adding tests checking auth

charts/gha-runner-scale-set-dev/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+tests/

charts/gha-runner-scale-set-dev/Chart.yaml

@@ -0,0 +1,33 @@
+apiVersion: v2
+name: gha-runner-scale-set
+description: A Helm chart for deploying an AutoScalingRunnerSet
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: "0.14.0"
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.14.0"
+
+home: https://github.com/actions/actions-runner-controller
+
+sources:
+  - "https://github.com/actions/actions-runner-controller"
+
+maintainers:
+  - name: actions
+    url: https://github.com/actions

charts/gha-runner-scale-set-dev/templates/_helpers.tpl

@@ -0,0 +1,87 @@
+
+{{- define "autoscaling-runner-set.name" -}}
+{{- $name := .Values.runnerScaleSetName | default .Release.Name | replace "_" "-" | trimSuffix "-" }}
+{{- if or (empty $name) (gt (len $name) 45) }}
+{{ fail "Autoscaling runner set name must have up to 45 characters" }}
+{{- end }}
+{{- $name }}
+{{- end }}
+
+{{- define "autoscaling-runner-set.namespace" -}}
+{{- .Values.namespaceOverride | default .Release.Namespace -}}
+{{- end }}
+
+{{/*
+The name of the GitHub secret used for authentication.
+*/}}
+{{- define "github-secret.name" -}}
+{{- if not (empty .Values.auth.secretName) }}
+{{- quote .Values.auth.secretName }}
+{{- else }}
+{{- include "autoscaling-runner-set.name" . }}-github-secret
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create the labels for the autoscaling runner set.
+*/}}
+{{- define "autoscaling-runner-set.labels" -}}
+{{- $resourceLabels := dict "app.kubernetes.io/component" "autoscaling-runner-set" -}}
+{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
+{{- $userLabels := include "gha-process-labels" (.Values.resource.autoscalingRunnerSet.metadata.labels | default (dict)) | fromYaml -}}
+{{- $global := include "gha-process-labels" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
+{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
+{{- end }}
+
+{{/*
+Create the common labels used across all resources.
+*/}}
+{{- define "gha-common-labels" -}}
+helm.sh/chart: {{ include "gha-runner-scale-set.chart" . }}
+app.kubernetes.io/name: {{ include "autoscaling-runner-set.name" . }}
+app.kubernetes.io/instance: {{ include "autoscaling-runner-set.name" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: "gha-rs"
+actions.github.com/scale-set-name: {{ include "autoscaling-runner-set.name" . }}
+actions.github.com/scale-set-namespace: {{ include "autoscaling-runner-set.namespace" . }}
+{{- end }}
+
+
+{{/*
+Takes a map of user labels and removes the ones with "actions.github.com/" prefix
+*/}}
+{{- define "gha-process-labels" -}}
+{{- $userLabels := . -}}
+{{- $processed := dict -}}
+{{- range $key, $value := $userLabels -}}
+  {{- if not (hasPrefix $key "actions.github.com/") -}}
+    {{- $_ := set $processed $key $value -}}
+  {{- end -}}
+{{- end -}}
+{{- $processed | toYaml -}}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gha-runner-scale-set.chart" -}}
+{{- printf "gha-rs-%s" .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Container spec that is expanded for the runner container
+*/}}
+{{- define "container-spec.runner" -}}
+
+{{- if not .Values.runner.container }}
+{{ fail "You must provide a runner container specification in values.runner.container" }}
+{{- end }}
+
+{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
+name: runner
+image: {{ .Values.runner.container.image | default "ghcr.io/actions/runner:latest" }}
+command: {{ toJson (default (list "/home/runner/run.sh") .Values.runner.container.command) }}
+{{- end }}
+

charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml

@@ -0,0 +1,97 @@
+apiVersion: actions.github.com/v1alpha1
+kind: AutoscalingRunnerSet
+metadata:
+  name: {{ include "autoscaling-runner-set.name" . | quote }}
+  namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+  labels:
+    {{- include "autoscaling-runner-set.labels" . | nindent 4 }}
+
+spec:
+  githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }}
+  githubConfigSecret: {{ include "github-secret.name" . | quote }}
+  runnerGroup: {{ .Values.scaleset.runnerGroup | quote }}
+  runnerScaleSetName: {{ .Values.scaleset.name | quote }}
+
+  {{- if .Values.githubServerTLS }}
+  githubServerTLS:
+    {{- with .Values.githubServerTLS.certificateFrom }}
+    certificateFrom:
+      configMapKeyRef:
+        name: {{ .configMapKeyRef.name }}
+        key: {{ .configMapKeyRef.key }}
+    {{- end }}
+  {{- end }}
+
+  {{- if and .Values.secretResolution (ne .Values.secretResolution.type "kubernetes") }}
+  vaultConfig:
+    type: {{ .Values.secretResolution.type }}
+    {{- if .Values.secretResolution.proxy }}
+    proxy: {{- toYaml .Values.secretResolution.proxy | nindent 6 }}
+    {{- end }}
+    {{- if eq .Values.secretResolution.type "azureKeyVault" }}
+    azureKeyVault:
+      url: {{ .Values.secretResolution.azureKeyVault.url }}
+      tenantId: {{ .Values.secretResolution.azureKeyVault.tenantId }}
+      clientId: {{ .Values.secretResolution.azureKeyVault.clientId }}
+      certificatePath: {{ .Values.secretResolution.azureKeyVault.certificatePath }}
+      secretKey: {{ .Values.secretResolution.azureKeyVault.secretKey }}
+    {{- else }}
+        {{- fail "Unsupported keyVault type: " .Values.secretResolution.type }}
+    {{- end }}
+  {{- end }}
+
+  {{- if .Values.proxy }}
+  proxy:
+    {{- if .Values.proxy.http }}
+    http:
+      url: {{ .Values.proxy.http.url }}
+      {{- if .Values.proxy.http.credentialSecretRef }}
+      credentialSecretRef: {{ .Values.proxy.http.credentialSecretRef }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.proxy.https }}
+    https:
+      url: {{ .Values.proxy.https.url }}
+      {{- if .Values.proxy.https.credentialSecretRef }}
+      credentialSecretRef: {{ .Values.proxy.https.credentialSecretRef }}
+      {{- end }}
+    {{- end }}
+    {{- if and .Values.proxy.noProxy (kindIs "slice" .Values.proxy.noProxy) }}
+    noProxy: {{ .Values.proxy.noProxy | toYaml | nindent 6}}
+    {{- end }}
+  {{- end }}
+
+  {{- if and (or (kindIs "int64" .Values.scaleset.minRunners) (kindIs "float64" .Values.scaleset.minRunners)) (or (kindIs "int64" .Values.scaleset.maxRunners) (kindIs "float64" .Values.scaleset.maxRunners)) }}
+    {{- if gt .Values.scaleset.minRunners .Values.scaleset.maxRunners }}
+      {{- fail "maxRunners has to be greater or equal to minRunners" }}
+    {{- end }}
+  {{- end }}
+
+  {{- if or (kindIs "int64" .Values.scaleset.maxRunners) (kindIs "float64" .Values.scaleset.maxRunners)}}
+    {{- if lt (.Values.scaleset.maxRunners | int) 0 }}
+      {{- fail "maxRunners has to be greater or equal to 0" }}
+    {{- end }}
+  maxRunners: {{ .Values.scaleset.maxRunners | int }}
+  {{- end }}
+
+  {{- if or (kindIs "int64" .Values.scaleset.minRunners) (kindIs "float64" .Values.scaleset.minRunners) }}
+    {{- if lt (.Values.scaleset.minRunners | int) 0 }}
+      {{- fail "minRunners has to be greater or equal to 0" }}
+    {{- end }}
+  minRunners: {{ .Values.scaleset.minRunners | int }}
+  {{- end }}
+
+  {{- with .Values.listenerPodTemplate }}
+  listenerTemplate:
+    {{- toYaml . | nindent 4}}
+  {{- end }}
+
+  {{- with .Values.listenerMetrics }}
+  listenerMetrics:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+  template:
+    spec:
+      containers:
+        # {{- include "container-spec.runner" . | nindent 8 }}

charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_auth_test.yaml

@@ -0,0 +1,245 @@
+suite: "Test AutoscalingRunnerSet Authentication & Configuration"
+templates:
+  - autoscalingrunnserset.yaml
+tests:
+  - it: should require githubConfigUrl
+    set:
+      scaleset.name: "test"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: ".Values.auth.url is required"
+
+  - it: should render githubConfigUrl from auth.url
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.githubConfigUrl
+          value: "https://github.com/org"
+
+  - it: should trim trailing slash from githubConfigUrl
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org/"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.githubConfigUrl
+          value: "https://github.com/org"
+
+  - it: should render default githubConfigSecret from release name
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.githubConfigSecret
+          value: "test-name-github-secret"
+
+  - it: should render custom githubConfigSecret when auth.secretName is provided
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      auth.secretName: "custom-github-secret"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.githubConfigSecret
+          value: '"custom-github-secret"'
+
+  - it: should render default runnerGroup when not configured
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.runnerGroup
+          value: "default"
+
+  - it: should render custom runnerGroup when configured
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      scaleset.runnerGroup: "custom-group"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.runnerGroup
+          value: "custom-group"
+
+  - it: should render runnerGroup with special characters
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      scaleset.runnerGroup: "my-custom-runner-group-123"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.runnerGroup
+          value: "my-custom-runner-group-123"
+
+  - it: should render runnerScaleSetName from scaleset.name
+    set:
+      scaleset.name: "my-runner-set"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.runnerScaleSetName
+          value: "my-runner-set"
+
+  - it: should use release name as metadata name when runnerScaleSetName not provided
+    set:
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "release-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: metadata.name
+          value: "release-name"
+
+  - it: should use scaleset.name for spec.runnerScaleSetName when provided
+    set:
+      scaleset.name: "spec-runner-name"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "release-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.runnerScaleSetName
+          value: "spec-runner-name"
+
+  - it: should not normalize underscores in runnerScaleSetName (underscores are preserved)
+    set:
+      scaleset.name: "my_runner_set"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.runnerScaleSetName
+          value: "my_runner_set"
+
+  - it: should reject metadata name exceeding 45 characters
+    set:
+      runnerScaleSetName: "this-is-a-very-long-name-that-exceeds-forty-five-characters-long"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: "Autoscaling runner set name must have up to 45 characters"
+
+  - it: should handle githubConfigUrl with enterprise GitHub instance
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.enterprise.com/api/v3"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.githubConfigUrl
+          value: "https://github.enterprise.com/api/v3"
+
+  - it: should render all configuration together
+    set:
+      runnerScaleSetName: "prod-runners"
+      scaleset.name: "prod-spec-name"
+      auth.url: "https://github.com/myorg"
+      auth.githubToken: "gh_token12345"
+      auth.secretName: "gh-token-secret"
+      scaleset.runnerGroup: "prod-group"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "prod-scale-set"
+      namespace: "arc"
+    asserts:
+      - equal:
+          path: spec.githubConfigUrl
+          value: "https://github.com/myorg"
+      - equal:
+          path: spec.githubConfigSecret
+          value: '"gh-token-secret"'
+      - equal:
+          path: spec.runnerGroup
+          value: "prod-group"
+      - equal:
+          path: spec.runnerScaleSetName
+          value: "prod-spec-name"
+      - equal:
+          path: metadata.name
+          value: "prod-runners"
+      - equal:
+          path: metadata.namespace
+          value: "arc"

charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_labels_test.yaml

@@ -0,0 +1,295 @@
+suite: "Test AutoscalingRunnerSet Labels"
+templates:
+  - autoscalingrunnserset.yaml
+tests:
+  - it: should render base labels
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    chart:
+      appVersion: "0.14.0"
+    asserts:
+      - equal:
+          path: metadata.labels["helm.sh/chart"]
+          value: "gha-rs-0.14.0"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/instance"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: "autoscaling-runner-set"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/managed-by"]
+          value: "Helm"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/part-of"]
+          value: "gha-rs"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/version"]
+          value: "0.14.0"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-namespace"]
+          value: "test-namespace"
+
+  - it: should include user-defined labels
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      resource:
+        autoscalingRunnerSet:
+          metadata:
+            labels:
+              team: "backend"
+              environment: "production"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: metadata.labels["team"]
+          value: "backend"
+      - equal:
+          path: metadata.labels["environment"]
+          value: "production"
+      - equal:
+          path: metadata.labels["helm.sh/chart"]
+          value: "gha-rs-0.14.0"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/instance"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: "autoscaling-runner-set"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/managed-by"]
+          value: "Helm"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/part-of"]
+          value: "gha-rs"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/version"]
+          value: "0.14.0"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-namespace"]
+          value: "test-namespace"
+
+  - it: should include global labels
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      resource:
+        all:
+          metadata:
+            labels:
+              global-team: "platform"
+              owner: "devops"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: metadata.labels["global-team"]
+          value: "platform"
+      - equal:
+          path: metadata.labels["owner"]
+          value: "devops"
+      - equal:
+          path: metadata.labels["helm.sh/chart"]
+          value: "gha-rs-0.14.0"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/instance"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: "autoscaling-runner-set"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/managed-by"]
+          value: "Helm"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/part-of"]
+          value: "gha-rs"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/version"]
+          value: "0.14.0"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-namespace"]
+          value: "test-namespace"
+
+  - it: should merge both user and global labels
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      resource:
+        autoscalingRunnerSet:
+          metadata:
+            labels:
+              team: "backend"
+              environment: "staging"
+        all:
+          metadata:
+            labels:
+              global-team: "platform"
+              environment: "production"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: metadata.labels["team"]
+          value: "backend"
+      - equal:
+          path: metadata.labels["global-team"]
+          value: "platform"
+      - equal:
+          path: metadata.labels["environment"]
+          value: "staging"
+      - equal:
+          path: metadata.labels["helm.sh/chart"]
+          value: "gha-rs-0.14.0"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/instance"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: "autoscaling-runner-set"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/managed-by"]
+          value: "Helm"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/part-of"]
+          value: "gha-rs"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/version"]
+          value: "0.14.0"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-namespace"]
+          value: "test-namespace"
+
+  - it: should allow user labels to override global labels
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      resource:
+        autoscalingRunnerSet:
+          metadata:
+            labels:
+              tier: "frontend"
+              cost-center: "100"
+        all:
+          metadata:
+            labels:
+              tier: "backend"
+              environment: "staging"
+              cost-center: "200"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: metadata.labels["tier"]
+          value: "frontend"
+      - equal:
+          path: metadata.labels["cost-center"]
+          value: "100"
+      - equal:
+          path: metadata.labels["environment"]
+          value: "staging"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/name"]
+          value: "test-name"
+
+  - it: should preserve actions.github.com custom labels from user config
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      resource:
+        autoscalingRunnerSet:
+          metadata:
+            labels:
+              team: "backend"
+              actions.github.com/custom-label: "user-value"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: metadata.labels["team"]
+          value: "backend"
+      - equal:
+          path: metadata.labels["actions.github.com/custom-label"]
+          value: "user-value"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-name"]
+          value: "test-name"
+
+  - it: should preserve actions.github.com custom labels from global config
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      resource:
+        all:
+          metadata:
+            labels:
+              owner: "devops"
+              actions.github.com/global-custom: "global-value"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: metadata.labels["owner"]
+          value: "devops"
+      - equal:
+          path: metadata.labels["actions.github.com/global-custom"]
+          value: "global-value"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-name"]
+          value: "test-name"

charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_min_max_runners_test.yaml

