wip

charts/gha-runner-scale-set-dev/templates/_helpers.tpl

@@ -168,6 +168,126 @@ Reserved annotations are excluded from both levels.
 {{- end }}
 
 
+{{/*
+The name of the kubernetes-mode Role.
+
+Kept intentionally aligned with the legacy chart behavior.
+*/}}
+{{- define "kube-mode-role.name" -}}
+{{- printf "%s-kube-mode" (include "autoscaling-runner-set.name" .) -}}
+{{- end }}
+
+
+{{/*
+The name of the kubernetes-mode RoleBinding.
+
+Kept intentionally aligned with the kubernetes-mode Role name.
+*/}}
+{{- define "kube-mode-role-binding.name" -}}
+{{- include "kube-mode-role.name" . -}}
+{{- end }}
+
+
+{{/*
+The name of the kubernetes-mode ServiceAccount.
+
+Kept intentionally aligned with the legacy chart behavior.
+*/}}
+{{- define "kube-mode-serviceaccount.name" -}}
+{{- include "kube-mode-role.name" . -}}
+{{- end }}
+
+
+{{/*
+Create the labels for the kubernetes-mode RoleBinding.
+*/}}
+{{- define "kube-mode-role-binding.labels" -}}
+{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role-binding" -}}
+{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
+{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.labels | default (dict)) | fromYaml -}}
+{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
+{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
+{{- end }}
+
+
+{{/*
+Create the annotations for the kubernetes-mode RoleBinding.
+
+Order of precedence:
+1) resource.all.metadata.annotations
+2) resource.kubernetesModeRoleBinding.metadata.annotations
+Reserved annotations are excluded from both levels.
+*/}}
+{{- define "kube-mode-role-binding.annotations" -}}
+{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $annotations := mergeOverwrite $global $resource -}}
+{{- if not (empty $annotations) -}}
+  {{- toYaml $annotations }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create the labels for the kubernetes-mode Role.
+*/}}
+{{- define "kube-mode-role.labels" -}}
+{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role" -}}
+{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
+{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.labels | default (dict)) | fromYaml -}}
+{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
+{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
+{{- end }}
+
+
+{{/*
+Create the annotations for the kubernetes-mode Role.
+
+Order of precedence:
+1) resource.all.metadata.annotations
+2) resource.kubernetesModeRole.metadata.annotations
+Reserved annotations are excluded from both levels.
+*/}}
+{{- define "kube-mode-role.annotations" -}}
+{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $annotations := mergeOverwrite $global $resource -}}
+{{- if not (empty $annotations) -}}
+  {{- toYaml $annotations }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create the labels for the kubernetes-mode ServiceAccount.
+*/}}
+{{- define "kube-mode-serviceaccount.labels" -}}
+{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-serviceaccount" -}}
+{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
+{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.labels | default (dict)) | fromYaml -}}
+{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
+{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
+{{- end }}
+
+
+{{/*
+Create the annotations for the kubernetes-mode ServiceAccount.
+
+Order of precedence:
+1) resource.all.metadata.annotations
+2) resource.kubernetesModeServiceAccount.metadata.annotations
+Reserved annotations are excluded from both levels.
+*/}}
+{{- define "kube-mode-serviceaccount.annotations" -}}
+{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $annotations := mergeOverwrite $global $resource -}}
+{{- if not (empty $annotations) -}}
+  {{- toYaml $annotations }}
+{{- end }}
+{{- end }}
+
+
 {{/*
 Create the labels for the autoscaling runner set.
 */}}

charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml

@@ -9,6 +9,7 @@ metadata:
     {{- include "autoscaling-runner-set.annotations" . | nindent 4 }}
     actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
     {{- $runnerMode := (.Values.runner.mode | default "") }}
+    {{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) }}
     {{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") }}
     {{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) }}
     actions.github.com/cleanup-github-secret-name: {{ include "github-secret.name" . | quote }}
@@ -18,6 +19,11 @@ metadata:
     {{- if ne $runnerMode "kubernetes" }}
     actions.github.com/cleanup-no-permission-service-account-name: {{ include "no-permission-serviceaccount.name" . | quote }}
     {{- end }}
+    {{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
+    actions.github.com/cleanup-kubernetes-mode-role-binding-name: {{ include "kube-mode-role-binding.name" . | quote }}
+    actions.github.com/cleanup-kubernetes-mode-role-name: {{ include "kube-mode-role.name" . | quote }}
+    actions.github.com/cleanup-kubernetes-mode-service-account-name: {{ include "kube-mode-serviceaccount.name" . | quote }}
+    {{- end }}
 
