Add support for self-signed CA certificates (#2268)

Co-authored-by: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Co-authored-by: Nikola Jokic <jokicnikola07@gmail.com>
Co-authored-by: Tingluo Huang <tingluohuang@github.com>

cmd/githubrunnerscalesetlistener/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -44,6 +45,7 @@ type RunnerScaleSetListenerConfig struct {
 	MaxRunners                  int    `split_words:"true"`
 	MinRunners                  int    `split_words:"true"`
 	RunnerScaleSetId            int    `split_words:"true"`
+	ServerRootCA                string `split_words:"true"`
 }
 
 func main() {
@@ -90,8 +92,8 @@ func run(rc RunnerScaleSetListenerConfig, logger logr.Logger) error {
 	actionsServiceClient, err := newActionsClientFromConfig(
 		rc,
 		creds,
-		actions.WithUserAgent(fmt.Sprintf("actions-runner-controller/%s", build.Version)),
 		actions.WithLogger(logger),
+		actions.WithUserAgent(fmt.Sprintf("actions-runner-controller/%s", build.Version)),
 	)
 	if err != nil {
 		return fmt.Errorf("failed to create an Actions Service client: %w", err)
@@ -160,6 +162,20 @@ func validateConfig(config *RunnerScaleSetListenerConfig) error {
 }
 
 func newActionsClientFromConfig(config RunnerScaleSetListenerConfig, creds *actions.ActionsAuth, options ...actions.ClientOption) (*actions.Client, error) {
+	if config.ServerRootCA != "" {
+		systemPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("failed to load system cert pool: %w", err)
+		}
+		pool := systemPool.Clone()
+		ok := pool.AppendCertsFromPEM([]byte(config.ServerRootCA))
+		if !ok {
+			return nil, fmt.Errorf("failed to parse root certificate")
+		}
+
+		options = append(options, actions.WithRootCAs(pool))
+	}
+
 	proxyFunc := httpproxy.FromEnvironment().ProxyFunc()
 	options = append(options, actions.WithProxy(func(req *http.Request) (*url.URL, error) {
 		return proxyFunc(req.URL)

cmd/githubrunnerscalesetlistener/main_test.go

@@ -1,16 +1,20 @@
 package main
 
 import (
+	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/actions/actions-runner-controller/github/actions"
+	"github.com/actions/actions-runner-controller/github/actions/testserver"
 )
 
 func TestConfigValidationMinMax(t *testing.T) {
@@ -97,6 +101,54 @@ func TestConfigValidationConfigUrl(t *testing.T) {
 	assert.ErrorContains(t, err, "GitHubConfigUrl is not provided", "Expected error about missing ConfigureUrl")
 }
 
+func TestCustomerServerRootCA(t *testing.T) {
+	ctx := context.Background()
+	certsFolder := filepath.Join(
+		"../../",
+		"github",
+		"actions",
+		"testdata",
+	)
+	certPath := filepath.Join(certsFolder, "server.crt")
+	keyPath := filepath.Join(certsFolder, "server.key")
+
+	serverCalledSuccessfully := false
+
+	server := testserver.NewUnstarted(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		serverCalledSuccessfully = true
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`{"count": 0}`))
+	}))
+	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	require.NoError(t, err)
+
+	server.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
+	server.StartTLS()
+
+	var certsString string
+	rootCA, err := os.ReadFile(filepath.Join(certsFolder, "rootCA.crt"))
+	require.NoError(t, err)
+	certsString = string(rootCA)
+
+	intermediate, err := os.ReadFile(filepath.Join(certsFolder, "intermediate.pem"))
+	require.NoError(t, err)
+	certsString = certsString + string(intermediate)
+
+	config := RunnerScaleSetListenerConfig{
+		ConfigureUrl: server.ConfigURLForOrg("myorg"),
+		ServerRootCA: certsString,
+	}
+	creds := &actions.ActionsAuth{
+		Token: "token",
+	}
+
+	client, err := newActionsClientFromConfig(config, creds)
+	require.NoError(t, err)
+	_, err = client.GetRunnerScaleSet(ctx, "test")
+	require.NoError(t, err)
+	assert.True(t, serverCalledSuccessfully)
+}
+
 func TestProxySettings(t *testing.T) {
 	t.Run("http", func(t *testing.T) {
 		wentThroughProxy := false