Include custom annotations and labels to all resources created by gha-runner-scale-set chart (#3934)

.github/workflows/gha-validate-chart.yaml

@@ -18,7 +18,7 @@ on:
   workflow_dispatch:
 env:
   KUBE_SCORE_VERSION: 1.16.1
-  HELM_VERSION: v3.8.0
+  HELM_VERSION: v3.17.0
 
 permissions:
   contents: read
@@ -46,22 +46,6 @@ jobs:
         with:
           version: ${{ env.HELM_VERSION }}
 
-      - name: Set up kube-score
-        run: |
-          wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score
-          chmod 755 kube-score
-
-      - name: Kube-score generated manifests
-        run: helm template  --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score -
-              --ignore-test pod-networkpolicy
-              --ignore-test deployment-has-poddisruptionbudget
-              --ignore-test deployment-has-host-podantiaffinity
-              --ignore-test container-security-context
-              --ignore-test pod-probes
-              --ignore-test container-image-tag
-              --enable-optional-test container-security-context-privileged
-              --enable-optional-test container-security-context-readonlyrootfilesystem
-
       # python is a requirement for the chart-testing action below (supports yamllint among other tests)
       - uses: actions/setup-python@v5
         with:

charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml

@@ -1,3 +1,4 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.autoscalingRunnerSet) }}
 apiVersion: actions.github.com/v1alpha1
 kind: AutoscalingRunnerSet
 metadata:
@@ -10,9 +11,25 @@ metadata:
   name: {{ include "gha-runner-scale-set.scale-set-name" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.autoscalingRunnerSet.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     app.kubernetes.io/component: "autoscaling-runner-set"
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
   annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.autoscalingRunnerSet.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
     {{- $containerMode := .Values.containerMode }}
     {{- if not (kindIs "string" .Values.githubConfigSecret) }}

charts/gha-runner-scale-set/templates/githubsecret.yaml

@@ -1,11 +1,29 @@
 {{- if not (kindIs "string" .Values.githubConfigSecret) }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.githubConfigSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gha-runner-scale-set.githubsecret" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.githubConfigSecret.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.githubConfigSecret.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 data:

charts/gha-runner-scale-set/templates/kube_mode_role.yaml

@@ -1,4 +1,5 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRole) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 # default permission for runner pod service account in kubernetes mode (container hook)
 apiVersion: rbac.authorization.k8s.io/v1
@@ -6,6 +7,25 @@ kind: Role
 metadata:
   name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRole.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRole.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 rules:

charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml

@@ -1,10 +1,31 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRoleBinding) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set.kubeModeRoleBindingName" . }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRoleBinding.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeRoleBinding.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 roleRef:

charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml

@@ -1,18 +1,34 @@
 {{- $containerMode := .Values.containerMode }}
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeServiceAccount) }}
 {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.containerMode.kubernetesModeServiceAccount }}
+
-  {{- with .Values.containerMode.kubernetesModeServiceAccount.annotations }}
+  {{- if or .Values.annotations $hasCustomResourceMeta }}
   annotations:
-  {{- toYaml . | nindent 4 }}
+    {{- with .Values.annotations }}
-  {{- end }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeServiceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   {{- end }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.kubernetesModeServiceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+
   finalizers:
     - actions.github.com/cleanup-protection
-  labels:
-    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
 {{- end }}

charts/gha-runner-scale-set/templates/manager_role.yaml

@@ -1,11 +1,29 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRole) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "gha-runner-scale-set.managerRoleName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRole.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
     app.kubernetes.io/component: manager-role
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRole.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 rules:

charts/gha-runner-scale-set/templates/manager_role_binding.yaml

@@ -1,11 +1,29 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRoleBinding) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "gha-runner-scale-set.managerRoleBindingName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRoleBinding.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
     app.kubernetes.io/component: manager-role-binding
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.managerRoleBinding.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 roleRef:

charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml

@@ -1,3 +1,4 @@
+{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.noPermissionServiceAccount) }}
 {{- $containerMode := .Values.containerMode }}
 {{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
 apiVersion: v1
@@ -6,7 +7,24 @@ metadata:
   name: {{ include "gha-runner-scale-set.noPermissionServiceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.noPermissionServiceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
     {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if $hasCustomResourceMeta }}
+    {{- with .Values.resourceMeta.noPermissionServiceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   finalizers:
     - actions.github.com/cleanup-protection
 {{- end }}

charts/gha-runner-scale-set/tests/template_test.go

@@ -742,37 +742,6 @@ func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraInitContainers(t *testin
 	assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[2].Command[0], "InitContainers[2] Command[0] should be ls")
 }
 
