta: +# autoscalingRunnerSet: +# labels: +# key: value +# annotations: +# key: value +# githubConfigSecret: +# labels: +# key: value +# annotations: +# key: value +# kubernetesModeRole: +# labels: +# key: value +# annotations: +# key: value +# kubernetesModeRoleBinding: +# labels: +# key: value +# annotations: +# key: value +# kubernetesModeServiceAccount: +# labels: +# key: value +# annotations: +# key: value +# managerRole: +# labels: +# key: value +# annotations: +# key: value +# managerRoleBinding: +# labels: +# key: value +# annotations: +# key: value +# noPermissionServiceAccount: +# labels: +# key: value +# annotations: +# key: value
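Review bot: The new comment block explains ordering but omits two things an operator needs to use these keys safely. Global `annotations` and `labels` are applied to every resource the chart creates, including the Secret and both ServiceAccounts, so annotations that bind an identity or trigger another controller belong under the matching `resourceMeta` entry; I would add `## Global entries reach every resource, including the Secret and the ServiceAccounts; put identity-related annotations under resourceMeta instead.` Values are also passed through `toYaml` unchanged, so a number or boolean has to be quoted in the values file; the examples could show that as `#   key: "value"`. The opening sentence of the `resourceMeta` paragraph mentions only annotations although labels are supported too.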