actions/actions-runner-controller
1
0
Fork 0
mirror of https://github.com/actions/actions-runner-controller.git synced 2026-03-21 17:33:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: actions:gha-runner-scale-set-0.13.0
Branches Tags
actions:master actions:update-runner-2026-03-19 actions:update-runner-2026-02-05 actions:nikola-jokic/renames actions:nikola-jokic/er-status actions:update-runner-2025-10-06 actions:update-runner-2025-04-18 actions:nikola-jokic/re-create-listener-on-github-secret-change actions:revert-client-go-rlimits actions:update-runner-2024-11-06 actions:responsive-runner-creation actions:ddtrace-wip-may actions:update-runner-2024-06-20 actions:users/johnsudol/update-runner-sched-workflow actions:update-runner-2024-02-27 actions:update-runner-2024-02-06 actions:Link-/docker-socket-dir actions:nikola-jokic/gha-e2e actions:gh-pages actions:update-runner-2023-10-09 actions:enhancec-arc-runner-images-for-scaleset-compat actions:runnerset-docker-socket actions:rentziass/no-ginkgo
actions:gha-runner-scale-set-0.14.0 actions:gha-runner-scale-set-0.13.1 actions:gha-runner-scale-set-0.13.0 actions:gha-runner-scale-set-0.12.1 actions:gha-runner-scale-set-0.12.0 actions:gha-runner-scale-set-0.11.0 actions:gha-runner-scale-set-0.10.1 actions:gha-runner-scale-set-0.10.0 actions:gha-runner-scale-set-0.9.3 actions:gha-runner-scale-set-0.9.2 actions:gha-runner-scale-set-0.9.1 actions:gha-runner-scale-set-0.9.0 actions:gha-runner-scale-set-0.8.3 actions:gha-runner-scale-set-0.8.2 actions:gha-runner-scale-set-0.8.1 actions:gha-runner-scale-set-0.8.0 actions:actions-runner-controller-0.23.7 actions:actions-runner-controller-0.23.6 actions:gha-runner-scale-set-0.7.0 actions:v0.27.6 actions:gha-runner-scale-set-0.6.1 actions:gha-runner-scale-set-0.6.0 actions:actions-runner-controller-0.23.5 actions:actions-runner-controller-0.23.4 actions:v0.27.5 actions:gha-runner-scale-set-0.5.0 actions:actions-runner-controller-0.23.3 actions:v0.27.4 actions:actions-runner-controller-0.23.2 actions:v0.27.3 actions:actions-runner-controller-0.23.1 actions:gha-runner-scale-set-0.4.0 actions:v0.27.2 actions:actions-runner-controller-0.23.0 actions:v0.27.1 actions:0.3.0 actions:0.2.0 actions:gha-runner-scale-set-0.3.0 actions:gha-runner-scale-set-0.2.0 actions:actions-runner-controller-0.22.0 actions:v0.27.0 actions:actions-runner-controller-0.21.1 actions:actions-runner-controller-0.21.0 actions:v0.26.0 actions:actions-runner-controller-0.20.2 actions:v0.25.2 actions:actions-runner-controller-0.20.1 actions:v0.25.1 actions:actions-runner-controller-0.20.0 actions:v0.25.0 actions:actions-runner-controller-0.19.1 actions:v0.24.1 actions:actions-runner-controller-0.19.0 actions:v0.24.0 actions:actions-runner-controller-0.18.0 actions:v0.23.0 actions:actions-runner-controller-0.17.3 actions:v0.22.3 actions:actions-runner-controller-0.17.2 actions:v0.22.2 actions:actions-runner-controller-0.17.1 actions:v0.22.1 actions:actions-runner-controller-0.17.0 actions:v0.22.0 actions:actions-runner-controller-0.16.1 actions:v0.21.1 actions:actions-runner-controller-0.16.0 actions:v0.21.0 actions:actions-runner-controller-0.15.3 actions:actions-runner-controller-0.15.2 actions:v0.20.4 actions:actions-runner-controller-0.15.1 actions:actions-runner-controller-0.15.0 actions:v0.20.3 actions:actions-runner-controller-0.14.0 actions:actions-runner-controller-0.13.2 actions:v0.20.2 actions:actions-runner-controller-0.13.1 actions:v0.20.1 actions:actions-runner-controller-0.13.0 actions:v0.20.0 actions:actions-runner-controller-0.12.8 actions:actions-runner-controller-0.12.7 actions:actions-runner-controller-0.12.6 actions:actions-runner-controller-0.12.5 actions:actions-runner-controller-0.12.4 actions:actions-runner-controller-0.12.3 actions:actions-runner-controller-0.12.2 actions:actions-runner-controller-0.12.1 actions:actions-runner-controller-0.12.0 actions:v0.19.0 actions:actions-runner-controller-0.11.0 actions:actions-runner-controller-0.10.5 actions:v0.18.2 actions:v0.18.1 actions:v0.18.0 actions:actions-runner-controller-0.10.4 actions:actions-runner-controller-0.10.3 actions:actions-runner-controller-0.10.2 actions:actions-runner-controller-0.10.1 actions:actions-runner-controller-0.10.0 actions:actions-runner-controller-0.9.0 actions:actions-runner-controller-0.8.0 actions:actions-runner-controller-0.7.0 actions:actions-runner-controller-0.6.1 actions:actions-runner-controller-0.6.0 actions:actions-runner-controller-0.5.2 actions:actions-runner-controller-0.5.1 actions:actions-runner-controller-0.5.0 actions:actions-runner-controller-0.4.0 actions:actions-runner-controller-0.3.1 actions:v0.17.0 actions:actions-runner-controller-0.2.1 actions:actions-runner-controller-0.2.0 actions:actions-runner-controller-0.1.2 actions:v0.16.1 actions:v0.16.0 actions:v0.15.0 actions:v0.14.0 actions:v0.13.0 actions:v0.13.1 actions:v0.12.0 actions:v0.11.3 actions:v0.11.2 actions:v0.11.1 actions:v0.11.0 actions:v0.10.0 actions:v0.9.5 actions:v0.9.4 actions:v0.9.3 actions:v0.9.2 actions:v0.9.1 actions:v0.9.0 actions:v0.8.0 actions:v0.7.2 actions:v0.7.1 actions:v0.7.0 actions:v0.6.0 actions:v0.5.0 actions:v0.4.3 actions:v0.4.2 actions:v0.4.1 actions:v0.4.0 actions:v0.3.0 actions:v0.2.0 actions:v0.1.0
