From d253b5b13a1ea1f2e8e1a4fde6e57b7382257a0d Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Mon, 19 Jan 2026 18:34:20 +0100 Subject: [PATCH] wip --- .../templates/_helpers.tpl | 120 ++++++++++++++++++ .../templates/autoscalingrunnserset.yaml | 8 ++ .../templates/kube_mode_role.yaml | 39 ++++++ .../templates/kube_mode_role_binding.yaml | 23 ++++ .../templates/kube_mode_serviceaccount.yaml | 15 +++ charts/gha-runner-scale-set-dev/values.yaml | 21 ++- 6 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml create mode 100644 charts/gha-runner-scale-set-dev/templates/kube_mode_role_binding.yaml create mode 100644 charts/gha-runner-scale-set-dev/templates/kube_mode_serviceaccount.yaml diff --git a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl index aa3510d3..ef086237 100644 --- a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl +++ b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl 
@@ -168,6 +168,126 @@ Reserved annotations are excluded from both levels. {{- end }} +{{/* +The name of the kubernetes-mode Role. + +Kept intentionally aligned with the legacy chart behavior. +*/}} +{{- define "kube-mode-role.name" -}} +{{- printf "%s-kube-mode" (include "autoscaling-runner-set.name" .) -}} +{{- end }} + + +{{/* +The name of the kubernetes-mode RoleBinding. + +Kept intentionally aligned with the kubernetes-mode Role name. +*/}} +{{- define "kube-mode-role-binding.name" -}} +{{- include "kube-mode-role.name" . -}} +{{- end }} + + +{{/* +The name of the kubernetes-mode ServiceAccount. + +Kept intentionally aligned with the legacy chart behavior. +*/}} +{{- define "kube-mode-serviceaccount.name" -}} +{{- include "kube-mode-role.name" . -}} +{{- end }} + + +{{/* +Create the labels for the kubernetes-mode RoleBinding. +*/}} +{{- define "kube-mode-role-binding.labels" -}} +{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role-binding" -}} +{{- $commonLabels := include "gha-common-labels" . | fromYaml -}} +{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.labels | default (dict)) | fromYaml -}} +{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}} +{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }} +{{- end }} + + +{{/* +Create the annotations for the kubernetes-mode RoleBinding. + +Order of precedence: +1) resource.all.metadata.annotations +2) resource.kubernetesModeRoleBinding.metadata.annotations +Reserved annotations are excluded from both levels. 
+*/}} +{{- define "kube-mode-role-binding.annotations" -}} +{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}} +{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.annotations | default (dict))) | fromYaml -}} +{{- $annotations := mergeOverwrite $global $resource -}} +{{- if not (empty $annotations) -}} + {{- toYaml $annotations }} +{{- end }} +{{- end }} + + +{{/* +Create the labels for the kubernetes-mode Role. +*/}} +{{- define "kube-mode-role.labels" -}} +{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role" -}} +{{- $commonLabels := include "gha-common-labels" . | fromYaml -}} +{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.labels | default (dict)) | fromYaml -}} +{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}} +{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }} +{{- end }} + + +{{/* +Create the annotations for the kubernetes-mode Role. + +Order of precedence: +1) resource.all.metadata.annotations +2) resource.kubernetesModeRole.metadata.annotations +Reserved annotations are excluded from both levels. +*/}} +{{- define "kube-mode-role.annotations" -}} +{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}} +{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.annotations | default (dict))) | fromYaml -}} +{{- $annotations := mergeOverwrite $global $resource -}} +{{- if not (empty $annotations) -}} + {{- toYaml $annotations }} +{{- end }} +{{- end }} + + +{{/* +Create the labels for the kubernetes-mode ServiceAccount. 
+*/}} +{{- define "kube-mode-serviceaccount.labels" -}} +{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-serviceaccount" -}} +{{- $commonLabels := include "gha-common-labels" . | fromYaml -}} +{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.labels | default (dict)) | fromYaml -}} +{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}} +{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }} +{{- end }} + + +{{/* +Create the annotations for the kubernetes-mode ServiceAccount. + +Order of precedence: +1) resource.all.metadata.annotations +2) resource.kubernetesModeServiceAccount.metadata.annotations +Reserved annotations are excluded from both levels. +*/}} +{{- define "kube-mode-serviceaccount.annotations" -}} +{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}} +{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.annotations | default (dict))) | fromYaml -}} +{{- $annotations := mergeOverwrite $global $resource -}} +{{- if not (empty $annotations) -}} + {{- toYaml $annotations }} +{{- end }} +{{- end }} + + {{/* Create the labels for the autoscaling runner set. */}} diff --git a/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml b/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml index 0e382081..de03fce3 100644 --- a/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml +++ b/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml 
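Review bot: The three `*.labels` helpers merge with `mergeOverwrite $global $userLabels $resourceLabels $commonLabels`, so a user-supplied `app.kubernetes.io/component` or any common label is silently overridden by the chart's values, yet unlike the `*.annotations` helpers they carry no precedence comment. Add the same block to each, e.g. `Order of precedence (lowest to highest): 1) resource.all.metadata.labels 2) resource.kubernetesModeRole.metadata.labels 3) chart component and common labels`, adjusting the values key for the RoleBinding and ServiceAccount variants. The name/labels/annotations triplets for Role, RoleBinding and ServiceAccount are otherwise identical except for the values key and the component string; one helper taking a dict (`dict "root" . "key" "kubernetesModeRole" "component" "kube-mode-role"`) would remove the copy-paste and keep future changes in a single place.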
@@ -9,6 +9,7 @@ metadata: {{- include "autoscaling-runner-set.annotations" . | nindent 4 }} actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }} {{- $runnerMode := (.Values.runner.mode | default "") }} + {{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) }} {{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") }} {{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) }} actions.github.com/cleanup-github-secret-name: {{ include "github-secret.name" . | quote }} @@ -18,6 +19,11 @@ metadata: {{- if ne $runnerMode "kubernetes" }} actions.github.com/cleanup-no-permission-service-account-name: {{ include "no-permission-serviceaccount.name" . | quote }} {{- end }} + {{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }} + actions.github.com/cleanup-kubernetes-mode-role-binding-name: {{ include "kube-mode-role-binding.name" . | quote }} + actions.github.com/cleanup-kubernetes-mode-role-name: {{ include "kube-mode-role.name" . | quote }} + actions.github.com/cleanup-kubernetes-mode-service-account-name: {{ include "kube-mode-serviceaccount.name" . | quote }} + {{- end }} spec: githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }} @@ -111,6 +117,8 @@ spec: serviceAccountName: {{ include "no-permission-serviceaccount.name" . | quote }} {{- else if not (empty .Values.runner.kubernetesMode.serviceAccountName) }} serviceAccountName: {{ .Values.runner.kubernetesMode.serviceAccountName | quote }} + {{- else if (.Values.runner.kubernetesMode.default | default true) }} + serviceAccountName: {{ include "kube-mode-serviceaccount.name" . | quote }} {{- end }} containers: - name: runner 
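Review bot: `.Values.runner.kubernetesMode.default | default true` in the first hunk (`$kubeDefaults`) can never evaluate to false: sprig's `default` treats boolean `false` as empty, so `runner.kubernetesMode.default: false` still yields `true`, and the Role with `pods/exec` and `secrets` access, the RoleBinding and the ServiceAccount are created and bound to the runner pod regardless of the operator's opt-out. The same expression is repeated in the third hunk at the `serviceAccountName` fallback and at the top of kube_mode_role.yaml, kube_mode_role_binding.yaml and kube_mode_serviceaccount.yaml, so the opt-out is silently broken everywhere it is consulted. Read the key explicitly instead: `{{- $kubeDefaults := ternary .Values.runner.kubernetesMode.default true (hasKey .Values.runner.kubernetesMode "default") }}`, and have the third hunk reuse `$kubeDefaults` rather than re-evaluating the expression; since it is declared at template top level it remains in scope there.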
diff --git a/charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml b/charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml new file mode 100644 index 00000000..2ea6cdc6 --- /dev/null +++ b/charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml @@ -0,0 +1,39 @@ +{{- $runnerMode := (.Values.runner.mode | default "") -}} +{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}} +{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kube-mode-role.name" . | quote }} + namespace: {{ include "autoscaling-runner-set.namespace" . | quote }} + labels: + {{- include "kube-mode-role.labels" . | nindent 4 }} + annotations: + {{- include "kube-mode-role.annotations" . | nindent 4 }} + finalizers: + - actions.github.com/cleanup-protection +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "create", "delete"] + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["get", "create"] + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get", "list", "watch"] + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "list", "create", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "create", "delete"] + {{- with .Values.runner.kubernetesMode.extraRules }} + {{- if not (empty .) }} + {{- if not (kindIs "slice" .) -}} + {{- fail ".Values.runner.kubernetesMode.extraRules must be a list of RBAC policy rules" -}} + {{- end }} +{{ toYaml . | nindent 2 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gha-runner-scale-set-dev/templates/kube_mode_role_binding.yaml b/charts/gha-runner-scale-set-dev/templates/kube_mode_role_binding.yaml new file mode 100644 index 00000000..f1f1766b --- /dev/null +++ b/charts/gha-runner-scale-set-dev/templates/kube_mode_role_binding.yaml 
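Review bot: The rules grant `get`/`list`/`create`/`delete` on every `secrets` object and `create` on `pods/exec` for every pod in the runner namespace, so a workflow step running under this ServiceAccount can read all Secrets there (including the chart's own GitHub auth secret when it lives in the same namespace) and exec into any pod, but nothing in the file records that this breadth is intended. Add a comment above `rules:` such as `# Namespace-wide by design: workflow jobs under this ServiceAccount can exec into any pod and read/create any Secret in this namespace; run kubernetes-mode runners in a dedicated namespace.` Whether the hook actually needs `list` on secrets rather than `get` on the ones it creates is not visible from this hunk; if it does not, that is the first verb worth dropping. The `extraRules` validation only checks for a slice, so a non-mapping entry renders fine and fails at the API server; `{{- range . }}{{- if not (kindIs "map" .) }}{{- fail "each runner.kubernetesMode.extraRules entry must be an RBAC policy rule" }}{{- end }}{{- end }}` would surface the mistake at render time.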
@@ -0,0 +1,23 @@ +{{- $runnerMode := (.Values.runner.mode | default "") -}} +{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}} +{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kube-mode-role-binding.name" . | quote }} + namespace: {{ include "autoscaling-runner-set.namespace" . | quote }} + labels: + {{- include "kube-mode-role-binding.labels" . | nindent 4 }} + annotations: + {{- include "kube-mode-role-binding.annotations" . | nindent 4 }} + finalizers: + - actions.github.com/cleanup-protection +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kube-mode-role.name" . | quote }} +subjects: + - kind: ServiceAccount + name: {{ include "kube-mode-serviceaccount.name" . | quote }} + namespace: {{ include "autoscaling-runner-set.namespace" . | quote }} +{{- end }} diff --git a/charts/gha-runner-scale-set-dev/templates/kube_mode_serviceaccount.yaml b/charts/gha-runner-scale-set-dev/templates/kube_mode_serviceaccount.yaml new file mode 100644 index 00000000..aa6a0fd7 --- /dev/null +++ b/charts/gha-runner-scale-set-dev/templates/kube_mode_serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- $runnerMode := (.Values.runner.mode | default "") -}} +{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}} +{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kube-mode-serviceaccount.name" . | quote }} + namespace: {{ include "autoscaling-runner-set.namespace" . | quote }} + labels: + {{- include "kube-mode-serviceaccount.labels" . | nindent 4 }} + annotations: + {{- include "kube-mode-serviceaccount.annotations" . | nindent 4 }} + finalizers: + - actions.github.com/cleanup-protection +{{- end }} 
diff --git a/charts/gha-runner-scale-set-dev/values.yaml b/charts/gha-runner-scale-set-dev/values.yaml index 4fd081f9..41c59a56 100644 --- a/charts/gha-runner-scale-set-dev/values.yaml +++ b/charts/gha-runner-scale-set-dev/values.yaml @@ -123,6 +123,25 @@ resource: labels: {} annotations: {} + # Specifies metadata that will be applied to the kubernetes-mode RoleBinding + # (created when runner.mode is "kubernetes" and a ServiceAccountName is not provided). + kubernetesModeRoleBinding: + metadata: + labels: {} + annotations: {} + + # Specifies metadata that will be applied to the kubernetes-mode Role. + kubernetesModeRole: + metadata: + labels: {} + annotations: {} + + # Specifies metadata that will be applied to the kubernetes-mode ServiceAccount. + kubernetesModeServiceAccount: + metadata: + labels: {} + annotations: {} + # TODO: Add more resource customizations when needed # Template applied for the runner container @@ -146,7 +165,7 @@ runner: kubernetesMode: default: true serviceAccountName: "" - extraPermissions: [] + extraRules: [] extension: {} ## A self-signed CA certificate for communication with the GitHub server can be ## provided using a config map key selector. If `runnerMountPath` is set, for
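Review bot: The comment on `kubernetesModeRoleBinding` in the first hunk lists only two of the three creation conditions; the templates also require `runner.kubernetesMode.default` to be true, and the condition is not mentioned on `kubernetesModeRole` and `kubernetesModeServiceAccount` at all. Use one wording on all three, e.g. `# (created when runner.mode is "kubernetes", runner.kubernetesMode.default is true and serviceAccountName is empty)`. In the second hunk the rename of `extraPermissions` to `extraRules` is silent for existing values files — Helm ignores unknown keys unless a values schema rejects them — and the new key has no comment; add `# Extra RBAC PolicyRule entries appended to the default kubernetes-mode Role; ignored when serviceAccountName is set.` plus a line noting the rename. `default: true` also deserves a comment saying it controls creation of the default Role, RoleBinding and ServiceAccount, since that is the only opt-out for operators who want to supply their own narrower RBAC.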