-func TestTemplateRenderedKubernetesModeServiceAccountAnnotations(t *testing.T) {
-	t.Parallel()
-
-	// Path to the helm chart we will test
-	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
-	require.NoError(t, err)
-
-	testValuesPath, err := filepath.Abs("../tests/values_kubernetes_mode_service_account_annotations.yaml")
-	require.NoError(t, err)
-
-	releaseName := "test-runners"
-	namespaceName := "test-" + strings.ToLower(random.UniqueId())
-
-	options := &helm.Options{
-		Logger: logger.Discard,
-		SetValues: map[string]string{
-			"controllerServiceAccount.name":      "arc",
-			"controllerServiceAccount.namespace": "arc-system",
-		},
-		ValuesFiles:    []string{testValuesPath},
-		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
-	}
-
-	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"})
-
-	var sa corev1.ServiceAccount
-	helm.UnmarshalK8SYaml(t, output, &sa)
-
-	assert.Equal(t, "arn:aws:iam::123456789012:role/sample-role", sa.Annotations["eks.amazonaws.com/role-arn"], "Annotations should be arn:aws:iam::123456789012:role/sample-role")
-}
-
 func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraVolumes(t *testing.T) {
 	t.Parallel()
 
@@ -2143,3 +2112,206 @@ func TestAutoscalingRunnerSetAnnotationValuesHash(t *testing.T) {
 	assert.NotEqual(t, firstHash, secondHash)
 	assert.LessOrEqual(t, len(secondHash), 63)
 }
+
+func TestCustomLabels(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                              "https://github.com/actions",
+			"githubConfigSecret.github_token":                              "gh_token12345",
+			"controllerServiceAccount.name":                                "arc",
+			"containerMode.type":                                           "kubernetes",
+			"controllerServiceAccount.namespace":                           "arc-system",
+			`labels.argocd\.argoproj\.io/sync-wave`:                        `"1"`,
+			`labels.app\.kubernetes\.io/part-of`:                           "no-override", // this shouldn't be overwritten
+			"resourceMeta.autoscalingRunnerSet.labels.ars-custom":          "ars-custom-value",
+			"resourceMeta.githubConfigSecret.labels.gh-custom":             "gh-custom-value",
+			"resourceMeta.kubernetesModeRole.labels.kmr-custom":            "kmr-custom-value",
+			"resourceMeta.kubernetesModeRoleBinding.labels.kmrb-custom":    "kmrb-custom-value",
+			"resourceMeta.kubernetesModeServiceAccount.labels.kmsa-custom": "kmsa-custom-value",
+			"resourceMeta.managerRole.labels.mr-custom":                    "mr-custom-value",
+			"resourceMeta.managerRoleBinding.labels.mrb-custom":            "mrb-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"})
+
+	const targetLabel = "argocd.argoproj.io/sync-wave"
+	const wantCustomValue = `"1"`
+	const reservedLabel = "app.kubernetes.io/part-of"
+	const wantReservedValue = "gha-rs"
+
+	var githubSecret corev1.Secret
+	helm.UnmarshalK8SYaml(t, output, &githubSecret)
+	assert.Equal(t, wantCustomValue, githubSecret.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, githubSecret.Labels[reservedLabel])
+	assert.Equal(t, "gh-custom-value", githubSecret.Labels["gh-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"})
+	var role rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &role)
+	assert.Equal(t, wantCustomValue, role.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, role.Labels[reservedLabel])
+	assert.Equal(t, "kmr-custom-value", role.Labels["kmr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"})
+	var roleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &roleBinding)
+	assert.Equal(t, wantCustomValue, roleBinding.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, roleBinding.Labels[reservedLabel])
+	assert.Equal(t, "kmrb-custom-value", roleBinding.Labels["kmrb-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+	var ars v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &ars)
+	assert.Equal(t, wantCustomValue, ars.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, ars.Labels[reservedLabel])
+	assert.Equal(t, "ars-custom-value", ars.Labels["ars-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"})
+	var serviceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &serviceAccount)
+	assert.Equal(t, wantCustomValue, serviceAccount.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, serviceAccount.Labels[reservedLabel])
+	assert.Equal(t, "kmsa-custom-value", serviceAccount.Labels["kmsa-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"})
+	var managerRole rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &managerRole)
+	assert.Equal(t, wantCustomValue, managerRole.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, managerRole.Labels[reservedLabel])
+	assert.Equal(t, "mr-custom-value", managerRole.Labels["mr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"})
+	var managerRoleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &managerRoleBinding)
+	assert.Equal(t, wantCustomValue, managerRoleBinding.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, managerRoleBinding.Labels[reservedLabel])
+	assert.Equal(t, "mrb-custom-value", managerRoleBinding.Labels["mrb-custom"])
+