...
compare: actions:gha-runner-scale-set-0.14.0
Branches Tags
actions:master actions:update-runner-2026-03-19 actions:update-runner-2026-02-05 actions:nikola-jokic/renames actions:nikola-jokic/er-status actions:update-runner-2025-10-06 actions:update-runner-2025-04-18 actions:nikola-jokic/re-create-listener-on-github-secret-change actions:revert-client-go-rlimits actions:update-runner-2024-11-06 actions:responsive-runner-creation actions:ddtrace-wip-may actions:update-runner-2024-06-20 actions:users/johnsudol/update-runner-sched-workflow actions:update-runner-2024-02-27 actions:update-runner-2024-02-06 actions:Link-/docker-socket-dir actions:nikola-jokic/gha-e2e actions:gh-pages actions:update-runner-2023-10-09 actions:enhancec-arc-runner-images-for-scaleset-compat actions:runnerset-docker-socket actions:rentziass/no-ginkgo
actions:gha-runner-scale-set-0.14.0 actions:gha-runner-scale-set-0.13.1 actions:gha-runner-scale-set-0.13.0 actions:gha-runner-scale-set-0.12.1 actions:gha-runner-scale-set-0.12.0 actions:gha-runner-scale-set-0.11.0 actions:gha-runner-scale-set-0.10.1 actions:gha-runner-scale-set-0.10.0 actions:gha-runner-scale-set-0.9.3 actions:gha-runner-scale-set-0.9.2 actions:gha-runner-scale-set-0.9.1 actions:gha-runner-scale-set-0.9.0 actions:gha-runner-scale-set-0.8.3 actions:gha-runner-scale-set-0.8.2 actions:gha-runner-scale-set-0.8.1 actions:gha-runner-scale-set-0.8.0 actions:actions-runner-controller-0.23.7 actions:actions-runner-controller-0.23.6 actions:gha-runner-scale-set-0.7.0 actions:v0.27.6 actions:gha-runner-scale-set-0.6.1 actions:gha-runner-scale-set-0.6.0 actions:actions-runner-controller-0.23.5 actions:actions-runner-controller-0.23.4 actions:v0.27.5 actions:gha-runner-scale-set-0.5.0 actions:actions-runner-controller-0.23.3 actions:v0.27.4 actions:actions-runner-controller-0.23.2 actions:v0.27.3 actions:actions-runner-controller-0.23.1 actions:gha-runner-scale-set-0.4.0 actions:v0.27.2 actions:actions-runner-controller-0.23.0 actions:v0.27.1 actions:0.3.0 actions:0.2.0 actions:gha-runner-scale-set-0.3.0 actions:gha-runner-scale-set-0.2.0 actions:actions-runner-controller-0.22.0 actions:v0.27.0 actions:actions-runner-controller-0.21.1 actions:actions-runner-controller-0.21.0 actions:v0.26.0 actions:actions-runner-controller-0.20.2 actions:v0.25.2 actions:actions-runner-controller-0.20.1 actions:v0.25.1 actions:actions-runner-controller-0.20.0 actions:v0.25.0 actions:actions-runner-controller-0.19.1 actions:v0.24.1 actions:actions-runner-controller-0.19.0 actions:v0.24.0 actions:actions-runner-controller-0.18.0 actions:v0.23.0 actions:actions-runner-controller-0.17.3 actions:v0.22.3 actions:actions-runner-controller-0.17.2 actions:v0.22.2 actions:actions-runner-controller-0.17.1 actions:v0.22.1 actions:actions-runner-controller-0.17.0 actions:v0.22.0 actions:actions-runner-controller-0.16.1 actions:v0.21.1 actions:actions-runner-controller-0.16.0 actions:v0.21.0 actions:actions-runner-controller-0.15.3 actions:actions-runner-controller-0.15.2 actions:v0.20.4 actions:actions-runner-controller-0.15.1 actions:actions-runner-controller-0.15.0 actions:v0.20.3 actions:actions-runner-controller-0.14.0 actions:actions-runner-controller-0.13.2 actions:v0.20.2 actions:actions-runner-controller-0.13.1 actions:v0.20.1 actions:actions-runner-controller-0.13.0 actions:v0.20.0 actions:actions-runner-controller-0.12.8 actions:actions-runner-controller-0.12.7 actions:actions-runner-controller-0.12.6 actions:actions-runner-controller-0.12.5 actions:actions-runner-controller-0.12.4 actions:actions-runner-controller-0.12.3 actions:actions-runner-controller-0.12.2 actions:actions-runner-controller-0.12.1 actions:actions-runner-controller-0.12.0 actions:v0.19.0 actions:actions-runner-controller-0.11.0 actions:actions-runner-controller-0.10.5 actions:v0.18.2 actions:v0.18.1 actions:v0.18.0 actions:actions-runner-controller-0.10.4 actions:actions-runner-controller-0.10.3 actions:actions-runner-controller-0.10.2 actions:actions-runner-controller-0.10.1 actions:actions-runner-controller-0.10.0 actions:actions-runner-controller-0.9.0 actions:actions-runner-controller-0.8.0 actions:actions-runner-controller-0.7.0 actions:actions-runner-controller-0.6.1 actions:actions-runner-controller-0.6.0 actions:actions-runner-controller-0.5.2 actions:actions-runner-controller-0.5.1 actions:actions-runner-controller-0.5.0 actions:actions-runner-controller-0.4.0 actions:actions-runner-controller-0.3.1 actions:v0.17.0 actions:actions-runner-controller-0.2.1 actions:actions-runner-controller-0.2.0 actions:actions-runner-controller-0.1.2 actions:v0.16.1 actions:v0.16.0 actions:v0.15.0 actions:v0.14.0 actions:v0.13.0 actions:v0.13.1 actions:v0.12.0 actions:v0.11.3 actions:v0.11.2 actions:v0.11.1 actions:v0.11.0 actions:v0.10.0 actions:v0.9.5 actions:v0.9.4 actions:v0.9.3 actions:v0.9.2 actions:v0.9.1 actions:v0.9.0 actions:v0.8.0 actions:v0.7.2 actions:v0.7.1 actions:v0.7.0 actions:v0.6.0 actions:v0.5.0 actions:v0.4.3 actions:v0.4.2 actions:v0.4.1 actions:v0.4.0 actions:v0.3.0 actions:v0.2.0 actions:v0.1.0