@@ -0,0 +1,71 @@
+suite: "Test AutoscalingRunnerSet MinMax Runners"
+templates:
+  - autoscalingrunnserset.yaml
+tests:
+  - it: should set minRunners and maxRunners correctly
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      scaleset.minRunners: 2
+      scaleset.maxRunners: 5
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.minRunners
+          value: 2
+      - equal:
+          path: spec.maxRunners
+          value: 5
+  - it: should fail when minRunners is greater than maxRunners
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      scaleset.minRunners: 6
+      scaleset.maxRunners: 5
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate: {}
+  - it: should work when minRunners equals maxRunners
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      scaleset.minRunners: 5
+      scaleset.maxRunners: 5
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.minRunners
+          value: 5
+      - equal:
+          path: spec.maxRunners
+          value: 5
+  - it: should not set minRunners and maxRunners when not provided
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - notExists: 
+          path: spec.minRunners
+      - notExists:
+          path: spec.maxRunners

charts/gha-runner-scale-set-dev/tests/autoscaling_runner_set_proxy_test.yaml

@@ -0,0 +1,290 @@
+suite: "Test AutoscalingRunnerSet Proxy Configuration"
+templates:
+  - autoscalingrunnserset.yaml
+tests:
+  - it: should not render proxy section when not configured
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - notExists:
+          path: spec.proxy
+
+  - it: should render http proxy configuration
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        http:
+          url: "http://proxy.example.com:3128"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.http.url
+          value: "http://proxy.example.com:3128"
+      - notExists:
+          path: spec.proxy.https
+
+  - it: should render https proxy configuration
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        https:
+          url: "https://secure-proxy.example.com:3128"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.https.url
+          value: "https://secure-proxy.example.com:3128"
+      - notExists:
+          path: spec.proxy.http
+
+  - it: should render both http and https proxy configuration
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        http:
+          url: "http://proxy.example.com:3128"
+        https:
+          url: "https://secure-proxy.example.com:3128"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.http.url
+          value: "http://proxy.example.com:3128"
+      - equal:
+          path: spec.proxy.https.url
+          value: "https://secure-proxy.example.com:3128"
+
+  - it: should render http proxy with credential secret reference
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        http:
+          url: "http://proxy.example.com:3128"
+          credentialSecretRef: "proxy-credentials"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.http.url
+          value: "http://proxy.example.com:3128"
+      - equal:
+          path: spec.proxy.http.credentialSecretRef
+          value: "proxy-credentials"
+
+  - it: should render https proxy with credential secret reference
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        https:
+          url: "https://secure-proxy.example.com:3128"
+          credentialSecretRef: "secure-proxy-creds"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.https.url
+          value: "https://secure-proxy.example.com:3128"
+      - equal:
+          path: spec.proxy.https.credentialSecretRef
