Azure Key Vault integration to resolve secrets (#4090)

2025-12-11 20:21:02 +00:00 · 2025-06-11 15:53:33 +02:00
parent d4af75d82e
commit e46c929241
48 changed files with 2013 additions and 599 deletions
--- a/controllers/actions.github.com/ephemeralrunner_controller_test.go
+++ b/controllers/actions.github.com/ephemeralrunner_controller_test.go
@@ -107,10 +107,15 @@ var _ = Describe("EphemeralRunner", func() {
 			configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoscalingNS.Name)

 			controller = &EphemeralRunnerReconciler{
-				Client:        mgr.GetClient(),
-				Scheme:        mgr.GetScheme(),
-				Log:           logf.Log,
-				ActionsClient: fake.NewMultiClient(),
+				Client: mgr.GetClient(),
+				Scheme: mgr.GetScheme(),
+				Log:    logf.Log,
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient:   mgr.GetClient(),
+						multiClient: fake.NewMultiClient(),
+					},
+				},
 			}

 			err := controller.SetupWithManager(mgr)
@@ -789,22 +794,27 @@ var _ = Describe("EphemeralRunner", func() {
 				Client: mgr.GetClient(),
 				Scheme: mgr.GetScheme(),
 				Log:    logf.Log,
-				ActionsClient: fake.NewMultiClient(
-					fake.WithDefaultClient(
-						fake.NewFakeClient(
-							fake.WithGetRunner(
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient: mgr.GetClient(),
+						multiClient: fake.NewMultiClient(
+							fake.WithDefaultClient(
+								fake.NewFakeClient(
+									fake.WithGetRunner(
+										nil,
+										&actions.ActionsError{
+											StatusCode: http.StatusNotFound,
+											Err: &actions.ActionsExceptionError{
+												ExceptionName: "AgentNotFoundException",
+											},
+										},
+									),
+								),
 								nil,
-								&actions.ActionsError{
-									StatusCode: http.StatusNotFound,
-									Err: &actions.ActionsExceptionError{
-										ExceptionName: "AgentNotFoundException",
-									},
-								},
 							),
 						),
-						nil,
-					),
-				),
+					},
+				},
 			}
 			err := controller.SetupWithManager(mgr)
 			Expect(err).To(BeNil(), "failed to setup controller")
@@ -861,10 +871,15 @@ var _ = Describe("EphemeralRunner", func() {
 			configSecret = createDefaultSecret(GinkgoT(), k8sClient, autoScalingNS.Name)

 			controller = &EphemeralRunnerReconciler{
-				Client:        mgr.GetClient(),
-				Scheme:        mgr.GetScheme(),
-				Log:           logf.Log,
-				ActionsClient: fake.NewMultiClient(),
+				Client: mgr.GetClient(),
+				Scheme: mgr.GetScheme(),
+				Log:    logf.Log,
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient:   mgr.GetClient(),
+						multiClient: fake.NewMultiClient(),
+					},
+				},
 			}
 			err := controller.SetupWithManager(mgr)
 			Expect(err).To(BeNil(), "failed to setup controller")
@@ -874,7 +889,12 @@ var _ = Describe("EphemeralRunner", func() {

 		It("uses an actions client with proxy transport", func() {
 			// Use an actual client
-			controller.ActionsClient = actions.NewMultiClient(logr.Discard())
+			controller.ResourceBuilder = ResourceBuilder{
+				SecretResolver: &SecretResolver{
+					k8sClient:   mgr.GetClient(),
+					multiClient: actions.NewMultiClient(logr.Discard()),
+				},
+			}

 			proxySuccessfulllyCalled := false
 			proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -1025,10 +1045,15 @@ var _ = Describe("EphemeralRunner", func() {
 			Expect(err).NotTo(HaveOccurred(), "failed to create configmap with root CAs")

 			controller = &EphemeralRunnerReconciler{
-				Client:        mgr.GetClient(),
-				Scheme:        mgr.GetScheme(),
-				Log:           logf.Log,
-				ActionsClient: fake.NewMultiClient(),
+				Client: mgr.GetClient(),
+				Scheme: mgr.GetScheme(),
+				Log:    logf.Log,
+				ResourceBuilder: ResourceBuilder{
+					SecretResolver: &SecretResolver{
+						k8sClient:   mgr.GetClient(),
+						multiClient: fake.NewMultiClient(),
+					},
+				},
 			}

 			err = controller.SetupWithManager(mgr)
@@ -1059,11 +1084,16 @@ var _ = Describe("EphemeralRunner", func() {
 			server.StartTLS()

 			// Use an actual client
-			controller.ActionsClient = actions.NewMultiClient(logr.Discard())
+			controller.ResourceBuilder = ResourceBuilder{
+				SecretResolver: &SecretResolver{
+					k8sClient:   mgr.GetClient(),
+					multiClient: actions.NewMultiClient(logr.Discard()),
+				},
+			}

 			ephemeralRunner := newExampleRunner("test-runner", autoScalingNS.Name, configSecret.Name)
 			ephemeralRunner.Spec.GitHubConfigUrl = server.ConfigURLForOrg("my-org")
-			ephemeralRunner.Spec.GitHubServerTLS = &v1alpha1.GitHubServerTLSConfig{
+			ephemeralRunner.Spec.GitHubServerTLS = &v1alpha1.TLSConfig{
 				CertificateFrom: &v1alpha1.TLSCertificateSource{
 					ConfigMapKeyRef: &corev1.ConfigMapKeySelector{
 						LocalObjectReference: corev1.LocalObjectReference{