49 Commits
gha-runner ... gha-runner

Author SHA1 Message Date
Nikola Jokic
8b7f232dc4 Prepare 0.14.0 release (#4413) 2026-03-19 18:53:37 +01:00
Nikola Jokic
19f22b85e7 Add @steve-glass to CODEOWNERS (#4414) 2026-03-19 18:24:00 +01:00
Nikola Jokic
802dc28d38 Add multi-label support to scalesets (#4408) 2026-03-19 15:29:40 +01:00
Nikola Jokic
9bc1c9e53e Shutdown the scaleset when runner is deprecated (#4404) 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
 2026-03-19 13:30:20 +01:00
Nikola Jokic
40595d806f Add chart-level API to customize internal resources (#4410) 2026-03-18 14:44:30 +01:00
Nikola Jokic
dc7c858e68 Remove actions client (#4405) 2026-03-16 14:39:55 +01:00
Nikola Jokic
2fc51aaf32 Regenerate manifests for experimental charts (#4407) 2026-03-16 10:42:07 +01:00
Nikola Jokic
276717a04b Manually bump dependencies since it needs fixes related to the controller runtime API (#4406) 2026-03-16 10:09:36 +01:00
Nikola Jokic
aa031d3902 Introduce experimental chart release (#4373) 2026-03-16 10:09:05 +01:00
Nikola Jokic
f99c6eda0b Moving to scaleset client for the controller (#4390) 2026-03-13 14:36:41 +01:00
Nikola Jokic
1d9f626c53 Allow users to apply labels and annotations to internal resources (#4400) 2026-03-12 10:32:54 +01:00
dependabot[bot]
1f3e5b9027 Bump the actions group across 1 directory with 6 updates (#4402) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-11 16:54:22 +01:00
Nikola Jokic
cd5b93d1bc Bump Go version (#4398) 2026-03-11 10:24:20 +01:00
github-actions[bot]
396ee88f5a Updates: runner to v2.332.0 container-hooks to v0.8.1 (#4388) 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
 2026-03-03 01:02:40 +01:00
gateixeira
1f615c1a33 feat: add default linux nodeSelector to listener pod (#4377) 
Co-authored-by: Nikola Jokic <jokicnikola07@gmail.com>
 2026-02-24 17:56:39 +01:00
Nikola Jokic
8b7fd9ffef Switch client to scaleset library for the listener and update mocks (#4383) 2026-02-24 14:17:31 +01:00
Nikola Jokic
c6e4c94a6a Fix tests and generate mocks (#4384) 2026-02-24 13:36:01 +01:00
dhawalseth
9de09f56eb Include the HTTP status code in jit error (#4361) 
Co-authored-by: Dhawal Seth <dseth@linkedin.com>
 2026-01-29 16:40:17 +01:00
Caius Durling
02aa70a64a Fix AcivityId typo in error strings (#4359) 2026-01-21 01:14:26 +01:00
Jiaren Wu
d3ca9de3ca Potential fix for code scanning alert no. 7: Use of a broken or weak cryptographic hashing algorithm on sensitive data (#4353) 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
 2026-01-14 21:04:02 -08:00
github-actions[bot]
a868229fe0 Updates: runner to v2.331.0 (#4351) 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
 2026-01-14 13:32:39 -05:00
Nikola Jokic
a505fb5616 Prepare 0.13.1 release (#4341) 2025-12-23 14:57:05 +01:00
Nikola Jokic
bfe78ccd5d Make restart pod more flexible to different failure scenarios (#4340) 2025-12-19 15:49:42 +01:00
dependabot[bot]
3fd1048576 Bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 in the actions group (#4335) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-12-16 14:15:21 +01:00
dependabot[bot]
180e0dabb2 Bump the gomod group across 1 directory with 10 updates (#4338) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-12-16 14:05:44 +01:00
Nikola Jokic
50038fba61 Re-schedule if the failed reason starts with OutOf (#4336) 2025-12-16 13:26:44 +01:00
Nikola Jokic
82d5579696 Restart the listener if pod is evicted (#4332) 2025-12-09 17:55:09 +01:00
Nikola Jokic
540269880f Typo in test name caused test to not execute (#4330) 2025-11-27 15:31:57 +01:00
dependabot[bot]
9ebb97fe2e Bump the actions group with 3 updates (#4328) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-25 12:00:40 +01:00
Nikola Jokic
75c401f6c1 Remove old e2e tests (#4325) 2025-11-25 00:37:32 +01:00
dependabot[bot]
a9e371e083 Bump the actions group across 1 directory with 4 updates (#4309) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nikola Jokic <jokicnikola07@gmail.com>
 2025-11-21 19:23:19 +01:00
dependabot[bot]
fdf78189ab Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4318) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nikola Jokic <jokicnikola07@gmail.com>
 2025-11-21 17:14:05 +01:00
Marcus Ramberg
cac7a40b70 Add support for giving kubernetes mode scaleset service account additional permissions (#4282) 2025-11-21 15:56:08 +01:00
dependabot[bot]
837406ae01 Bump the gomod group across 1 directory with 11 updates (#4317) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nikola Jokic <jokicnikola07@gmail.com>
 2025-11-21 14:49:28 +01:00
Nikola Jokic
95d2107a6a Code style changes on the controller (#4324) 2025-11-21 14:20:44 +01:00
github-actions[bot]
5a6bfc937a Updates: runner to v2.330.0 (#4319) 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
 2025-11-21 10:10:16 +01:00
Nikola Jokic
6d07b8d853 Add ephemeral runner finalizer during creation and check finalizer without requeue (#4320) 2025-11-20 23:06:27 +01:00
Nikola Jokic
a50d8bfebc e2e: move from deprecated openebs charts to new registry (#4321) 2025-11-20 22:25:52 +01:00
Nikola Jokic
138b39bfcb Create e2e test suite (#3136) 
Co-authored-by: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
 2025-11-19 16:25:58 +01:00
Rafik Salama
4615321588 Upgrade Docker and Docker Compose to match GH hosted runner (#4312) 2025-11-13 11:31:17 +01:00
Nikola Jokic
9f9409a4c1 Handle resource quota on status forbidden by retrying (#4305) 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-11-10 13:58:25 +01:00
Nikola Jokic
3d73636407 Use combination of namespace, GitHub URL, and runner group when hashing the listener name (#4299) 2025-11-10 13:58:16 +01:00
Nikola Jokic
722c6e9edd Bump kubebuilder tools in the workflow (#4300) 2025-11-10 12:26:08 +00:00
Nikola Jokic
dcb45f0617 Bump timeout for min runners workflow to 30s (#4306) 2025-11-10 12:01:58 +00:00
Jiaren Wu
dbac55ca9e Fix for code scanning alert no. 5: Workflow does not contain permissions (#4292) 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
 2025-10-31 10:20:30 +01:00
github-actions[bot]
91d45d870a Updates: runner to v2.329.0 container-hooks to v0.8.0 (#4279) 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
 2025-10-30 10:32:22 +01:00
Nikola Jokic
4d22089978 Delete listener resources without requeueing on each call (#4289) 2025-10-29 13:01:00 +01:00
Nikola Jokic
8007b8af25 Fix first interaction action (#4290) 2025-10-29 12:49:39 +01:00
dependabot[bot]
0baa4f6b09 Bump github/codeql-action from 3 to 4 in the actions group (#4281) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-22 11:26:36 +02:00
285 changed files with 60525 additions and 10718 deletions
Expand all files Collapse all files

