actions/actions-runner-controller
1
0
Fork 0
mirror of https://github.com/actions/actions-runner-controller.git synced 2026-01-20 11:21:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

wip

Browse Source
This commit is contained in:
Nikola Jokic
2026-01-19 18:34:20 +01:00
parent 5b7873ee9a
commit d253b5b13a
6 changed files with 225 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
charts/gha-runner-scale-set-dev/templates/_helpers.tpl
View File

@@ -168,6 +168,126 @@ Reserved annotations are excluded from both levels.
{{- end }}
{{/*
The name of the kubernetes-mode Role.
Kept intentionally aligned with the legacy chart behavior.
*/}}
{{- define "kube-mode-role.name" -}}
{{- printf "%s-kube-mode" (include "autoscaling-runner-set.name" .) -}}
{{- end }}
{{/*
The name of the kubernetes-mode RoleBinding.
Kept intentionally aligned with the kubernetes-mode Role name.
*/}}
{{- define "kube-mode-role-binding.name" -}}
{{- include "kube-mode-role.name" . -}}
{{- end }}
{{/*
The name of the kubernetes-mode ServiceAccount.
Kept intentionally aligned with the legacy chart behavior.
*/}}
{{- define "kube-mode-serviceaccount.name" -}}
{{- include "kube-mode-role.name" . -}}
{{- end }}
{{/*
Create the labels for the kubernetes-mode RoleBinding.
*/}}
{{- define "kube-mode-role-binding.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role-binding" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the kubernetes-mode RoleBinding.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.kubernetesModeRoleBinding.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "kube-mode-role-binding.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Create the labels for the kubernetes-mode Role.
*/}}
{{- define "kube-mode-role.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the kubernetes-mode Role.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.kubernetesModeRole.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "kube-mode-role.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Create the labels for the kubernetes-mode ServiceAccount.
*/}}
{{- define "kube-mode-serviceaccount.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-serviceaccount" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the kubernetes-mode ServiceAccount.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.kubernetesModeServiceAccount.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "kube-mode-serviceaccount.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Create the labels for the autoscaling runner set.
*/}}

8
charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml
View File

@@ -9,6 +9,7 @@ metadata:
{{- include "autoscaling-runner-set.annotations" . | nindent 4 }}
actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
{{- $runnerMode := (.Values.runner.mode | default "") }}
{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) }}
{{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") }}
{{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) }}
actions.github.com/cleanup-github-secret-name: {{ include "github-secret.name" . | quote }}
@@ -18,6 +19,11 @@ metadata:
{{- if ne $runnerMode "kubernetes" }}
actions.github.com/cleanup-no-permission-service-account-name: {{ include "no-permission-serviceaccount.name" . | quote }}
{{- end }}
{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
actions.github.com/cleanup-kubernetes-mode-role-binding-name: {{ include "kube-mode-role-binding.name" . | quote }}
actions.github.com/cleanup-kubernetes-mode-role-name: {{ include "kube-mode-role.name" . | quote }}
actions.github.com/cleanup-kubernetes-mode-service-account-name: {{ include "kube-mode-serviceaccount.name" . | quote }}
{{- end }}
spec:
githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }}
@@ -111,6 +117,8 @@ spec:
serviceAccountName: {{ include "no-permission-serviceaccount.name" . | quote }}
{{- else if not (empty .Values.runner.kubernetesMode.serviceAccountName) }}
serviceAccountName: {{ .Values.runner.kubernetesMode.serviceAccountName | quote }}
{{- else if (.Values.runner.kubernetesMode.default | default true) }}
serviceAccountName: {{ include "kube-mode-serviceaccount.name" . | quote }}
{{- end }}
containers:
- name: runner

39
charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- $runnerMode := (.Values.runner.mode | default "") -}}
{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}}
{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kube-mode-role.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "kube-mode-role.labels" . | nindent 4 }}
annotations:
{{- include "kube-mode-role.annotations" . | nindent 4 }}
finalizers:
- actions.github.com/cleanup-protection
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["get", "create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "create", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "create", "delete"]
{{- with .Values.runner.kubernetesMode.extraRules }}
{{- if not (empty .) }}
{{- if not (kindIs "slice" .) -}}
{{- fail ".Values.runner.kubernetesMode.extraRules must be a list of RBAC policy rules" -}}
{{- end }}
{{ toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

23
charts/gha-runner-scale-set-dev/templates/kube_mode_role_binding.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- $runnerMode := (.Values.runner.mode | default "") -}}
{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}}
{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kube-mode-role-binding.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "kube-mode-role-binding.labels" . | nindent 4 }}
annotations:
{{- include "kube-mode-role-binding.annotations" . | nindent 4 }}
finalizers:
- actions.github.com/cleanup-protection
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "kube-mode-role.name" . | quote }}
subjects:
- kind: ServiceAccount
name: {{ include "kube-mode-serviceaccount.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
{{- end }}

15
charts/gha-runner-scale-set-dev/templates/kube_mode_serviceaccount.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- $runnerMode := (.Values.runner.mode | default "") -}}
{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}}
{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kube-mode-serviceaccount.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "kube-mode-serviceaccount.labels" . | nindent 4 }}
annotations:
{{- include "kube-mode-serviceaccount.annotations" . | nindent 4 }}
finalizers:
- actions.github.com/cleanup-protection
{{- end }}

21
charts/gha-runner-scale-set-dev/values.yaml
View File

@@ -123,6 +123,25 @@ resource:
labels: {}
annotations: {}
# Specifies metadata that will be applied to the kubernetes-mode RoleBinding
# (created when runner.mode is "kubernetes" and a ServiceAccountName is not provided).
kubernetesModeRoleBinding:
metadata:
labels: {}
annotations: {}
# Specifies metadata that will be applied to the kubernetes-mode Role.
kubernetesModeRole:
metadata:
labels: {}
annotations: {}
# Specifies metadata that will be applied to the kubernetes-mode ServiceAccount.
kubernetesModeServiceAccount:
metadata:
labels: {}
annotations: {}
# TODO: Add more resource customizations when needed
# Template applied for the runner container
@@ -146,7 +165,7 @@ runner:
kubernetesMode:
default: true
serviceAccountName: ""
extraPermissions: []
extraRules: []
extension: {}
## A self-signed CA certificate for communication with the GitHub server can be
## provided using a config map key selector. If `runnerMountPath` is set, for