+          value: "secure-proxy-creds"
+
+  - it: should render proxy with noProxy list
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        http:
+          url: "http://proxy.example.com:3128"
+        noProxy:
+          - "localhost"
+          - "127.0.0.1"
+          - ".example.local"
+          - "10.0.0.0/8"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.http.url
+          value: "http://proxy.example.com:3128"
+      - contains:
+          path: spec.proxy.noProxy
+          content: "localhost"
+      - contains:
+          path: spec.proxy.noProxy
+          content: "127.0.0.1"
+      - contains:
+          path: spec.proxy.noProxy
+          content: ".example.local"
+      - contains:
+          path: spec.proxy.noProxy
+          content: "10.0.0.0/8"
+
+  - it: should render complete proxy configuration with all options
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        http:
+          url: "http://proxy.example.com:3128"
+          credentialSecretRef: "proxy-credentials"
+        https:
+          url: "https://secure-proxy.example.com:3128"
+          credentialSecretRef: "secure-proxy-creds"
+        noProxy:
+          - "localhost"
+          - "127.0.0.1"
+          - ".local"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.http.url
+          value: "http://proxy.example.com:3128"
+      - equal:
+          path: spec.proxy.http.credentialSecretRef
+          value: "proxy-credentials"
+      - equal:
+          path: spec.proxy.https.url
+          value: "https://secure-proxy.example.com:3128"
+      - equal:
+          path: spec.proxy.https.credentialSecretRef
+          value: "secure-proxy-creds"
+      - contains:
+          path: spec.proxy.noProxy
+          content: "localhost"
+      - contains:
+          path: spec.proxy.noProxy
+          content: "127.0.0.1"
+      - contains:
+          path: spec.proxy.noProxy
+          content: ".local"
+
+  - it: should render proxy configuration with empty noProxy list
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        http:
+          url: "http://proxy.example.com:3128"
+        noProxy: []
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.http.url
+          value: "http://proxy.example.com:3128"
+      - notExists:
+          path: spec.proxy.noProxy
+
+  - it: should not render proxy when configured as empty object
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy: {}
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - notExists:
+          path: spec.proxy
+
+  - it: should render proxy with only http without credentials
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        http:
+          url: "http://unauthenticated-proxy.example.com:8080"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.http.url
+          value: "http://unauthenticated-proxy.example.com:8080"
+      - notExists:
+          path: spec.proxy.http.credentialSecretRef
+      - notExists:
+          path: spec.proxy.https
+
+  - it: should render proxy with https and noProxy without http
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      proxy:
+        https:
+          url: "https://secure-proxy.example.com:3128"
+        noProxy:
+          - "internal.example.com"
+          - "*.local"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.proxy.https.url
+          value: "https://secure-proxy.example.com:3128"
+      - notExists:
+          path: spec.proxy.http
+      - contains:
+          path: spec.proxy.noProxy
+          content: "internal.example.com"
+      - contains:
+          path: spec.proxy.noProxy
+          content: "*.local"