215
.github/actions/execute-assert-arc-e2e/action.yaml vendored
View File

@@ -1,215 +0,0 @@
name: 'Execute and Assert ARC E2E Test Action'
description: 'Queue E2E test workflow and assert workflow run result to be succeed'
inputs:
auth-token:
description: 'GitHub access token to queue workflow run'
required: true
repo-owner:
description: "The repository owner name that has the test workflow file, ex: actions"
required: true
repo-name:
description: "The repository name that has the test workflow file, ex: test"
required: true
workflow-file:
description: 'The file name of the workflow yaml, ex: test.yml'
required: true
arc-name:
description: 'The name of the configured gha-runner-scale-set'
required: true
arc-namespace:
description: 'The namespace of the configured gha-runner-scale-set'
required: true
arc-controller-namespace:
description: 'The namespace of the configured gha-runner-scale-set-controller'
required: true
wait-to-finish:
description: 'Wait for the workflow run to finish'
required: true
default: "true"
wait-to-running:
description: 'Wait for the workflow run to start running'
required: true
default: "false"
runs:
using: "composite"
steps:
- name: Queue test workflow
shell: bash
id: queue_workflow
run: |
queue_time=`date +%FT%TZ`
echo "queue_time=$queue_time" >> $GITHUB_OUTPUT
curl -X POST https://api.github.com/repos/${{inputs.repo-owner}}/${{inputs.repo-name}}/actions/workflows/${{inputs.workflow-file}}/dispatches \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token ${{inputs.auth-token}}" \
-d '{"ref": "main", "inputs": { "arc_name": "${{inputs.arc-name}}" } }'
- name: Fetch workflow run & job ids
uses: actions/github-script@v7
id: query_workflow
with:
script: |
// Try to find the workflow run triggered by the previous step using the workflow_dispatch event.
// - Find recently create workflow runs in the test repository
// - For each workflow run, list its workflow job and see if the job's labels contain `inputs.arc-name`
// - Since the inputs.arc-name should be unique per e2e workflow run, once we find the job with the label, we find the workflow that we just triggered.
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms))
}
const owner = '${{inputs.repo-owner}}'
const repo = '${{inputs.repo-name}}'
const workflow_id = '${{inputs.workflow-file}}'
let workflow_run_id = 0
let workflow_job_id = 0
let workflow_run_html_url = ""
let count = 0
while (count++<12) {
await sleep(10 * 1000);
let listRunResponse = await github.rest.actions.listWorkflowRuns({
owner: owner,
repo: repo,
workflow_id: workflow_id,
created: '>${{steps.queue_workflow.outputs.queue_time}}'
})
if (listRunResponse.data.total_count > 0) {
console.log(`Found some new workflow runs for ${workflow_id}`)
for (let i = 0; i<listRunResponse.data.total_count; i++) {
let workflowRun = listRunResponse.data.workflow_runs[i]
console.log(`Check if workflow run ${workflowRun.id} is triggered by us.`)
let listJobResponse = await github.rest.actions.listJobsForWorkflowRun({
owner: owner,
repo: repo,
run_id: workflowRun.id
})
console.log(`Workflow run ${workflowRun.id} has ${listJobResponse.data.total_count} jobs.`)
if (listJobResponse.data.total_count > 0) {
for (let j = 0; j<listJobResponse.data.total_count; j++) {
let workflowJob = listJobResponse.data.jobs[j]
console.log(`Check if workflow job ${workflowJob.id} is triggered by us.`)
console.log(JSON.stringify(workflowJob.labels));
if (workflowJob.labels.includes('${{inputs.arc-name}}')) {
console.log(`Workflow job ${workflowJob.id} (Run id: ${workflowJob.run_id}) is triggered by us.`)
workflow_run_id = workflowJob.run_id
workflow_job_id = workflowJob.id
workflow_run_html_url = workflowRun.html_url
break
}
}
}
if (workflow_job_id > 0) {
break;
}
}
}
if (workflow_job_id > 0) {
break;
}
}
if (workflow_job_id == 0) {
core.setFailed(`Can't find workflow run and workflow job triggered to 'runs-on ${{inputs.arc-name}}'`)
} else {
core.setOutput('workflow_run', workflow_run_id);
core.setOutput('workflow_job', workflow_job_id);
core.setOutput('workflow_run_url', workflow_run_html_url);
}
- name: Generate summary about the triggered workflow run
shell: bash
run: |
cat <<-EOF > $GITHUB_STEP_SUMMARY
| **Triggered workflow run** |
|:--------------------------:|
| ${{steps.query_workflow.outputs.workflow_run_url}} |
EOF
- name: Wait for workflow to start running
if: inputs.wait-to-running == 'true' && inputs.wait-to-finish == 'false'
uses: actions/github-script@v7
with:
script: |
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms))
}
const owner = '${{inputs.repo-owner}}'
const repo = '${{inputs.repo-name}}'
const workflow_run_id = ${{steps.query_workflow.outputs.workflow_run}}
const workflow_job_id = ${{steps.query_workflow.outputs.workflow_job}}
let count = 0
while (count++<10) {
await sleep(30 * 1000);
let getRunResponse = await github.rest.actions.getWorkflowRun({
owner: owner,
repo: repo,
run_id: workflow_run_id
})
console.log(`${getRunResponse.data.html_url}: ${getRunResponse.data.status} (${getRunResponse.data.conclusion})`);
if (getRunResponse.data.status == 'in_progress') {
console.log(`Workflow run is in progress.`)
return
}
}
core.setFailed(`The triggered workflow run didn't start properly using ${{inputs.arc-name}}`)
- name: Wait for workflow to finish successfully
if: inputs.wait-to-finish == 'true'
uses: actions/github-script@v7
with:
script: |
// Wait 5 minutes and make sure the workflow run we triggered completed with result 'success'
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms))
}
const owner = '${{inputs.repo-owner}}'
const repo = '${{inputs.repo-name}}'
const workflow_run_id = ${{steps.query_workflow.outputs.workflow_run}}
const workflow_job_id = ${{steps.query_workflow.outputs.workflow_job}}
let count = 0
while (count++<10) {
await sleep(30 * 1000);
let getRunResponse = await github.rest.actions.getWorkflowRun({
owner: owner,
repo: repo,
run_id: workflow_run_id
})
console.log(`${getRunResponse.data.html_url}: ${getRunResponse.data.status} (${getRunResponse.data.conclusion})`);
if (getRunResponse.data.status == 'completed') {
if ( getRunResponse.data.conclusion == 'success') {
console.log(`Workflow run finished properly.`)
return
} else {
core.setFailed(`The triggered workflow run finish with result ${getRunResponse.data.conclusion}`)
return
}
}
}
core.setFailed(`The triggered workflow run didn't finish properly using ${{inputs.arc-name}}`)
- name: Gather listener logs
shell: bash
if: always()
run: |
LISTENER_POD="$(kubectl get autoscalinglisteners.actions.github.com -n arc-systems -o jsonpath='{.items[*].metadata.name}')"
kubectl logs $LISTENER_POD -n ${{inputs.arc-controller-namespace}}
- name: Gather coredns logs
shell: bash
if: always()
run: |
kubectl logs deployments/coredns -n kube-system
- name: cleanup
if: inputs.wait-to-finish == 'true'
shell: bash
run: |
helm uninstall ${{ inputs.arc-name }} --namespace ${{inputs.arc-namespace}} --debug
kubectl wait --timeout=30s --for=delete AutoScalingRunnerSet -n ${{inputs.arc-namespace}} -l app.kubernetes.io/instance=${{ inputs.arc-name }}
- name: Gather controller logs
shell: bash
if: always()
run: |
kubectl logs deployment/arc-gha-rs-controller -n ${{inputs.arc-controller-namespace}}

65
.github/actions/setup-arc-e2e/action.yaml vendored
View File

@@ -1,65 +0,0 @@
name: "Setup ARC E2E Test Action"
description: "Build controller image, create kind cluster, load the image, and exchange ARC configure token."
inputs:
app-id:
description: "GitHub App Id for exchange access token"
required: true
app-pk:
description: "GitHub App private key for exchange access token"
required: true
image-name:
description: "Local docker image name for building"
required: true
image-tag:
description: "Tag of ARC Docker image for building"
required: true
target-org:
description: "The test organization for ARC e2e test"
required: true
outputs:
token:
description: "Token to use for configure ARC"
value: ${{steps.config-token.outputs.token}}
runs:
using: "composite"
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
with:
# Pinning v0.9.1 for Buildx and BuildKit v0.10.6
# BuildKit v0.11 which has a bug causing intermittent
# failures pushing images to GHCR
version: v0.9.1
driver-opts: image=moby/buildkit:v0.10.6
- name: Build controller image
# https://github.com/docker/build-push-action/releases/tag/v6.18.0
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
with:
file: Dockerfile
platforms: linux/amd64
load: true
build-args: |
DOCKER_IMAGE_NAME=${{inputs.image-name}}
VERSION=${{inputs.image-tag}}
tags: |
${{inputs.image-name}}:${{inputs.image-tag}}
no-cache: true
- name: Create minikube cluster and load image
shell: bash
run: |
minikube start
minikube image load ${{inputs.image-name}}:${{inputs.image-tag}}
- name: Get configure token
id: config-token
# https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0
uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
with:
application_id: ${{ inputs.app-id }}
application_private_key: ${{ inputs.app-pk }}
organization: ${{ inputs.target-org}}