+	options = &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                            "https://github.com/actions",
+			"githubConfigSecret.github_token":                            "gh_token12345",
+			"controllerServiceAccount.name":                              "arc",
+			"controllerServiceAccount.namespace":                         "arc-system",
+			`labels.argocd\.argoproj\.io/sync-wave`:                      `"1"`,
+			"resourceMeta.noPermissionServiceAccount.labels.npsa-custom": "npsa-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"})
+	var noPermissionServiceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount)
+	assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Labels[targetLabel])
+	assert.Equal(t, wantReservedValue, noPermissionServiceAccount.Labels[reservedLabel])
+	assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Labels["npsa-custom"])
+}
+
+func TestCustomAnnotations(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                                   "https://github.com/actions",
+			"githubConfigSecret.github_token":                                   "gh_token12345",
+			"containerMode.type":                                                "kubernetes",
+			"controllerServiceAccount.name":                                     "arc",
+			"controllerServiceAccount.namespace":                                "arc-system",
+			`annotations.argocd\.argoproj\.io/sync-wave`:                        `"1"`,
+			"resourceMeta.autoscalingRunnerSet.annotations.ars-custom":          "ars-custom-value",
+			"resourceMeta.githubConfigSecret.annotations.gh-custom":             "gh-custom-value",
+			"resourceMeta.kubernetesModeRole.annotations.kmr-custom":            "kmr-custom-value",
+			"resourceMeta.kubernetesModeRoleBinding.annotations.kmrb-custom":    "kmrb-custom-value",
+			"resourceMeta.kubernetesModeServiceAccount.annotations.kmsa-custom": "kmsa-custom-value",
+			"resourceMeta.managerRole.annotations.mr-custom":                    "mr-custom-value",
+			"resourceMeta.managerRoleBinding.annotations.mrb-custom":            "mrb-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	const targetAnnotations = "argocd.argoproj.io/sync-wave"
+	const wantCustomValue = `"1"`
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"})
+
+	var githubSecret corev1.Secret
+	helm.UnmarshalK8SYaml(t, output, &githubSecret)
+	assert.Equal(t, wantCustomValue, githubSecret.Annotations[targetAnnotations])
+	assert.Equal(t, "gh-custom-value", githubSecret.Annotations["gh-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"})
+	var role rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &role)
+	assert.Equal(t, wantCustomValue, role.Annotations[targetAnnotations])
+	assert.Equal(t, "kmr-custom-value", role.Annotations["kmr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"})
+	var roleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &roleBinding)
+	assert.Equal(t, wantCustomValue, roleBinding.Annotations[targetAnnotations])
+	assert.Equal(t, "kmrb-custom-value", roleBinding.Annotations["kmrb-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+	var ars v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &ars)
+	assert.Equal(t, wantCustomValue, ars.Annotations[targetAnnotations])
+	assert.Equal(t, "ars-custom-value", ars.Annotations["ars-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"})
+	var serviceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &serviceAccount)
+	assert.Equal(t, wantCustomValue, serviceAccount.Annotations[targetAnnotations])
+	assert.Equal(t, "kmsa-custom-value", serviceAccount.Annotations["kmsa-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"})
+	var managerRole rbacv1.Role
+	helm.UnmarshalK8SYaml(t, output, &managerRole)
+	assert.Equal(t, wantCustomValue, managerRole.Annotations[targetAnnotations])
+	assert.Equal(t, "mr-custom-value", managerRole.Annotations["mr-custom"])
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"})
+	var managerRoleBinding rbacv1.RoleBinding
+	helm.UnmarshalK8SYaml(t, output, &managerRoleBinding)
+	assert.Equal(t, wantCustomValue, managerRoleBinding.Annotations[targetAnnotations])
+	assert.Equal(t, "mrb-custom-value", managerRoleBinding.Annotations["mrb-custom"])
+
+	options = &helm.Options{
+		Logger: logger.Discard,
+		SetValues: map[string]string{
+			"githubConfigUrl":                                                 "https://github.com/actions",
+			"githubConfigSecret.github_token":                                 "gh_token12345",
+			"controllerServiceAccount.name":                                   "arc",
+			"controllerServiceAccount.namespace":                              "arc-system",
+			`annotations.argocd\.argoproj\.io/sync-wave`:                      `"1"`,
+			"resourceMeta.noPermissionServiceAccount.annotations.npsa-custom": "npsa-custom-value",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"})
+	var noPermissionServiceAccount corev1.ServiceAccount
+	helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount)
+	assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Annotations[targetAnnotations])
+	assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Annotations["npsa-custom"])
+}

charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml

@@ -1,8 +0,0 @@
-githubConfigUrl: https://github.com/actions/actions-runner-controller
-githubConfigSecret:
-  github_token: test
-containerMode:
-  type: kubernetes
-  kubernetesModeServiceAccount:
-    annotations:
-      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/sample-role

charts/gha-runner-scale-set/values.yaml

@@ -4,15 +4,15 @@ githubConfigUrl: ""
 
 ## githubConfigSecret is the k8s secret information to use when authenticating via the GitHub API.
 ## You can choose to supply:
-##   A) a PAT token, 
+##   A) a PAT token,
-##   B) a GitHub App, or 
+##   B) a GitHub App, or
 ##   C) a pre-defined Kubernetes secret.
 ## The syntax for each of these variations is documented below.
 ## (Variation A) When using a PAT token, the syntax is as follows:
 githubConfigSecret:
-  # Example:  
+  # Example:
   # github_token: "ghp_sampleSampleSampleSampleSampleSample"
-  github_token: ""  
+  github_token: ""
 #
 ## (Variation B) When using a GitHub App, the syntax is as follows:
 # githubConfigSecret:
@@ -100,8 +100,7 @@ githubConfigSecret:
 #     resources:
 #       requests:
 #         storage: 1Gi
-#   kubernetesModeServiceAccount:
+#
-#     annotations:
 
 ## listenerTemplate is the PodSpec for each listener Pod
 ## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
@@ -216,3 +215,63 @@ template:
 # controllerServiceAccount:
 #   namespace: arc-system
 #   name: test-arc-gha-runner-scale-set-controller
+
+## Optional annotations and labels applied to all resources created by helm installation
+##
+## Annotations applied to all resources created by this helm chart. Annotations will not override the default ones, so make sure
+## the custom annotation is not reserved.
+# annotations:
+#   key: value
+##
+## Labels applied to all resources created by this helm chart. Labels will not override the default ones, so make sure
+## the custom label is not reserved.
+# labels:
+#   key: value
+
+## If you want more fine-grained control over annotations applied to particular resource created by this chart,
+## you can use `resourceMeta`.
+## Order of applying labels and annotations is:
+## 1. Apply labels/annotations globally, using `annotations` and `labels` field
+## 2. Apply `resourceMeta` labels/annotations
+## 3. Apply reserved labels/annotations
+# resourceMeta:
+#   autoscalingRunnerSet:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value
+#   githubConfigSecret:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value
+#   kubernetesModeRole:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value
+#   kubernetesModeRoleBinding:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value
+#   kubernetesModeServiceAccount:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value
+#   managerRole:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value
+#   managerRoleBinding:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value
+#   noPermissionServiceAccount:
+#     labels:
+#       key: value
+#     annotations:
+#       key: value