rewriting the gha-runner-scale-set-chart

Nikola Jokic
2025-11-07 11:38:24 +01:00
parent d3ca9de3ca
commit a5961e75f3
43 changed files with 4553 additions and 0 deletions


@@ -0,0 +1,79 @@
suite: "Test AutoscalingRunnerSet Annotations"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should render values-hash annotation
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- exists:
path: metadata.annotations["actions.github.com/values-hash"]
- it: should merge global and resource annotations (resource overrides global)
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
all:
metadata:
annotations:
a: "global"
shared: "global"
autoscalingRunnerSet:
metadata:
annotations:
b: "resource"
shared: "resource"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.annotations.a
value: "global"
- equal:
path: metadata.annotations.b
value: "resource"
- equal:
path: metadata.annotations.shared
value: "resource"
- it: should not allow overriding reserved values-hash annotation
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
all:
metadata:
annotations:
actions.github.com/values-hash: "user-value"
ok: "ok"
autoscalingRunnerSet:
metadata:
annotations:
actions.github.com/cleanup-something: "should-not-render"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.annotations.ok
value: "ok"
- notEqual:
path: metadata.annotations["actions.github.com/values-hash"]
value: "user-value"
- notExists:
path: metadata.annotations["actions.github.com/cleanup-something"]
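Review bot: The last case, `should not allow overriding reserved values-hash annotation`, also asserts that `actions.github.com/cleanup-something` set under `resource.autoscalingRunnerSet` is not rendered, which the name does not mention. I would rename it along the lines of `should drop user-supplied actions.github.com/* annotations and keep the computed values-hash`, or split it into two cases. Its `notEqual` against `"user-value"` alone does not establish that a chart-computed hash is present, so adding `- exists:` on `metadata.annotations["actions.github.com/values-hash"]` next to it would pin the intended outcome.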


@@ -0,0 +1,245 @@
suite: "Test AutoscalingRunnerSet Authentication & Configuration"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should require githubConfigUrl
set:
scaleset.name: "test"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.auth.url is required"
- it: should render githubConfigUrl from auth.url
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.githubConfigUrl
value: "https://github.com/org"
- it: should trim trailing slash from githubConfigUrl
set:
scaleset.name: "test"
auth.url: "https://github.com/org/"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.githubConfigUrl
value: "https://github.com/org"
- it: should render default githubConfigSecret from release name
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.githubConfigSecret
value: "test-name-github-secret"
- it: should render custom githubConfigSecret when auth.secretName is provided
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
auth.secretName: "custom-github-secret"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.githubConfigSecret
value: "custom-github-secret"
- it: should render default runnerGroup when not configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.runnerGroup
value: "default"
- it: should render custom runnerGroup when configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
scaleset.runnerGroup: "custom-group"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.runnerGroup
value: "custom-group"
- it: should render runnerGroup with special characters
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
scaleset.runnerGroup: "my-custom-runner-group-123"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.runnerGroup
value: "my-custom-runner-group-123"
- it: should render runnerScaleSetName from scaleset.name
set:
scaleset.name: "my-runner-set"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.runnerScaleSetName
value: "my-runner-set"
- it: should use release name as metadata name when runnerScaleSetName not provided
set:
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "release-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.name
value: "release-name"
- it: should use scaleset.name for spec.runnerScaleSetName when provided
set:
scaleset.name: "spec-runner-name"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "release-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.runnerScaleSetName
value: "spec-runner-name"
- it: should not normalize underscores in runnerScaleSetName (underscores are preserved)
set:
scaleset.name: "my_runner_set"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.runnerScaleSetName
value: "my_runner_set"
- it: should reject metadata name exceeding 45 characters
set:
runnerScaleSetName: "this-is-a-very-long-name-that-exceeds-forty-five-characters-long"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: "Autoscaling runner set name must have up to 45 characters"
- it: should handle githubConfigUrl with enterprise GitHub instance
set:
scaleset.name: "test"
auth.url: "https://github.enterprise.com/api/v3"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.githubConfigUrl
value: "https://github.enterprise.com/api/v3"
- it: should render all configuration together
set:
runnerScaleSetName: "prod-runners"
scaleset.name: "prod-spec-name"
auth.url: "https://github.com/myorg"
auth.githubToken: "gh_token12345"
auth.secretName: "gh-token-secret"
scaleset.runnerGroup: "prod-group"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "prod-scale-set"
namespace: "arc"
asserts:
- equal:
path: spec.githubConfigUrl
value: "https://github.com/myorg"
- equal:
path: spec.githubConfigSecret
value: "gh-token-secret"
- equal:
path: spec.runnerGroup
value: "prod-group"
- equal:
path: spec.runnerScaleSetName
value: "prod-spec-name"
- equal:
path: metadata.name
value: "prod-runners"
- equal:
path: metadata.namespace
value: "arc"
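Review bot: Every case in this file sets `auth.githubToken`, including `should render custom githubConfigSecret when auth.secretName is provided`, so the path where an operator supplies only a pre-created secret is never exercised. That path keeps the token out of Helm values and release history, so if the chart supports it, it deserves a case that sets `auth.secretName` without `auth.githubToken` and asserts `spec.githubConfigSecret`. A `failedTemplate` case for neither being set would also be useful. Separately, `should render runnerGroup with special characters` uses `my-custom-runner-group-123`, which contains only letters, digits and hyphens, so the name overstates what is tested.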


@@ -0,0 +1,342 @@
suite: "AutoscalingRunnerSet dind mode podspec"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should render the default dind pod spec (initContainers, runner container, volumes)
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "dind"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.initContainers[0].name
value: init-dind-externals
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/actions/actions-runner:latest
- equal:
path: spec.template.spec.initContainers[0].command[0]
value: cp
- equal:
path: spec.template.spec.initContainers[1].name
value: dind
- equal:
path: spec.template.spec.initContainers[1].image
value: docker:dind
- equal:
path: spec.template.spec.initContainers[1].args[0]
value: dockerd
- equal:
path: spec.template.spec.initContainers[1].args[1]
value: --host=unix:///var/run/docker.sock
- equal:
path: spec.template.spec.initContainers[1].args[2]
value: --group=$(DOCKER_GROUP_GID)
- equal:
path: spec.template.spec.initContainers[1].env[0].name
value: DOCKER_GROUP_GID
- equal:
path: spec.template.spec.initContainers[1].env[0].value
value: "123"
- equal:
path: spec.template.spec.initContainers[1].securityContext.privileged
value: true
- equal:
path: spec.template.spec.initContainers[1].startupProbe.exec.command[0]
value: docker
- equal:
path: spec.template.spec.initContainers[1].startupProbe.exec.command[1]
value: info
- equal:
path: spec.template.spec.initContainers[1].volumeMounts[0].name
value: work
- equal:
path: spec.template.spec.initContainers[1].volumeMounts[0].mountPath
value: /home/runner/_work
- equal:
path: spec.template.spec.initContainers[1].volumeMounts[1].name
value: dind-sock
- equal:
path: spec.template.spec.initContainers[1].volumeMounts[1].mountPath
value: /var/run
- equal:
path: spec.template.spec.containers[0].name
value: runner
- equal:
path: spec.template.spec.containers[0].image
value: ghcr.io/actions/actions-runner:latest
- equal:
path: spec.template.spec.containers[0].env[0].name
value: DOCKER_HOST
- equal:
path: spec.template.spec.containers[0].env[0].value
value: unix:///var/run/docker.sock
- equal:
path: spec.template.spec.containers[0].env[1].name
value: RUNNER_WAIT_FOR_DOCKER_IN_SECONDS
- equal:
path: spec.template.spec.containers[0].env[1].value
value: "120"
- equal:
path: spec.template.spec.containers[0].volumeMounts[0].name
value: work
- equal:
path: spec.template.spec.containers[0].volumeMounts[0].mountPath
value: /home/runner/_work
- equal:
path: spec.template.spec.containers[0].volumeMounts[1].name
value: dind-sock
- equal:
path: spec.template.spec.containers[0].volumeMounts[1].mountPath
value: /var/run
- contains:
path: spec.template.spec.volumes
content:
name: work
emptyDir: {}
- contains:
path: spec.template.spec.volumes
content:
name: dind-sock
emptyDir: {}
- contains:
path: spec.template.spec.volumes
content:
name: dind-externals
emptyDir: {}
- it: should omit init-dind-externals and dind-externals volume when copyExternals is false
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "dind"
dind:
copyExternals: false
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.initContainers[0].name
value: dind
- notExists:
path: spec.template.spec.initContainers[1]
- notExists:
path: spec.template.spec.volumes[2]
- notExists:
path: spec.template.spec.initContainers[0].volumeMounts[2]
- it: should allow overriding dind container name, image, and securityContext
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "dind"
dind:
container:
name: "dockerd-custom"
image: "docker:27.3-dind"
securityContext:
privileged: false
runAsUser: 1000
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.initContainers[1].name
value: dockerd-custom
- equal:
path: spec.template.spec.initContainers[1].image
value: docker:27.3-dind
- equal:
path: spec.template.spec.initContainers[1].securityContext.privileged
value: false
- equal:
path: spec.template.spec.initContainers[1].securityContext.runAsUser
value: 1000
- it: should respect dockerSock override in DOCKER_HOST, mountPath, and dind args
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "dind"
dind:
dockerSock: "unix:///var/run/custom/docker.sock"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.containers[0].env[0].name
value: DOCKER_HOST
- equal:
path: spec.template.spec.containers[0].env[0].value
value: unix:///var/run/custom/docker.sock
- equal:
path: spec.template.spec.containers[0].volumeMounts[1].mountPath
value: /var/run/custom
- equal:
path: spec.template.spec.initContainers[1].volumeMounts[1].mountPath
value: /var/run/custom
- equal:
path: spec.template.spec.initContainers[1].args[1]
value: --host=unix:///var/run/custom/docker.sock
- it: should respect waitForDockerInSeconds override
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "dind"
dind:
waitForDockerInSeconds: 30
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.containers[0].env[1].name
value: RUNNER_WAIT_FOR_DOCKER_IN_SECONDS
- equal:
path: spec.template.spec.containers[0].env[1].value
value: "30"
- it: should include extraInitContainers in dind mode
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "dind"
pod:
spec:
initContainers:
- name: "extra-init-1"
image: "busybox:1.36"
imagePullPolicy: IfNotPresent
command:
- "sh"
- "-c"
args:
- "echo extra-init && env | grep FOO"
env:
- name: FOO
value: BAR
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
securityContext:
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- name: work
mountPath: /work
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.initContainers[0].name
value: init-dind-externals
- equal:
path: spec.template.spec.initContainers[1].name
value: extra-init-1
- equal:
path: spec.template.spec.initContainers[1].image
value: busybox:1.36
- equal:
path: spec.template.spec.initContainers[1].imagePullPolicy
value: IfNotPresent
- equal:
path: spec.template.spec.initContainers[1].command[0]
value: sh
- equal:
path: spec.template.spec.initContainers[1].args[0]
value: echo extra-init && env | grep FOO
- equal:
path: spec.template.spec.initContainers[1].env[0].name
value: FOO
- equal:
path: spec.template.spec.initContainers[1].env[0].value
value: BAR
- equal:
path: spec.template.spec.initContainers[1].resources.requests.cpu
value: 10m
- equal:
path: spec.template.spec.initContainers[1].resources.requests.memory
value: 16Mi
- equal:
path: spec.template.spec.initContainers[1].resources.limits.cpu
value: 100m
- equal:
path: spec.template.spec.initContainers[1].resources.limits.memory
value: 64Mi
- equal:
path: spec.template.spec.initContainers[1].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.initContainers[1].securityContext.runAsUser
value: 1000
- equal:
path: spec.template.spec.initContainers[1].volumeMounts[0].name
value: work
- equal:
path: spec.template.spec.initContainers[1].volumeMounts[0].mountPath
value: /work
- equal:
path: spec.template.spec.initContainers[2].name
value: dind
- it: should include extraVolumes in dind mode
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "dind"
pod:
spec:
volumes:
- name: "cache"
emptyDir: {}
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: cache
emptyDir: {}
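Review bot: The default-spec case fixes the chart defaults to the mutable tags `ghcr.io/actions/actions-runner:latest` and `docker:dind`, the latter for an init container that the same case asserts runs with `securityContext.privileged: true`. With a floating tag the image content of a privileged container can change between pod starts without any chart change. Consider defaulting to a version or digest in the chart values and asserting that here, as the override case already does with `docker:27.3-dind`. Also, the `copyExternals: false` case checks that `initContainers[0].volumeMounts[2]` is absent, but the default case never asserts that a third mount exists on the dind container, so that negative check has no positive counterpart.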


@@ -0,0 +1,84 @@
suite: "AutoscalingRunnerSet extraContainers"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should append extraContainers after the runner container
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
containers:
- name: "sidecar"
image: "busybox:1.36"
command: ["sh", "-c", "sleep 3600"]
resources:
limits:
cpu: "250m"
memory: "64Mi"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: runner
- equal:
path: spec.template.spec.containers[1].name
value: sidecar
- equal:
path: spec.template.spec.containers[1].image
value: busybox:1.36
- equal:
path: spec.template.spec.containers[1].resources.limits.cpu
value: 250m
- equal:
path: spec.template.spec.containers[1].resources.limits.memory
value: 64Mi
- it: should fail when runner.pod.spec.containers is not a list
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
containers:
name: "not-a-list"
image: "busybox:1.36"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.runner.pod.spec.containers must be a list of container specifications"
- it: should fail when a container is named runner
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
containers:
- name: "runner"
image: "busybox:1.36"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.runner.pod.spec.containers[].name must not be 'runner' (reserved)"
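Review bot: The reserved-name case covers only an entry named `runner` in `runner.pod.spec.containers` under `mode: "kubernetes"`. Kubernetes requires container names to be unique across `containers` and `initContainers` in a pod, so a user container named like a chart-rendered init container (`dind` or `init-dind-externals` in dind mode), or a user init container named `runner`, would presumably render and only be rejected at admission. If the template is meant to validate names, add `failedTemplate` cases for those collisions. If it is not, a comment above this case stating that only `runner` is reserved would make the scope explicit.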


@@ -0,0 +1,84 @@
suite: "AutoscalingRunnerSet initContainers"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should render initContainers when runner.pod.spec.initContainers configured in non-dind mode
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
pod:
spec:
initContainers:
- name: "extra-init-1"
image: "busybox:1.36"
imagePullPolicy: IfNotPresent
command:
- "sh"
- "-c"
args:
- "echo non-dind extra init"
env:
- name: FOO
value: BAR
securityContext:
runAsNonRoot: true
runAsUser: 1000
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.initContainers[0].name
value: extra-init-1
- equal:
path: spec.template.spec.initContainers[0].image
value: busybox:1.36
- equal:
path: spec.template.spec.initContainers[0].imagePullPolicy
value: IfNotPresent
- equal:
path: spec.template.spec.initContainers[0].command[0]
value: sh
- equal:
path: spec.template.spec.initContainers[0].args[0]
value: echo non-dind extra init
- equal:
path: spec.template.spec.initContainers[0].env[0].name
value: FOO
- equal:
path: spec.template.spec.initContainers[0].env[0].value
value: BAR
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsUser
value: 1000
- equal:
path: spec.template.spec.initContainers[0].resources.requests.cpu
value: 10m
- equal:
path: spec.template.spec.initContainers[0].resources.requests.memory
value: 16Mi
- equal:
path: spec.template.spec.initContainers[0].resources.limits.cpu
value: 100m
- equal:
path: spec.template.spec.initContainers[0].resources.limits.memory
value: 64Mi
- notExists:
path: spec.template.spec.initContainers[1]
- equal:
path: spec.template.spec.containers[0].name
value: runner


@@ -0,0 +1,61 @@
suite: "GitHub Server TLS"
templates:
- autoscalingrunnserset.yaml
- manager_role.yaml
tests:
- it: should render spec.githubServerTLS and allow manager role to read the configmap
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
githubServerTLS:
certificateFrom:
configMapKeyRef:
name: "my-ca-config"
key: "ca.crt"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.githubServerTLS.certificateFrom.configMapKeyRef.name
value: my-ca-config
template: autoscalingrunnserset.yaml
- equal:
path: spec.githubServerTLS.certificateFrom.configMapKeyRef.key
value: ca.crt
template: autoscalingrunnserset.yaml
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- configmaps
verbs:
- get
template: manager_role.yaml
- it: should not include the manager role configmap rule when githubServerTLS is not configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notContains:
path: rules
content:
apiGroups:
- ""
resources:
- configmaps
verbs:
- get
template: manager_role.yaml
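Review bot: The manager-role rule asserted in the first case grants `get` on `configmaps` with no `resourceNames`. helm-unittest's `contains` compares the whole element by default, so the rendered rule presumably has exactly these three keys and lets the role read every ConfigMap in the namespace, not only `my-ca-config`. If the template can scope the rule to the referenced ConfigMap, the expected content would gain `resourceNames: ["my-ca-config"]`. The `notContains` in the second case uses the same exact shape, so it would keep passing if a differently shaped configmaps rule (for example with extra verbs) were rendered when TLS is not configured.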


@@ -0,0 +1,133 @@
suite: "AutoscalingRunnerSet kubernetes mode podspec"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should render the default kubernetes pod spec (runner container, ephemeral work volume)
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.template.spec.initContainers
- equal:
path: spec.template.spec.serviceAccountName
value: test-name-kube-mode
- equal:
path: spec.template.spec.containers[0].name
value: runner
- equal:
path: spec.template.spec.containers[0].image
value: ghcr.io/actions/actions-runner:latest
- equal:
path: spec.template.spec.containers[0].env[0].name
value: ACTIONS_RUNNER_CONTAINER_HOOKS
- equal:
path: spec.template.spec.containers[0].env[0].value
value: /home/runner/k8s/index.js
- equal:
path: spec.template.spec.containers[0].env[1].name
value: ACTIONS_RUNNER_POD_NAME
- equal:
path: spec.template.spec.containers[0].env[1].valueFrom.fieldRef.fieldPath
value: metadata.name
- equal:
path: spec.template.spec.containers[0].env[2].name
value: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
- equal:
path: spec.template.spec.containers[0].env[2].value
value: "true"
- equal:
path: spec.template.spec.containers[0].volumeMounts[0].name
value: work
- equal:
path: spec.template.spec.containers[0].volumeMounts[0].mountPath
value: /home/runner/_work
- notExists:
path: spec.template.spec.containers[0].volumeMounts[1]
- equal:
path: spec.template.spec.volumes[0].name
value: work
- equal:
path: spec.template.spec.volumes[0].ephemeral.volumeClaimTemplate.spec.accessModes[0]
value: ReadWriteOnce
- equal:
path: spec.template.spec.volumes[0].ephemeral.volumeClaimTemplate.spec.storageClassName
value: local-path
- equal:
path: spec.template.spec.volumes[0].ephemeral.volumeClaimTemplate.spec.resources.requests.storage
value: 1Gi
- it: should allow overriding kubernetes mode hookPath, requireJobContainer, and workVolumeClaim
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
kubernetesMode:
hookPath: "/home/runner/custom/k8s/index.js"
requireJobContainer: false
workVolumeClaim:
storageClassName: "fast-ssd"
resources:
requests:
storage: 10Gi
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.containers[0].env[0].value
value: /home/runner/custom/k8s/index.js
- equal:
path: spec.template.spec.containers[0].env[2].value
value: "false"
- equal:
path: spec.template.spec.volumes[0].ephemeral.volumeClaimTemplate.spec.storageClassName
value: fast-ssd
- equal:
path: spec.template.spec.volumes[0].ephemeral.volumeClaimTemplate.spec.resources.requests.storage
value: 10Gi
- it: should include extraVolumes in kubernetes mode
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
volumes:
- name: cache
emptyDir: {}
- name: custom-config
configMap:
name: example-config
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: cache
emptyDir: {}
- contains:
path: spec.template.spec.volumes
content:
name: custom-config
configMap:
name: example-config
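Review bot: The override case asserts `containers[0].env[0].value` and `containers[0].env[2].value` without checking the names at those indexes. It therefore depends on the ordering established in the default case and could pass against the wrong variable if an env entry were inserted. A `contains` on `spec.template.spec.containers[0].env` with content `name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER` / `value: "false"` ties the value to the variable, and the same applies to `ACTIONS_RUNNER_CONTAINER_HOOKS`. Because `requireJobContainer: false` relaxes where job steps may run, that override is the one most worth asserting by name.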


@@ -0,0 +1,293 @@
suite: "Test AutoscalingRunnerSet Labels"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should render base labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "autoscaling-runner-set"
- equal:
path: metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: metadata.labels["app.kubernetes.io/part-of"]
value: "gha-rs"
- equal:
path: metadata.labels["app.kubernetes.io/version"]
value: "0.14.0"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- it: should include user-defined labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
autoscalingRunnerSet:
metadata:
labels:
team: "backend"
environment: "production"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["team"]
value: "backend"
- equal:
path: metadata.labels["environment"]
value: "production"
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "autoscaling-runner-set"
- equal:
path: metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: metadata.labels["app.kubernetes.io/part-of"]
value: "gha-rs"
- equal:
path: metadata.labels["app.kubernetes.io/version"]
value: "0.14.0"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- it: should include global labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
all:
metadata:
labels:
global-team: "platform"
owner: "devops"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["owner"]
value: "devops"
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "autoscaling-runner-set"
- equal:
path: metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: metadata.labels["app.kubernetes.io/part-of"]
value: "gha-rs"
- equal:
path: metadata.labels["app.kubernetes.io/version"]
value: "0.14.0"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- it: should merge both user and global labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
autoscalingRunnerSet:
metadata:
labels:
team: "backend"
environment: "staging"
all:
metadata:
labels:
global-team: "platform"
environment: "production"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["team"]
value: "backend"
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["environment"]
value: "staging"
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "autoscaling-runner-set"
- equal:
path: metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: metadata.labels["app.kubernetes.io/part-of"]
value: "gha-rs"
- equal:
path: metadata.labels["app.kubernetes.io/version"]
value: "0.14.0"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- it: should allow user labels to override global labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
autoscalingRunnerSet:
metadata:
labels:
tier: "frontend"
cost-center: "100"
all:
metadata:
labels:
tier: "backend"
environment: "staging"
cost-center: "200"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["tier"]
value: "frontend"
- equal:
path: metadata.labels["cost-center"]
value: "100"
- equal:
path: metadata.labels["environment"]
value: "staging"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- it: should preserve actions.github.com custom labels from user config
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
autoscalingRunnerSet:
metadata:
labels:
team: "backend"
actions.github.com/custom-label: "user-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["team"]
value: "backend"
- notExists:
path: metadata.labels["actions.github.com/custom-label"]
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- it: should preserve actions.github.com custom labels from global config
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
all:
metadata:
labels:
owner: "devops"
actions.github.com/global-custom: "global-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["owner"]
value: "devops"
- notExists:
path: metadata.labels["actions.github.com/global-custom"]
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
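Review bot: The last two cases are named `should preserve actions.github.com custom labels from user config` and `... from global config`, but both assert `notExists` on the custom `actions.github.com/*` label, meaning the label is dropped. The names should say so, e.g. `should drop user-supplied actions.github.com/* labels from resource config`. Also, only the first case sets `chart.appVersion`, while later cases still expect `helm.sh/chart: gha-rs-0.14.0` and `app.kubernetes.io/version: 0.14.0`. Those cases presumably read the versions from Chart.yaml and will fail on the next version bump, so set `chart.version` and `chart.appVersion` in each case or drop the version asserts where they are not the subject.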


@@ -0,0 +1,55 @@
suite: "Test AutoscalingRunnerSet Listener Metrics"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should not render listenerMetrics when not configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.listenerMetrics
- it: should render listenerMetrics when configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
listenerMetrics:
counters:
gha_started_jobs_total:
labels:
- repository
- organization
histograms:
gha_job_startup_duration_seconds:
buckets:
- 0.1
- 1
- 2.5
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- exists:
path: spec.listenerMetrics
- equal:
path: spec.listenerMetrics.counters.gha_started_jobs_total.labels[0]
value: repository
- equal:
path: spec.listenerMetrics.counters.gha_started_jobs_total.labels[1]
value: organization
- contains:
path: spec.listenerMetrics.histograms.gha_job_startup_duration_seconds.buckets
content: 0.1
- contains:
path: spec.listenerMetrics.histograms.gha_job_startup_duration_seconds.buckets
content: 2.5


@@ -0,0 +1,28 @@
suite: "AutoscalingRunnerSet listenerPodTemplate"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should render listenerTemplate from listenerPodTemplate
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
listenerPodTemplate:
spec:
containers:
- name: listener
image: "ghcr.io/actions/actions-runner-controller/actionsmetricsserver:latest"
securityContext:
runAsUser: 1000
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.listenerTemplate.spec.containers[0].name
value: listener
- equal:
path: spec.listenerTemplate.spec.containers[0].securityContext.runAsUser
value: 1000


@@ -0,0 +1,71 @@
suite: "Test AutoscalingRunnerSet MinMax Runners"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should set minRunners and maxRunners correctly
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
scaleset.minRunners: 2
scaleset.maxRunners: 5
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.minRunners
value: 2
- equal:
path: spec.maxRunners
value: 5
- it: should fail when minRunners is greater than maxRunners
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
scaleset.minRunners: 6
scaleset.maxRunners: 5
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate: {}
- it: should work when minRunners equals maxRunners
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
scaleset.minRunners: 5
scaleset.maxRunners: 5
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.minRunners
value: 5
- equal:
path: spec.maxRunners
value: 5
- it: should not set minRunners and maxRunners when not provided
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.minRunners
- notExists:
path: spec.maxRunners
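Review bot: The case `should fail when minRunners is greater than maxRunners` asserts `- failedTemplate: {}`, which is satisfied by any render failure, including one unrelated to the min/max check (a missing required value, for example). The other failure cases in this commit pin the message, and this one should too: `- failedTemplate:` with `errorMessage: "<the chart's minRunners/maxRunners message>"`. The suite also has no case for a negative `scaleset.minRunners` or `scaleset.maxRunners`; whether the template rejects those is not visible here, so a case stating the intended outcome would help.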


@@ -0,0 +1,290 @@
suite: "Test AutoscalingRunnerSet Proxy Configuration"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should not render proxy section when not configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.proxy
- it: should render http proxy configuration
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
http:
url: "http://proxy.example.com:3128"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.http.url
value: "http://proxy.example.com:3128"
- notExists:
path: spec.proxy.https
- it: should render https proxy configuration
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
https:
url: "https://secure-proxy.example.com:3128"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.https.url
value: "https://secure-proxy.example.com:3128"
- notExists:
path: spec.proxy.http
- it: should render both http and https proxy configuration
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
http:
url: "http://proxy.example.com:3128"
https:
url: "https://secure-proxy.example.com:3128"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.http.url
value: "http://proxy.example.com:3128"
- equal:
path: spec.proxy.https.url
value: "https://secure-proxy.example.com:3128"
- it: should render http proxy with credential secret reference
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
http:
url: "http://proxy.example.com:3128"
credentialSecretRef: "proxy-credentials"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.http.url
value: "http://proxy.example.com:3128"
- equal:
path: spec.proxy.http.credentialSecretRef
value: "proxy-credentials"
- it: should render https proxy with credential secret reference
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
https:
url: "https://secure-proxy.example.com:3128"
credentialSecretRef: "secure-proxy-creds"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.https.url
value: "https://secure-proxy.example.com:3128"
- equal:
path: spec.proxy.https.credentialSecretRef
value: "secure-proxy-creds"
- it: should render proxy with noProxy list
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
http:
url: "http://proxy.example.com:3128"
noProxy:
- "localhost"
- "127.0.0.1"
- ".example.local"
- "10.0.0.0/8"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.http.url
value: "http://proxy.example.com:3128"
- contains:
path: spec.proxy.noProxy
content: "localhost"
- contains:
path: spec.proxy.noProxy
content: "127.0.0.1"
- contains:
path: spec.proxy.noProxy
content: ".example.local"
- contains:
path: spec.proxy.noProxy
content: "10.0.0.0/8"
- it: should render complete proxy configuration with all options
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
http:
url: "http://proxy.example.com:3128"
credentialSecretRef: "proxy-credentials"
https:
url: "https://secure-proxy.example.com:3128"
credentialSecretRef: "secure-proxy-creds"
noProxy:
- "localhost"
- "127.0.0.1"
- ".local"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.http.url
value: "http://proxy.example.com:3128"
- equal:
path: spec.proxy.http.credentialSecretRef
value: "proxy-credentials"
- equal:
path: spec.proxy.https.url
value: "https://secure-proxy.example.com:3128"
- equal:
path: spec.proxy.https.credentialSecretRef
value: "secure-proxy-creds"
- contains:
path: spec.proxy.noProxy
content: "localhost"
- contains:
path: spec.proxy.noProxy
content: "127.0.0.1"
- contains:
path: spec.proxy.noProxy
content: ".local"
- it: should render proxy configuration with empty noProxy list
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
http:
url: "http://proxy.example.com:3128"
noProxy: []
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.http.url
value: "http://proxy.example.com:3128"
- notExists:
path: spec.proxy.noProxy
- it: should not render proxy when configured as empty object
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy: {}
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.proxy
- it: should render proxy with only http without credentials
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
http:
url: "http://unauthenticated-proxy.example.com:8080"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.http.url
value: "http://unauthenticated-proxy.example.com:8080"
- notExists:
path: spec.proxy.http.credentialSecretRef
- notExists:
path: spec.proxy.https
- it: should render proxy with https and noProxy without http
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
proxy:
https:
url: "https://secure-proxy.example.com:3128"
noProxy:
- "internal.example.com"
- "*.local"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.proxy.https.url
value: "https://secure-proxy.example.com:3128"
- notExists:
path: spec.proxy.http
- contains:
path: spec.proxy.noProxy
content: "internal.example.com"
- contains:
path: spec.proxy.noProxy
content: "*.local"
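Review bot: Every case in this suite feeds well-formed input, so nothing pins how the chart treats a proxy block that is incomplete or carries secrets in the wrong place. Two cases worth adding are `credentialSecretRef` set with no `url` beside it, and a `url` that embeds credentials in the userinfo part instead of using `credentialSecretRef`, since that value would be copied into `spec.proxy` in clear text. Whether the template is meant to reject either is not visible from this hunk, so each case should state the intended outcome explicitly (`failedTemplate` with a pinned `errorMessage`, or the rendered value). The same applies to `secretResolution.proxy` in the Vault Config suite.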


@@ -0,0 +1,87 @@
suite: "AutoscalingRunnerSet runner pod metadata"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should render runner.pod.metadata labels and annotations merged with common/global metadata
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
all:
metadata:
labels:
team: "platform"
annotations:
global-annotation: "1"
runner:
pod:
metadata:
labels:
purpose: "ci"
annotations:
pod-annotation: "2"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: spec.template.metadata.labels["purpose"]
value: "ci"
- equal:
path: spec.template.metadata.labels["team"]
value: "platform"
- equal:
path: spec.template.metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: spec.template.metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: spec.template.metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: spec.template.metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: spec.template.metadata.annotations["global-annotation"]
value: "1"
- equal:
path: spec.template.metadata.annotations["pod-annotation"]
value: "2"
- it: should drop reserved actions.github.com/* keys from runner.pod.metadata
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
pod:
metadata:
labels:
actions.github.com/scale-set-name: "should-not-override"
ok: "yes"
annotations:
actions.github.com/some-annotation: "should-not-appear"
ok-annotation: "yes"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: spec.template.metadata.labels["ok"]
value: "yes"
- notExists:
path: spec.template.metadata.annotations["actions.github.com/some-annotation"]
- equal:
path: spec.template.metadata.annotations["ok-annotation"]
value: "yes"
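Review bot: The reserved-key case `should drop reserved actions.github.com/* keys from runner.pod.metadata` only tries to override `actions.github.com/scale-set-name`; it never supplies `helm.sh/chart` or `app.kubernetes.io/*` under `runner.pod.metadata.labels`. The Secret and kube-mode suites in this commit do cover those keys with the value `"bad"`, so the runner pod template is the one place where that precedence is left unpinned. Adding the same keys here, with `chart.appVersion` set as in the first case, and asserting the chart-generated values would close the gap.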


@@ -0,0 +1,45 @@
suite: autoscaling runner set runner pod spec initContainers validation
templates:
- templates/autoscalingrunnserset.yaml
tests:
- it: should fail when runner.pod.spec.initContainers is not a list
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
initContainers:
name: "not-a-list"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.runner.pod.spec.initContainers must be a list of container specifications"
- it: should fail when initContainers entry has no name
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
initContainers:
- image: "busybox:1.36"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.runner.pod.spec.initContainers[].name is required"
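Review bot: This suite references the template as `templates/autoscalingrunnserset.yaml` and leaves the suite name unquoted, while the earlier AutoscalingRunnerSet suites use `- autoscalingrunnserset.yaml` and a quoted, capitalised name; the passthrough and volumes suites that follow share the same deviation. Picking one form across the test directory keeps the suites greppable. The spelling `autoscalingrunnserset` is used consistently, so it presumably matches the template file name, but it reads like a typo of "runnerset" and is worth confirming. The volumes suite also has only the not-a-list case, with no counterpart to the missing-`name` case tested here.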


@@ -0,0 +1,45 @@
suite: AutoscalingRunnerSet runner pod spec passthrough fields
templates:
- templates/autoscalingrunnserset.yaml
tests:
- it: should apply additional runner.pod.spec fields to the runner pod spec
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
nodeSelector:
disktype: ssd
tolerations:
- key: "dedicated"
operator: "Equal"
value: "ci"
effect: "NoSchedule"
priorityClassName: "runner-high"
terminationGracePeriodSeconds: 42
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.nodeSelector.disktype
value: ssd
- equal:
path: spec.template.spec.tolerations[0].key
value: dedicated
- equal:
path: spec.template.spec.tolerations[0].value
value: ci
- equal:
path: spec.template.spec.priorityClassName
value: runner-high
- equal:
path: spec.template.spec.terminationGracePeriodSeconds
value: 42
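Review bot: The passthrough case only exercises fields the chart does not otherwise set (`nodeSelector`, `tolerations`, `priorityClassName`, `terminationGracePeriodSeconds`), so nothing pins which value wins when `runner.pod.spec` carries a field the chart manages itself. The obvious one is `serviceAccountName` in kubernetes mode, where the kube-mode suites show the chart deriving it from `runner.kubernetesMode.serviceAccountName`; `containers` is another. How the template resolves such a conflict is not visible in this hunk. A case that sets `runner.pod.spec.serviceAccountName` and asserts the rendered `spec.template.spec.serviceAccountName` would make the intended precedence explicit.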


@@ -0,0 +1,25 @@
suite: autoscaling runner set runner pod spec volumes validation
templates:
- templates/autoscalingrunnserset.yaml
tests:
- it: should fail when runner.pod.spec.volumes is not a list
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
runner:
mode: "kubernetes"
pod:
spec:
volumes:
name: "not-a-list"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.runner.pod.spec.volumes must be a list of volume specifications"


@@ -0,0 +1,110 @@
suite: "Test AutoscalingRunnerSet Vault Config"
templates:
- autoscalingrunnserset.yaml
tests:
- it: should not render vaultConfig when secretResolution.type is kubernetes
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
secretResolution:
type: kubernetes
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.vaultConfig
- it: should render azureKeyVault vaultConfig when configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
secretResolution:
type: azureKeyVault
azureKeyVault:
url: "https://myvault.vault.azure.net"
tenantId: "tenant-123"
clientId: "client-456"
certificatePath: "/etc/certs/akv.pem"
secretKey: "secret-key-name"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.vaultConfig.type
value: azureKeyVault
- equal:
path: spec.vaultConfig.azureKeyVault.url
value: "https://myvault.vault.azure.net"
- equal:
path: spec.vaultConfig.azureKeyVault.tenantId
value: "tenant-123"
- equal:
path: spec.vaultConfig.azureKeyVault.clientId
value: "client-456"
- equal:
path: spec.vaultConfig.azureKeyVault.certificatePath
value: "/etc/certs/akv.pem"
- equal:
path: spec.vaultConfig.azureKeyVault.secretKey
value: "secret-key-name"
- it: should render vaultConfig proxy when configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
secretResolution:
type: azureKeyVault
proxy:
http:
url: "http://proxy.example.com:3128"
credentialSecretRef: "proxy-credentials"
noProxy:
- "localhost"
azureKeyVault:
url: "https://myvault.vault.azure.net"
tenantId: "tenant-123"
clientId: "client-456"
certificatePath: "/etc/certs/akv.pem"
secretKey: "secret-key-name"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.vaultConfig.proxy.http.url
value: "http://proxy.example.com:3128"
- equal:
path: spec.vaultConfig.proxy.http.credentialSecretRef
value: "proxy-credentials"
- contains:
path: spec.vaultConfig.proxy.noProxy
content: "localhost"
- notExists:
path: spec.proxy
- it: should fail for unsupported secretResolution.type
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
secretResolution:
type: "hashicorpVault"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: "Unsupported keyVault type: hashicorpVault"
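Review bot: The only failure path tested is an unsupported `secretResolution.type`; there is no case for `type: azureKeyVault` with the `azureKeyVault` block absent or missing `url`, `tenantId`, `clientId` or `certificatePath`. If the template renders a partial `spec.vaultConfig` in that situation, the misconfiguration would only surface at runtime in the controller. Whether the template validates these fields is not visible here, so a case per required field using `failedTemplate` with a pinned `errorMessage` would document the intended contract.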


@@ -0,0 +1,49 @@
suite: "Test GitHub Secret Annotations"
templates:
- githubsecret.yaml
tests:
- it: should include global annotations
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
annotations:
a: "global"
shared: "global"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.annotations.a
value: "global"
- equal:
path: metadata.annotations.shared
value: "global"
- it: should drop actions.github.com annotations from global config
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
annotations:
ok: "ok"
actions.github.com/values-hash: "user-value"
actions.github.com/cleanup-something: "should-not-render"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.annotations.ok
value: "ok"
- notExists:
path: metadata.annotations["actions.github.com/values-hash"]
- notExists:
path: metadata.annotations["actions.github.com/cleanup-something"]


@@ -0,0 +1,70 @@
suite: "Test GitHub Secret Data"
templates:
- githubsecret.yaml
tests:
- it: should render PAT token when configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- exists:
path: data.github_token
- equal:
path: data.github_token
value: "Z2hfdG9rZW4xMjM0NQ=="
- notExists:
path: data.github_app_id
- notExists:
path: data.github_app_installation_id
- notExists:
path: data.github_app_private_key
- it: should render GitHub App keys when app is configured
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.app:
clientId: "123"
installationId: "456"
privateKey: "mykey"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: data.github_token
- equal:
path: data.github_app_id
value: "MTIz"
- equal:
path: data.github_app_installation_id
value: "NDU2"
- equal:
path: data.github_app_private_key
value: "bXlrZXk="
- it: should fail if app is configured without installationId
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.app:
clientId: "123"
privateKey: "mykey"
asserts:
- failedTemplate:
errorMessage: ".Values.auth.app.installationId is required when using GitHub App auth"
- it: should fail if app is configured without privateKey
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.app:
clientId: "123"
installationId: "456"
asserts:
- failedTemplate:
errorMessage: ".Values.auth.app.privateKey is required when using GitHub App auth"
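Review bot: The failure cases cover a missing `auth.app.installationId` and a missing `auth.app.privateKey` but not a missing `auth.app.clientId`, and nothing pins what is rendered when both `auth.githubToken` and `auth.app` are set or when neither is. Those are the inputs most likely to produce a Secret with the wrong or an empty credential, so each deserves an explicit case stating the expected result. For the missing-`clientId` case the shape would mirror the two existing ones: `- failedTemplate:` with `errorMessage: "<the chart's clientId message>"`.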


@@ -0,0 +1,129 @@
suite: "Test GitHub Secret Labels"
templates:
- githubsecret.yaml
tests:
- it: should render base labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "github-secret"
- equal:
path: metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: metadata.labels["app.kubernetes.io/part-of"]
value: "gha-rs"
- equal:
path: metadata.labels["app.kubernetes.io/version"]
value: "0.14.0"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- it: should include global labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
labels:
global-team: "platform"
owner: "devops"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["owner"]
value: "devops"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "github-secret"
- it: should drop actions.github.com custom labels from global config
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
labels:
owner: "devops"
actions.github.com/global-custom: "global-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["owner"]
value: "devops"
- notExists:
path: metadata.labels["actions.github.com/global-custom"]
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- it: should not allow global labels to override reserved labels
set:
scaleset.name: "test"
auth.url: "https://github.com/org"
auth.githubToken: "gh_token12345"
resource:
all:
metadata:
labels:
helm.sh/chart: "bad"
app.kubernetes.io/name: "bad"
app.kubernetes.io/instance: "bad"
app.kubernetes.io/component: "bad"
actions.github.com/scale-set-name: "bad"
actions.github.com/scale-set-namespace: "bad"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "github-secret"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
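Review bot: The case `should not allow global labels to override reserved labels` asserts `helm.sh/chart` equals `"gha-rs-0.14.0"` without setting a `chart:` override, whereas `should render base labels` in this suite and the equivalent reserved-label cases in the kube-mode suites all set `appVersion: "0.14.0"`. As written, the expected value depends on whatever the chart metadata carries at the time, so the test would start failing on the next version bump for a reason unrelated to label precedence. Adding `chart:` with `appVersion: "0.14.0"` next to `release:` in that case makes it self-contained.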


@@ -0,0 +1,182 @@
suite: "Test Kubernetes Mode RoleBinding"
templates:
- kube_mode_role_binding.yaml
tests:
- it: should render base rolebinding metadata in kubernetes mode
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "rbac.authorization.k8s.io/v1"
- equal:
path: kind
value: "RoleBinding"
- equal:
path: metadata.name
value: "test-name-kube-mode"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role-binding"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- equal:
path: roleRef.kind
value: "Role"
- equal:
path: roleRef.name
value: "test-name-kube-mode"
- equal:
path: subjects[0].kind
value: "ServiceAccount"
- equal:
path: subjects[0].name
value: "test-name-kube-mode"
- equal:
path: subjects[0].namespace
value: "test-namespace"
- it: should not render when runner mode is not kubernetes
set:
runner:
mode: "dind"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should not render when serviceAccountName is provided
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: "custom-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should include global and resource labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
global-team: "platform"
kubernetesModeRoleBinding:
metadata:
labels:
rb-team: "arc"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["rb-team"]
value: "arc"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role-binding"
- it: should drop actions.github.com custom labels from config
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
owner: "devops"
actions.github.com/global-custom: "global-value"
kubernetesModeRoleBinding:
metadata:
labels:
actions.github.com/rb-custom: "rb-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["owner"]
value: "devops"
- notExists:
path: metadata.labels["actions.github.com/global-custom"]
- notExists:
path: metadata.labels["actions.github.com/rb-custom"]
- it: should not allow overriding reserved labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
helm.sh/chart: "bad"
app.kubernetes.io/name: "bad"
app.kubernetes.io/instance: "bad"
app.kubernetes.io/component: "bad"
actions.github.com/scale-set-name: "bad"
actions.github.com/scale-set-namespace: "bad"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role-binding"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"


@@ -0,0 +1,117 @@
suite: "Test Kubernetes Mode Role"
templates:
- kube_mode_role.yaml
tests:
- it: should render base role metadata in kubernetes mode
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "rbac.authorization.k8s.io/v1"
- equal:
path: kind
value: "Role"
- equal:
path: metadata.name
value: "test-name-kube-mode"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-role"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- it: should append extra RBAC policy rules
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
kubernetesModeRole:
extraRules:
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: rules[5].apiGroups[0]
value: ""
- equal:
path: rules[5].resources[0]
value: "events"
- equal:
path: rules[5].verbs[0]
value: "create"
- equal:
path: rules[5].verbs[1]
value: "patch"
- it: should fail when extraRules is not a list
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
kubernetesModeRole:
extraRules: "not-a-list"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.resource.kubernetesModeRole.extraRules must be a list of RBAC policy rules"
- it: should not render when runner mode is not kubernetes
set:
runner:
mode: "dind"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should not render when serviceAccountName is provided
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: "custom-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
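Review bot: No case in this suite asserts the Role's built-in rules, and `should append extra RBAC policy rules` addresses the appended rule as `rules[5]`, which silently assumes exactly five built-in rules. A template change that adds, removes or widens a built-in rule would therefore either go unnoticed or break this test for an unrelated reason. For a Role bound to the runner service account, the granted permissions are the part most worth pinning. I would match the appended rule by content instead of by index, as below, and add a separate case that asserts the built-in rules (resources and verbs) explicitly.

```yaml
      # … unchanged: set block with resource.kubernetesModeRole.extraRules …
    asserts:
      - contains:
          path: rules
          content:
            apiGroups:
              - ""
            resources:
              - "events"
            verbs:
              - "create"
              - "patch"
```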


@@ -0,0 +1,167 @@
suite: "Test Kubernetes Mode ServiceAccount"
templates:
- kube_mode_serviceaccount.yaml
tests:
- it: should render base serviceaccount metadata in kubernetes mode
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "v1"
- equal:
path: kind
value: "ServiceAccount"
- equal:
path: metadata.name
value: "test-name-kube-mode"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-serviceaccount"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- it: should not render when runner mode is not kubernetes
set:
runner:
mode: "dind"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should not render when serviceAccountName is provided
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: "custom-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
- it: should include global and resource labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
global-team: "platform"
kubernetesModeServiceAccount:
metadata:
labels:
sa-team: "arc"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["global-team"]
value: "platform"
- equal:
path: metadata.labels["sa-team"]
value: "arc"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-serviceaccount"
- it: should drop actions.github.com custom labels from config
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
owner: "devops"
actions.github.com/global-custom: "global-value"
kubernetesModeServiceAccount:
metadata:
labels:
actions.github.com/sa-custom: "sa-value"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.labels["owner"]
value: "devops"
- notExists:
path: metadata.labels["actions.github.com/global-custom"]
- notExists:
path: metadata.labels["actions.github.com/sa-custom"]
- it: should not allow overriding reserved labels
set:
runner:
mode: "kubernetes"
kubernetesMode:
default: true
serviceAccountName: ""
resource:
all:
metadata:
labels:
helm.sh/chart: "bad"
app.kubernetes.io/name: "bad"
app.kubernetes.io/instance: "bad"
app.kubernetes.io/component: "bad"
actions.github.com/scale-set-name: "bad"
actions.github.com/scale-set-namespace: "bad"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "kube-mode-serviceaccount"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"


@@ -0,0 +1,48 @@
suite: "Test Manager RoleBinding Annotations"
templates:
- manager_role_binding.yaml
tests:
- it: should merge global and resource annotations (resource wins)
set:
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
all:
metadata:
annotations:
owner: "platform"
environment: "production"
managerRoleBinding:
metadata:
annotations:
environment: "staging"
team: "backend"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.annotations["owner"]
value: "platform"
- equal:
path: metadata.annotations["team"]
value: "backend"
- equal:
path: metadata.annotations["environment"]
value: "staging"
- it: should not allow actions.github.com/* annotations from user input
set:
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
managerRoleBinding:
metadata:
annotations:
actions.github.com/something: "overridden"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: metadata.annotations["actions.github.com/something"]
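Review bot: The reserved-prefix test at the end of this suite only feeds an `actions.github.com/*` annotation through `resource.managerRoleBinding`, so the `resource.all` path is never shown to be filtered for this template. The "should drop actions.github.com custom labels from config" test in the preceding suite sets such a key at both levels, and the same gap exists in the RoleBinding label suite that follows. Since this prefix is reserved for the chart's own metadata, I would add a global-level key and a second `notExists` as below; the key name is a constructed example.

```yaml
  - it: should not allow actions.github.com/* annotations from user input
    set:
      # … unchanged: controllerServiceAccount values …
      resource:
        all:
          metadata:
            annotations:
              actions.github.com/global-something: "overridden"
        # … unchanged: managerRoleBinding annotations …
    # … unchanged: release …
    asserts:
      # … unchanged: notExists for actions.github.com/something …
      - notExists:
          path: metadata.annotations["actions.github.com/global-something"]
```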


@@ -0,0 +1,91 @@
suite: "Test Manager RoleBinding Labels"
templates:
- manager_role_binding.yaml
tests:
- it: should render base labels
set:
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["helm.sh/chart"]
value: "gha-rs-0.14.0"
- equal:
path: metadata.labels["app.kubernetes.io/name"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/instance"]
value: "test-name"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "manager-role-binding"
- equal:
path: metadata.labels["app.kubernetes.io/managed-by"]
value: "Helm"
- equal:
path: metadata.labels["app.kubernetes.io/part-of"]
value: "gha-rs"
- equal:
path: metadata.labels["app.kubernetes.io/version"]
value: "0.14.0"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- it: should merge global and resource labels (resource wins)
set:
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
all:
metadata:
labels:
owner: "platform"
environment: "production"
managerRoleBinding:
metadata:
labels:
environment: "staging"
team: "backend"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["owner"]
value: "platform"
- equal:
path: metadata.labels["team"]
value: "backend"
- equal:
path: metadata.labels["environment"]
value: "staging"
- it: should not allow actions.github.com/* labels from user input
set:
controllerServiceAccount.name: "arc"
controllerServiceAccount.namespace: "arc-system"
resource:
managerRoleBinding:
metadata:
labels:
actions.github.com/scale-set-name: "overridden"
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
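Review bot: The last test is named for `actions.github.com/*` labels but only overrides `actions.github.com/scale-set-name`, so an arbitrary key under that prefix and the `helm.sh/chart` and `app.kubernetes.io/*` labels are not shown to be protected on the RoleBinding. The preceding suite's "should not allow overriding reserved labels" test sets all six reserved keys to `"bad"` and asserts each rendered value; mirroring it here would keep both templates at the same coverage. At minimum, add `actions.github.com/custom: "x"` under the labels and assert `- notExists:` with `path: metadata.labels["actions.github.com/custom"]` (constructed key name).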


@@ -0,0 +1,76 @@
suite: "Test Manager Role Extra Rules"
templates:
- manager_role.yaml
tests:
- it: should render base role metadata
release:
name: "test-name"
namespace: "test-namespace"
chart:
appVersion: "0.14.0"
asserts:
- equal:
path: apiVersion
value: "rbac.authorization.k8s.io/v1"
- equal:
path: kind
value: "Role"
- equal:
path: metadata.name
value: "test-name-manager-role"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["app.kubernetes.io/component"]
value: "manager-role"
- equal:
path: metadata.labels["actions.github.com/scale-set-name"]
value: "test-name"
- equal:
path: metadata.labels["actions.github.com/scale-set-namespace"]
value: "test-namespace"
- equal:
path: metadata.finalizers[0]
value: "actions.github.com/cleanup-protection"
- it: should append extra RBAC policy rules
set:
resource:
managerRole:
extraRules:
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: rules[6].apiGroups[0]
value: ""
- equal:
path: rules[6].resources[0]
value: "events"
- equal:
path: rules[6].verbs[0]
value: "create"
- equal:
path: rules[6].verbs[1]
value: "patch"
- it: should fail when extraRules is not a list
set:
resource:
managerRole:
extraRules: "not-a-list"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules"
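Review bot: The "should append extra RBAC policy rules" test pins the appended rule at `rules[6]`, which couples it to the base role having exactly six rules and never checks that the built-in rules are still rendered. Because `extraRules` widens what the manager role may do, the test should state the expected total explicitly, e.g. `- lengthEqual:` with `path: rules` and `count: 7` (7 is inferred from the index used here; confirm against manager_role.yaml). Matching the appended rule with a `contains` assertion on `rules` rather than by position would keep the test valid when a base rule is added or removed. A one-line comment above the test saying where the six base rules come from would also help.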