51
.github/actions/setup-docker-environment/action.yaml vendored
View File

@@ -1,51 +0,0 @@
name: "Setup Docker"
inputs:
username:
description: "Username"
required: true
password:
description: "Password"
required: true
ghcr_username:
description: "GHCR username. Usually set from the github.actor variable"
required: true
ghcr_password:
description: "GHCR password. Usually set from the secrets.GITHUB_TOKEN variable"
required: true
runs:
using: "composite"
steps:
- name: Get Short SHA
id: vars
run: |
echo "sha_short=${GITHUB_SHA::7}" >> $GITHUB_ENV
shell: bash
- name: Set up QEMU
# https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
- name: Set up Docker Buildx
# https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
with:
version: latest
- name: Login to DockerHub
if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.password != '' }}
# https://github.com/docker/login-action/releases/tag/v3.4.0
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
with:
username: ${{ inputs.username }}
password: ${{ inputs.password }}
- name: Login to GitHub Container Registry
if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.ghcr_password != '' }}
# https://github.com/docker/login-action/releases/tag/v3.4.0
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
with:
registry: ghcr.io
username: ${{ inputs.ghcr_username }}
password: ${{ inputs.ghcr_password }}

10
.github/workflows/arc-publish-chart.yaml vendored
View File

@@ -40,7 +40,7 @@ jobs:
publish-chart: ${{ steps.publish-chart-step.outputs.publish }}
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
fetch-depth: 0
@@ -63,7 +63,7 @@ jobs:
python-version: "3.11"
- name: Set up chart-testing
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
- name: Run chart-testing (list-changed)
id: list-changed
@@ -79,7 +79,7 @@ jobs:
- name: Create kind cluster
if: steps.list-changed.outputs.changed == 'true'
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
# We need cert-manager already installed in the cluster because we assume the CRDs exist
- name: Install cert-manager
@@ -134,7 +134,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
fetch-depth: 0
@@ -184,7 +184,7 @@ jobs:
# this workaround is intended to move the index.yaml to the target repo
# where the github pages are hosted
- name: Checkout target repository
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}
path: ${{ env.CHART_TARGET_REPO }}

6
.github/workflows/arc-publish.yaml vendored
View File

@@ -39,7 +39,7 @@ jobs:
if: ${{ !startsWith(github.event.inputs.release_tag_name, 'gha-runner-scale-set-') }}
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
@@ -47,9 +47,7 @@ jobs:
- name: Install tools
run: |
curl -L -O https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.2.0/kubebuilder_2.2.0_linux_amd64.tar.gz
tar zxvf kubebuilder_2.2.0_linux_amd64.tar.gz
sudo mv kubebuilder_2.2.0_linux_amd64 /usr/local/kubebuilder
curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
sudo mv kustomize /usr/local/bin
curl -L -O https://github.com/tcnksm/ghr/releases/download/v0.13.0/ghr_v0.13.0_linux_amd64.tar.gz

6
.github/workflows/arc-release-runners.yaml vendored
View File

@@ -1,4 +1,6 @@
name: Release ARC Runner Images
permissions:
contents: read
# Revert to https://github.com/actions-runner-controller/releases#releases
# for details on why we use this approach
@@ -17,7 +19,7 @@ env:
PUSH_TO_REGISTRIES: true
TARGET_ORG: actions-runner-controller
TARGET_WORKFLOW: release-runners.yaml
DOCKER_VERSION: 24.0.7
DOCKER_VERSION: 28.0.4
concurrency:
group: ${{ github.workflow }}
@@ -28,7 +30,7 @@ jobs:
name: Trigger Build and Push of Runner Images
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- name: Get runner version
id: versions
run: |

6
.github/workflows/arc-update-runners-scheduled.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
container_hooks_current_version: ${{ steps.container_hooks_versions.outputs.container_hooks_current_version }}
container_hooks_latest_version: ${{ steps.container_hooks_versions.outputs.container_hooks_latest_version }}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- name: Get runner current and latest versions
id: runner_versions
@@ -69,7 +69,7 @@ jobs:
echo "CONTAINER_HOOKS_CURRENT_VERSION=${{ needs.check_versions.outputs.container_hooks_current_version }}"
echo "CONTAINER_HOOKS_LATEST_VERSION=${{ needs.check_versions.outputs.container_hooks_latest_version }}"
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- name: PR Name
id: pr_name
@@ -124,7 +124,7 @@ jobs:
PR_NAME: ${{ needs.check_pr.outputs.pr_name }}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- name: New branch
run: git checkout -b update-runner-"$(date +%Y-%m-%d)"

6
.github/workflows/arc-validate-chart.yaml vendored
View File

@@ -40,7 +40,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
fetch-depth: 0
@@ -55,7 +55,7 @@ jobs:
python-version: "3.11"
- name: Set up chart-testing
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
- name: Run chart-testing (list-changed)
id: list-changed
@@ -70,7 +70,7 @@ jobs:
ct lint --config charts/.ci/ct-config.yaml
- name: Create kind cluster
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
if: steps.list-changed.outputs.changed == 'true'
# We need cert-manager already installed in the cluster because we assume the CRDs exist

4
.github/workflows/arc-validate-runners.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
name: runner / shellcheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- name: "Run shellcheck"
run: make shellcheck
@@ -33,7 +33,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
- name: Run tests
run: |