charts/gha-runner-scale-set-dev/values.yaml

@@ -0,0 +1,310 @@
+## By default .Release.namespace is used
+namespaceOverride: ""
+
+scaleset:
+  # Name of the scaleset
+  name: ""
+  runnerGroup: "default"
+  ## minRunners is the min number of idle runners. The target number of runners created will be
+  ## calculated as a sum of minRunners and the number of jobs assigned to the scale set.
+  # minRunners: 0
+  ## maxRunners is the max number of runners the autoscaling runner set will scale up to.
+  # maxRunners: 5
+
+# Auth object provides authorization parameters.
+# You should apply either:
+# 1) secretName referencing the secret containing authorization parameters in the same namespace where the scale set is being installed in
+# 2) app object parameters
+# 3) github_tokne
+#
+# If multiple of them are set, only single one will be applied based on the above mentioned order.
+auth:
+  url: "" # Required
+  githubToken: ""
+  secretName: ""
+  app:
+    clientId: ""
+    installationId: ""
+    privateKey: ""
+
+# secretResolution configures how secrets are resolved for this scale set.
+# By default, secrets are resolved using Kubernetes secrets. When Kubernetes
+# secrets are used, no proxy config will be applied.
+#
+# If you decide to use secret integrations with vaults, you can configure
+# proxy settings for the vault communication here.
+secretResolution:
+  # Name of the secret resolver to use.
+  # Available values:
+  # - "kubernetes" - use Kubernetes secrets
+  # - "azureKeyVault" - use Azure Key Vault
+  type: "kubernetes"
+
+  ## Proxy settings when type is NOT "kubernetes"
+  # proxy:
+  #   http:
+  #     url: http://proxy.com:1234
+  #     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+  #   https:
+  #     url: http://proxy.com:1234
+  #     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+  #   noProxy:
+  #     - example.com
+  #     - example.org
+
+  ## Configuration for Azure Key Vault integration
+  # azureKeyVault:
+  #   url: ""
+  #   client_id: ""
+  #   tenant_id: ""
+  #   certificate_path: ""
+
+## Proxy can be used to define proxy settings that will be used by the
+## controller, the listener and the runner of this scale set.
+# proxy:
+#   http:
+#     url: http://proxy.com:1234
+#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+#   https:
+#     url: http://proxy.com:1234
+#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+#   noProxy:
+#     - example.com
+#     - example.org
+
+## listenerTemplate is the PodSpec for each listener Pod
+## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
+# listenerPodTemplate:
+#   spec:
+#     containers:
+#     # Use this section to append additional configuration to the listener container.
+#     # If you change the name of the container, the configuration will not be applied to the listener,
+#     # and it will be treated as a side-car container.
+#     - name: listener
+#       securityContext:
+#         runAsUser: 1000
+#     # Use this section to add the configuration of a side-car container.
+#     # Comment it out or remove it if you don't need it.
+#     # Spec for this container will be applied as is without any modifications.
+#     - name: side-car
+#       image: example-sidecar
+
+## Resource object allows modifying resources created by the chart itself
+resource:
+  # Specifies metadata that will be applied to all resources managed by ARC
+  all:
+    metadata:
+      labels: {}
+      annotations: {}
+
+  # Specifies metadata that will be applied to the AutoscalingRunnerSet resource
+  autoscalingRunnerSet:
+    metadata:
+      labels: {}
+      annotations: {}
+      
+  # TODO: Add more resource customizations when needed
+
+# Template applied for the runner container
+runner:
+  # metadata:
+  #   labels: []
+  #   annotations: []
+
+  # Mode can be used to automatically add required configuration for the selected mode
+  mode: "" # Available modes: "", "kubernetes", "dind"
+
+  # container field is applied to the container named "runner". You cannot override the name of the runner container
+  container:
+    image: "ghcr.io/actions/actions-runner:latest"
+    command: ["/home/runner/run.sh"]
+
+  dind:
+    # If default is set to true, we will expand the default spec for the `dind` container, and you can provide fields to override them
+    default: true
+
+  kubernetesMode:
+    default: true
+    serviceAccountName: ""
+    extraPermissions: []
+    extension: {}
+## A self-signed CA certificate for communication with the GitHub server can be
+## provided using a config map key selector. If `runnerMountPath` is set, for
+## each runner pod ARC will:
+## - create a `github-server-tls-cert` volume containing the certificate
+##   specified in `certificateFrom`
+## - mount that volume on path `runnerMountPath`/{certificate name}
+## - set NODE_EXTRA_CA_CERTS environment variable to that same path
+## - set RUNNER_UPDATE_CA_CERTS environment variable to "1" (as of version