 spec:
   githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }}
@@ -111,6 +117,8 @@ spec:
       serviceAccountName: {{ include "no-permission-serviceaccount.name" . | quote }}
       {{- else if not (empty .Values.runner.kubernetesMode.serviceAccountName) }}
       serviceAccountName: {{ .Values.runner.kubernetesMode.serviceAccountName | quote }}
+      {{- else if (.Values.runner.kubernetesMode.default | default true) }}
+      serviceAccountName: {{ include "kube-mode-serviceaccount.name" . | quote }}
       {{- end }}
       containers:
         - name: runner

charts/gha-runner-scale-set-dev/templates/kube_mode_role.yaml

@@ -0,0 +1,39 @@
+{{- $runnerMode := (.Values.runner.mode | default "") -}}
+{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}}
+{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kube-mode-role.name" . | quote }}
+  namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+  labels:
+    {{- include "kube-mode-role.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kube-mode-role.annotations" . | nindent 4 }}
+  finalizers:
+    - actions.github.com/cleanup-protection
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get", "create"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "delete"]
+  {{- with .Values.runner.kubernetesMode.extraRules }}
+    {{- if not (empty .) }}
+      {{- if not (kindIs "slice" .) -}}
+        {{- fail ".Values.runner.kubernetesMode.extraRules must be a list of RBAC policy rules" -}}
+      {{- end }}
+{{ toYaml . | nindent 2 }}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/gha-runner-scale-set-dev/templates/kube_mode_role_binding.yaml

@@ -0,0 +1,23 @@
+{{- $runnerMode := (.Values.runner.mode | default "") -}}
+{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}}
+{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kube-mode-role-binding.name" . | quote }}
+  namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+  labels:
+    {{- include "kube-mode-role-binding.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kube-mode-role-binding.annotations" . | nindent 4 }}
+  finalizers:
+    - actions.github.com/cleanup-protection
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kube-mode-role.name" . | quote }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kube-mode-serviceaccount.name" . | quote }}
+    namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+{{- end }}

charts/gha-runner-scale-set-dev/templates/kube_mode_serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- $runnerMode := (.Values.runner.mode | default "") -}}
+{{- $kubeDefaults := (.Values.runner.kubernetesMode.default | default true) -}}
+{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty .Values.runner.kubernetesMode.serviceAccountName) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kube-mode-serviceaccount.name" . | quote }}
+  namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+  labels:
+    {{- include "kube-mode-serviceaccount.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kube-mode-serviceaccount.annotations" . | nindent 4 }}
+  finalizers:
+    - actions.github.com/cleanup-protection
+{{- end }}

charts/gha-runner-scale-set-dev/values.yaml

@@ -123,6 +123,25 @@ resource:
       labels: {}
       annotations: {}
 
+  # Specifies metadata that will be applied to the kubernetes-mode RoleBinding
+  # (created when runner.mode is "kubernetes" and a ServiceAccountName is not provided).
+  kubernetesModeRoleBinding:
+    metadata:
+      labels: {}
+      annotations: {}
+
+  # Specifies metadata that will be applied to the kubernetes-mode Role.
+  kubernetesModeRole:
+    metadata:
+      labels: {}
+      annotations: {}
+
+  # Specifies metadata that will be applied to the kubernetes-mode ServiceAccount.
+  kubernetesModeServiceAccount:
+    metadata:
+      labels: {}
+      annotations: {}
+
   # TODO: Add more resource customizations when needed
 
 # Template applied for the runner container
@@ -146,7 +165,7 @@ runner:
   kubernetesMode:
     default: true
     serviceAccountName: ""
-    extraPermissions: []
+    extraRules: []
     extension: {}
 ## A self-signed CA certificate for communication with the GitHub server can be
 ## provided using a config map key selector. If `runnerMountPath` is set, for