1146
.github/workflows/gha-e2e-tests.yaml vendored
View File

File diff suppressed because it is too large Load Diff

121
.github/workflows/gha-publish-chart.yaml vendored
View File

@@ -23,11 +23,21 @@ on:
required: true
type: boolean
default: false
publish_gha_runner_scale_set_controller_experimental_chart:
description: "Publish new helm chart for gha-runner-scale-set-controller-experimental"
required: true
type: boolean
default: false
publish_gha_runner_scale_set_chart:
description: "Publish new helm chart for gha-runner-scale-set"
required: true
type: boolean
default: false
publish_gha_runner_scale_set_experimental_chart:
description: "Publish new helm chart for gha-runner-scale-set-experimental"
required: true
type: boolean
default: false
env:
HELM_VERSION: v3.8.0
@@ -45,7 +55,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
# If inputs.ref is empty, it'll resolve to the default branch
ref: ${{ inputs.ref }}
@@ -72,10 +82,10 @@ jobs:
echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
with:
# Pinning v0.9.1 for Buildx and BuildKit v0.10.6
# BuildKit v0.11 which has a bug causing intermittent
@@ -84,14 +94,14 @@ jobs:
driver-opts: image=moby/buildkit:v0.10.6
- name: Login to GitHub Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build & push controller image
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
with:
file: Dockerfile
platforms: linux/amd64,linux/arm64
@@ -119,7 +129,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
# If inputs.ref is empty, it'll resolve to the default branch
ref: ${{ inputs.ref }}
@@ -159,6 +169,54 @@ jobs:
echo "- Short SHA: ${{ steps.resolve_parameters.outputs.short_sha }}" >> $GITHUB_STEP_SUMMARY
echo "- gha-runner-scale-set-controller Chart version: ${{ env.GHA_RUNNER_SCALE_SET_CONTROLLER_CHART_VERSION_TAG }}" >> $GITHUB_STEP_SUMMARY
publish-helm-chart-gha-runner-scale-set-controller-experimental:
if: ${{ inputs.publish_gha_runner_scale_set_controller_experimental_chart == true }}
needs: build-push-image
name: Publish Helm chart for gha-runner-scale-set-controller-experimental
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
# If inputs.ref is empty, it'll resolve to the default branch
ref: ${{ inputs.ref }}
- name: Resolve parameters
id: resolve_parameters
run: |
resolvedRef="${{ inputs.ref }}"
if [ -z "$resolvedRef" ]
then
resolvedRef="${{ github.ref }}"
fi
echo "resolved_ref=$resolvedRef" >> $GITHUB_OUTPUT
echo "INFO: Resolving short SHA for $resolvedRef"
echo "short_sha=$(git rev-parse --short $resolvedRef)" >> $GITHUB_OUTPUT
echo "INFO: Normalizing repository name (lowercase)"
echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
- name: Set up Helm
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
with:
version: ${{ env.HELM_VERSION }}
- name: Publish new helm chart for gha-runner-scale-set-controller-experimental
run: |
echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
GHA_RUNNER_SCALE_SET_CONTROLLER_CHART_VERSION_TAG=$(cat charts/gha-runner-scale-set-controller-experimental/Chart.yaml | grep version: | cut -d " " -d '"' -f 2)
echo "GHA_RUNNER_SCALE_SET_CONTROLLER_CHART_VERSION_TAG=${GHA_RUNNER_SCALE_SET_CONTROLLER_CHART_VERSION_TAG}" >> $GITHUB_ENV
helm package charts/gha-runner-scale-set-controller-experimental/ --version="${GHA_RUNNER_SCALE_SET_CONTROLLER_CHART_VERSION_TAG}"
helm push gha-runner-scale-set-controller-experimental-"${GHA_RUNNER_SCALE_SET_CONTROLLER_CHART_VERSION_TAG}".tgz oci://ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/actions-runner-controller-charts
- name: Job summary
run: |
echo "New helm chart for gha-runner-scale-set-controller-experimental published successfully!" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
echo "- Ref: ${{ steps.resolve_parameters.outputs.resolved_ref }}" >> $GITHUB_STEP_SUMMARY
echo "- Short SHA: ${{ steps.resolve_parameters.outputs.short_sha }}" >> $GITHUB_STEP_SUMMARY
echo "- gha-runner-scale-set-controller-experimental Chart version: ${{ env.GHA_RUNNER_SCALE_SET_CONTROLLER_CHART_VERSION_TAG }}" >> $GITHUB_STEP_SUMMARY
publish-helm-chart-gha-runner-scale-set:
if: ${{ inputs.publish_gha_runner_scale_set_chart == true }}
needs: build-push-image
@@ -166,7 +224,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
# If inputs.ref is empty, it'll resolve to the default branch
ref: ${{ inputs.ref }}
@@ -206,3 +264,52 @@ jobs:
echo "- Ref: ${{ steps.resolve_parameters.outputs.resolvedRef }}" >> $GITHUB_STEP_SUMMARY
echo "- Short SHA: ${{ steps.resolve_parameters.outputs.short_sha }}" >> $GITHUB_STEP_SUMMARY
echo "- gha-runner-scale-set Chart version: ${{ env.GHA_RUNNER_SCALE_SET_CHART_VERSION_TAG }}" >> $GITHUB_STEP_SUMMARY
publish-helm-chart-gha-runner-scale-set-experimental:
if: ${{ inputs.publish_gha_runner_scale_set_experimental_chart == true }}
needs: build-push-image
name: Publish Helm chart for gha-runner-scale-set-experimental
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
# If inputs.ref is empty, it'll resolve to the default branch
ref: ${{ inputs.ref }}
- name: Resolve parameters
id: resolve_parameters
run: |
resolvedRef="${{ inputs.ref }}"
if [ -z "$resolvedRef" ]
then
resolvedRef="${{ github.ref }}"
fi
echo "resolved_ref=$resolvedRef" >> $GITHUB_OUTPUT
echo "INFO: Resolving short SHA for $resolvedRef"
echo "short_sha=$(git rev-parse --short $resolvedRef)" >> $GITHUB_OUTPUT
echo "INFO: Normalizing repository name (lowercase)"
echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
- name: Set up Helm
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4
with:
version: ${{ env.HELM_VERSION }}
- name: Publish new helm chart for gha-runner-scale-set-experimental
run: |
echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
GHA_RUNNER_SCALE_SET_CHART_VERSION_TAG=$(cat charts/gha-runner-scale-set-experimental/Chart.yaml | grep version: | cut -d " " -d '"' -f 2)
echo "GHA_RUNNER_SCALE_SET_CHART_VERSION_TAG=${GHA_RUNNER_SCALE_SET_CHART_VERSION_TAG}" >> $GITHUB_ENV
helm package charts/gha-runner-scale-set-experimental/ --version="${GHA_RUNNER_SCALE_SET_CHART_VERSION_TAG}"
helm push gha-runner-scale-set-experimental-"${GHA_RUNNER_SCALE_SET_CHART_VERSION_TAG}".tgz oci://ghcr.io/${{ steps.resolve_parameters.outputs.repository_owner }}/actions-runner-controller-charts
- name: Job summary
run: |
echo "New helm chart for gha-runner-scale-set-experimental published successfully!" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Parameters:**" >> $GITHUB_STEP_SUMMARY
echo "- Ref: ${{ steps.resolve_parameters.outputs.resolved_ref }}" >> $GITHUB_STEP_SUMMARY
echo "- Short SHA: ${{ steps.resolve_parameters.outputs.short_sha }}" >> $GITHUB_STEP_SUMMARY
echo "- gha-runner-scale-set-experimental Chart version: ${{ env.GHA_RUNNER_SCALE_SET_CHART_VERSION_TAG }}" >> $GITHUB_STEP_SUMMARY

38
.github/workflows/gha-validate-chart.yaml vendored
View File

@@ -18,7 +18,7 @@ on:
workflow_dispatch:
env:
KUBE_SCORE_VERSION: 1.16.1
HELM_VERSION: v3.17.0
HELM_VERSION: v3.19.4
permissions:
contents: read
@@ -36,7 +36,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
with:
fetch-depth: 0
@@ -51,7 +51,7 @@ jobs:
python-version: "3.11"
- name: Set up chart-testing
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f
- name: Run chart-testing (list-changed)
id: list-changed
@@ -61,19 +61,39 @@ jobs:
if [[ -n "$changed" ]]; then
echo "changed=true" >> $GITHUB_OUTPUT
fi
echo "changed_charts<<EOF" >> $GITHUB_OUTPUT
echo "$changed" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Install helm-unittest
if: |
contains(steps.list-changed.outputs.changed_charts, 'charts/gha-runner-scale-set-controller-experimental') ||
contains(steps.list-changed.outputs.changed_charts, 'charts/gha-runner-scale-set-experimental')
run: |
helm plugin install https://github.com/helm-unittest/helm-unittest.git
- name: Run helm-unittest (gha-runner-scale-set-controller-experimental)
if: contains(steps.list-changed.outputs.changed_charts, 'charts/gha-runner-scale-set-controller-experimental')
run: |
helm unittest ./charts/gha-runner-scale-set-controller-experimental/
- name: Run helm-unittest (gha-runner-scale-set-experimental)
if: contains(steps.list-changed.outputs.changed_charts, 'charts/gha-runner-scale-set-experimental')
run: |
helm unittest ./charts/gha-runner-scale-set-experimental/
- name: Run chart-testing (lint)
run: |
ct lint --config charts/.ci/ct-config-gha.yaml
- name: Set up docker buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
if: steps.list-changed.outputs.changed == 'true'
with:
version: latest
- name: Build controller image
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
if: steps.list-changed.outputs.changed == 'true'
with:
file: Dockerfile
@@ -88,7 +108,7 @@ jobs:
cache-to: type=gha,mode=max
- name: Create kind cluster
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
if: steps.list-changed.outputs.changed == 'true'
with:
cluster_name: chart-testing
@@ -111,7 +131,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
@@ -120,3 +140,7 @@ jobs:
run: go test ./charts/gha-runner-scale-set/...
- name: Test gha-runner-scale-set-controller
run: go test ./charts/gha-runner-scale-set-controller/...
- name: Test gha-runner-scale-set-experimental
run: go test ./charts/gha-runner-scale-set-experimental/...
- name: Test gha-runner-scale-set-controller-experimental
run: go test ./charts/gha-runner-scale-set-controller-experimental/...