+##   2.303.0 this will instruct the runner to reload certificates on the host)
+##
+## If any of the above had already been set by the user in the runner pod
+## template, ARC will observe those and not overwrite them.
+## Example configuration:
+#
+# githubServerTLS:
+#   certificateFrom:
+#     configMapKeyRef:
+#       name: config-map-name
+#       key: ca.crt
+#   runnerMountPath: /usr/local/share/ca-certificates/
+
+## controllerServiceAccount is the service account of the controller
+controllerServiceAccount:
+  namespace: ""
+  name: ""
+## listenerMetrics are configurable metrics applied to the listener.
+## In order to avoid helm merging these fields, we left the metrics commented out.
+## When configuring metrics, please uncomment the listenerMetrics object below.
+## You can modify the configuration to remove the label or specify custom buckets for histogram.
+##
+## If the buckets field is not specified, the default buckets will be applied. Default buckets are
+## provided here for documentation purposes
+# listenerMetrics:
+#   counters:
+#     gha_started_jobs_total:
+#       labels:
+#         ["repository", "organization", "enterprise", "job_name", "event_name", "job_workflow_ref", "job_workflow_name", "job_workflow_target"]
+#     gha_completed_jobs_total:
+#       labels:
+#         [
+#           "repository",
+#           "organization",
+#           "enterprise",
+#           "job_name",
+#           "event_name",
+#           "job_result",
+#           "job_workflow_ref",
+#           "job_workflow_name",
+#           "job_workflow_target",
+#         ]
+#   gauges:
+#     gha_assigned_jobs:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#     gha_running_jobs:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#     gha_registered_runners:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#     gha_busy_runners:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#     gha_min_runners:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#     gha_max_runners:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#     gha_desired_runners:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#     gha_idle_runners:
+#       labels: ["name", "namespace", "repository", "organization", "enterprise"]
+#   histograms:
+#     gha_job_startup_duration_seconds:
+#       labels:
+#         ["repository", "organization", "enterprise", "job_name", "event_name","job_workflow_ref", "job_workflow_name", "job_workflow_target"]
+#       buckets:
+#         [
+#           0.01,
+#           0.05,
+#           0.1,
+#           0.5,
+#           1.0,
+#           2.0,
+#           3.0,
+#           4.0,
+#           5.0,
+#           6.0,
+#           7.0,
+#           8.0,
+#           9.0,
+#           10.0,
+#           12.0,
+#           15.0,
+#           18.0,
+#           20.0,
+#           25.0,
+#           30.0,
+#           40.0,
+#           50.0,
+#           60.0,
+#           70.0,
+#           80.0,
+#           90.0,
+#           100.0,
+#           110.0,
+#           120.0,
+#           150.0,
+#           180.0,
+#           210.0,
+#           240.0,
+#           300.0,
+#           360.0,
+#           420.0,
+#           480.0,
+#           540.0,
+#           600.0,
+#           900.0,
+#           1200.0,
+#           1800.0,
+#           2400.0,
+#           3000.0,
+#           3600.0,
+#         ]
+#     gha_job_execution_duration_seconds:
+#       labels:
+#         [
+#           "repository",
+#           "organization",
+#           "enterprise",
+#           "job_name",
+#           "event_name",
+#           "job_result",
+#           "job_workflow_ref",
+#           "job_workflow_name",
+#           "job_workflow_target"
+#         ]
+#       buckets:
+#         [
+#           0.01,
+#           0.05,
+#           0.1,
+#           0.5,
+#           1.0,
+#           2.0,
+#           3.0,
+#           4.0,
+#           5.0,
+#           6.0,
+#           7.0,
+#           8.0,
+#           9.0,
+#           10.0,
+#           12.0,
+#           15.0,
+#           18.0,
+#           20.0,
+#           25.0,
+#           30.0,
+#           40.0,
+#           50.0,
+#           60.0,
+#           70.0,
+#           80.0,
+#           90.0,
+#           100.0,
+#           110.0,
+#           120.0,
+#           150.0,
+#           180.0,
+#           210.0,
+#           240.0,
+#           300.0,
+#           360.0,
+#           420.0,
+#           480.0,
+#           540.0,
+#           600.0,
+#           900.0,
+#           1200.0,
+#           1800.0,
+#           2400.0,
+#           3000.0,
+#           3600.0,
+#         ]

charts/gha-runner-scale-set/.helmignore

@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+tests/

charts/gha-runner-scale-set/tests/autoscaling_runner_set_test.yaml

@@ -0,0 +1,9 @@
+suite: "AutoscalingRunnerSet"
+templates:
+  - autoscalingrunnserset.yaml
+tests:
+  - it: should render base labels
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_"