12
.github/workflows/global-publish-canary.yaml vendored
View File

@@ -55,7 +55,7 @@ jobs:
TARGET_REPO: actions-runner-controller
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
- name: Get Token
id: get_workflow_token
@@ -90,10 +90,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v6
- name: Login to GitHub Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -110,16 +110,16 @@ jobs:
echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
with:
version: latest
# Unstable builds - run at your own risk
- name: Build and Push
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
with:
context: .
file: ./Dockerfile

8
.github/workflows/global-run-codeql.yaml vendored
View File

@@ -25,7 +25,7 @@ jobs:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v5
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
@@ -33,12 +33,12 @@ jobs:
go-version-file: go.mod
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@v4
with:
languages: go, actions
- name: Autobuild
uses: github/codeql-action/autobuild@v3
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@v4

12
.github/workflows/global-run-first-interaction.yaml vendored
View File

@@ -16,19 +16,19 @@ jobs:
check_for_first_interaction:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/first-interaction@main
- uses: actions/checkout@v6
- uses: actions/first-interaction@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: |
repo_token: ${{ secrets.GITHUB_TOKEN }}
issue_message: |
Hello! Thank you for filing an issue.
The maintainers will triage your issue shortly.
In the meantime, please take a look at the [troubleshooting guide](https://github.com/actions/actions-runner-controller/blob/master/TROUBLESHOOTING.md) for bug reports.
If this is a feature request, please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md).
pr-message: |
pr_message: |
Hello! Thank you for your contribution.
Please review our [contribution guidelines](https://github.com/actions/actions-runner-controller/blob/master/CONTRIBUTING.md) to understand the project's testing and code conventions.

35
.github/workflows/go.yaml vendored
View File

@@ -29,7 +29,7 @@ jobs:
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
@@ -42,21 +42,21 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
cache: false
- name: golangci-lint
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20
with:
only-new-issues: true
version: v2.5.0
version: v2.11.2
generate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
@@ -66,23 +66,34 @@ jobs:
- name: Check diff
run: git diff --exit-code
mocks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
cache: false
- name: "Run mockery"
run: go tool github.com/vektra/mockery/v3
- name: Check diff
run: git diff --exit-code
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
- run: make manifests
- name: Check diff
run: git diff --exit-code
- name: Install kubebuilder
- name: Setup envtest
run: |
curl -D headers.txt -fsL "https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.26.1-linux-amd64.tar.gz" -o kubebuilder-tools
echo "$(grep -i etag headers.txt -m 1 | cut -d'"' -f2) kubebuilder-tools" > sum
md5sum -c sum
tar -zvxf kubebuilder-tools
sudo mv kubebuilder /usr/local/
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(go list -m -f '{{ .Version }}' sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $2, $3}')
ENVTEST_K8S_VERSION=$(go list -m -f '{{ .Version }}' k8s.io/api | awk -F'[v.]' '{printf "1.%d", $3}')
echo "KUBEBUILDER_ASSETS=$(setup-envtest use ${ENVTEST_K8S_VERSION} -p path)" >> $GITHUB_ENV
- name: Run go tests
run: |
go test -short `go list ./... | grep -v ./test_e2e_arc`

2
.gitignore vendored
View File

@@ -34,5 +34,5 @@ bin
# OS
.DS_STORE
/test-assets
/.tools

4
.golangci.yaml
View File

@@ -12,3 +12,7 @@ linters:
exclusions:
presets:
- std-error-handling
rules:
- linters:
- staticcheck
text: "QF1008:"

17
.mockery.yaml Normal file
View File

@@ -0,0 +1,17 @@
all: false
dir: "{{.InterfaceDir}}"
filename: mocks_test.go
force-file-write: true
formatter: goimports
log-level: info
structname: "{{.Mock}}{{.InterfaceName}}"
pkgname: "{{.SrcPackageName}}"
recursive: false
template: testify
packages:
github.com/actions/actions-runner-controller/cmd/ghalistener/metrics:
config:
all: true
github.com/actions/actions-runner-controller/controllers/actions.github.com:
config:
all: true

2
CODEOWNERS
View File

@@ -1,2 +1,2 @@
# actions-runner-controller maintainers
* @mumoshu @toast-gear @actions/actions-launch @actions/actions-compute @nikola-jokic @rentziass
* @mumoshu @toast-gear @actions/actions-launch @actions/actions-compute @nikola-jokic @rentziass @steve-glass

11
CONTRIBUTING.md
View File

@@ -102,22 +102,19 @@ A set of example pipelines (./acceptance/pipelines) are provided in this reposit
When raising a PR please run the relevant suites to prove your change hasn't broken anything.
#### Running Ginkgo Tests
You can run the integration test suite that is written in Ginkgo with:
```shell
make test-with-deps
```
This will firstly install a few binaries required to setup the integration test environment and then runs `go test` to start the Ginkgo test.
This will install `setup-envtest`, download the required envtest binaries (etcd, kube-apiserver, kubectl), and then run `go test`.
If you don't want to use `make`, like when you're running tests from your IDE, install required binaries to `/usr/local/kubebuilder/bin`.
That's the directory in which controller-runtime's `envtest` framework locates the binaries.
If you don't want to use `make`, install the envtest binaries using `setup-envtest`:
```shell
sudo mkdir -p /usr/local/kubebuilder/bin
make kube-apiserver etcd
sudo mv test-assets/{etcd,kube-apiserver} /usr/local/kubebuilder/bin/
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
export KUBEBUILDER_ASSETS=$(setup-envtest use -p path)
go test -v -run TestAPIs github.com/actions/actions-runner-controller/controllers/actions.summerwind.net
```

16
Dockerfile
View File

@@ -1,5 +1,5 @@
# Build the manager binary
FROM --platform=$BUILDPLATFORM golang:1.25.1 AS builder
FROM --platform=$BUILDPLATFORM golang:1.26.1 AS builder
WORKDIR /workspace
@@ -34,13 +34,13 @@ ENV GOCACHE="/build/${TARGETPLATFORM}/root/.cache/go-build"
# Build
RUN --mount=target=. \
--mount=type=cache,mode=0777,target=${GOCACHE} \
export GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT#v} && \
go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/manager main.go && \
go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/ghalistener ./cmd/ghalistener && \
go build -trimpath -ldflags="-s -w" -o /out/github-webhook-server ./cmd/githubwebhookserver && \
go build -trimpath -ldflags="-s -w" -o /out/actions-metrics-server ./cmd/actionsmetricsserver && \
go build -trimpath -ldflags="-s -w" -o /out/sleep ./cmd/sleep
--mount=type=cache,mode=0777,target=${GOCACHE} \
export GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=${TARGETVARIANT#v} && \
go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/manager main.go && \
go build -trimpath -ldflags="-s -w -X 'github.com/actions/actions-runner-controller/build.Version=${VERSION}' -X 'github.com/actions/actions-runner-controller/build.CommitSHA=${COMMIT_SHA}'" -o /out/ghalistener ./cmd/ghalistener && \
go build -trimpath -ldflags="-s -w" -o /out/github-webhook-server ./cmd/githubwebhookserver && \
go build -trimpath -ldflags="-s -w" -o /out/actions-metrics-server ./cmd/actionsmetricsserver && \
go build -trimpath -ldflags="-s -w" -o /out/sleep ./cmd/sleep
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details

128
Makefile
View File

@@ -6,7 +6,7 @@ endif
DOCKER_USER ?= $(shell echo ${DOCKER_IMAGE_NAME} | cut -d / -f1)
VERSION ?= dev
COMMIT_SHA = $(shell git rev-parse HEAD)
RUNNER_VERSION ?= 2.328.0
RUNNER_VERSION ?= 2.332.0
TARGETPLATFORM ?= $(shell arch)
RUNNER_NAME ?= ${DOCKER_USER}/actions-runner
RUNNER_TAG ?= ${VERSION}
@@ -32,21 +32,15 @@ else
GOBIN=$(shell go env GOBIN)
endif
TEST_ASSETS=$(PWD)/test-assets
TOOLS_PATH=$(PWD)/.tools
OS_NAME := $(shell uname -s | tr A-Z a-z)
# The etcd packages that coreos maintain use different extensions for each *nix OS on their github release page.
# ETCD_EXTENSION: the storage format file extension listed on the release page.
# EXTRACT_COMMAND: the appropriate CLI command for extracting this file format.
ifeq ($(OS_NAME), darwin)
ETCD_EXTENSION:=zip
EXTRACT_COMMAND:=unzip
else
ETCD_EXTENSION:=tar.gz
EXTRACT_COMMAND:=tar -xzf
endif
# ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script
ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
# ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries
ENVTEST_K8S_VERSION ?= $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}')
ENVTEST ?= $(GOBIN)/setup-envtest
# default list of platforms for which multiarch image is built
ifeq (${PLATFORMS}, )
@@ -68,22 +62,23 @@ endif
all: manager
lint:
docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v2.5.0 golangci-lint run
docker run --rm -v $(PWD):/app -w /app golangci/golangci-lint:v2.11.2 golangci-lint run
GO_TEST_ARGS ?= -short
# Run tests
test: generate fmt vet manifests shellcheck
go test $(GO_TEST_ARGS) `go list ./... | grep -v ./test_e2e_arc` -coverprofile cover.out
go test -fuzz=Fuzz -fuzztime=10s -run=Fuzz* ./controllers/actions.summerwind.net
test-with-deps: kube-apiserver etcd kubectl
# See https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/envtest#pkg-constants
TEST_ASSET_KUBE_APISERVER=$(KUBE_APISERVER_BIN) \
TEST_ASSET_ETCD=$(ETCD_BIN) \
TEST_ASSET_KUBECTL=$(KUBECTL_BIN) \
# Run tests
test: generate fmt vet manifests shellcheck setup-envtest
KUBEBUILDER_ASSETS="$$($(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path)" \
go test $(GO_TEST_ARGS) `go list ./... | grep -v ./test_e2e_arc` -coverprofile cover.out
KUBEBUILDER_ASSETS="$$($(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path)" \
go test -fuzz=Fuzz -fuzztime=10s -run=Fuzz* ./controllers/actions.summerwind.net
test-with-deps: setup-envtest
KUBEBUILDER_ASSETS="$$($(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path)" \
make test
# Build manager binary
manager: generate fmt vet
go build -o bin/manager main.go
@@ -182,6 +177,10 @@ chart-crds:
cp config/crd/bases/actions.github.com_autoscalinglisteners.yaml charts/gha-runner-scale-set-controller/crds/
cp config/crd/bases/actions.github.com_ephemeralrunnersets.yaml charts/gha-runner-scale-set-controller/crds/
cp config/crd/bases/actions.github.com_ephemeralrunners.yaml charts/gha-runner-scale-set-controller/crds/
cp config/crd/bases/actions.github.com_autoscalingrunnersets.yaml charts/gha-runner-scale-set-controller-experimental/crds/
cp config/crd/bases/actions.github.com_autoscalinglisteners.yaml charts/gha-runner-scale-set-controller-experimental/crds/
cp config/crd/bases/actions.github.com_ephemeralrunnersets.yaml charts/gha-runner-scale-set-controller-experimental/crds/
cp config/crd/bases/actions.github.com_ephemeralrunners.yaml charts/gha-runner-scale-set-controller-experimental/crds/
rm charts/actions-runner-controller/crds/actions.github.com_autoscalingrunnersets.yaml
rm charts/actions-runner-controller/crds/actions.github.com_autoscalinglisteners.yaml
rm charts/actions-runner-controller/crds/actions.github.com_ephemeralrunnersets.yaml
@@ -210,8 +209,6 @@ docker-buildx:
docker buildx create --platform ${PLATFORMS} --name container-builder --use;\
fi
docker buildx build --platform ${PLATFORMS} \
--build-arg RUNNER_VERSION=${RUNNER_VERSION} \
--build-arg DOCKER_VERSION=${DOCKER_VERSION} \
--build-arg VERSION=${VERSION} \
--build-arg COMMIT_SHA=${COMMIT_SHA} \
-t "${DOCKER_IMAGE_NAME}:${VERSION}" \
@@ -297,6 +294,10 @@ acceptance/runner/startup:
e2e:
go test -count=1 -v -timeout 600s -run '^TestE2E$$' ./test/e2e
.PHONY: gha-e2e
gha-e2e:
bash hack/e2e-test.sh
# Upload release file to GitHub.
github-release: release
ghr ${VERSION} release/
@@ -307,7 +308,7 @@ github-release: release
# Otherwise we get errors like the below:
# Error: failed to install CRD crds/actions.summerwind.dev_runnersets.yaml: CustomResourceDefinition.apiextensions.k8s.io "runnersets.actions.summerwind.dev" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[template].properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property]
#
# Note that controller-gen newer than 0.7.0 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
# Note that controller-gen newer than 0.8.1 is needed due to https://github.com/kubernetes-sigs/controller-tools/issues/448
# Otherwise ObjectMeta embedded in Spec results in empty on the storage.
controller-gen:
ifeq (, $(shell which controller-gen))
@@ -317,7 +318,7 @@ ifeq (, $(wildcard $(GOBIN)/controller-gen))
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.19.0 ;\
go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.20.1 ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
endif
@@ -362,68 +363,29 @@ ifeq (, $(wildcard $(TOOLS_PATH)/shellcheck))
endif
SHELLCHECK=$(TOOLS_PATH)/shellcheck
# find or download etcd
etcd:
ifeq (, $(shell which etcd))
ifeq (, $(wildcard $(TEST_ASSETS)/etcd))
# find or download envtest
envtest:
ifeq (, $(shell which setup-envtest))
ifeq (, $(wildcard $(GOBIN)/setup-envtest))
@{ \
set -xe ;\
INSTALL_TMP_DIR=$$(mktemp -d) ;\
cd $$INSTALL_TMP_DIR ;\
wget https://github.com/coreos/etcd/releases/download/v3.4.22/etcd-v3.4.22-$(OS_NAME)-amd64.$(ETCD_EXTENSION);\
mkdir -p $(TEST_ASSETS) ;\
$(EXTRACT_COMMAND) etcd-v3.4.22-$(OS_NAME)-amd64.$(ETCD_EXTENSION) ;\
mv etcd-v3.4.22-$(OS_NAME)-amd64/etcd $(TEST_ASSETS)/etcd ;\
rm -rf $$INSTALL_TMP_DIR ;\
set -e ;\
ENVTEST_TMP_DIR=$$(mktemp -d) ;\
cd $$ENVTEST_TMP_DIR ;\
go mod init tmp ;\
go install sigs.k8s.io/controller-runtime/tools/setup-envtest@$(ENVTEST_VERSION) ;\
rm -rf $$ENVTEST_TMP_DIR ;\
}
ETCD_BIN=$(TEST_ASSETS)/etcd
else
ETCD_BIN=$(TEST_ASSETS)/etcd
endif
ENVTEST=$(GOBIN)/setup-envtest
else
ETCD_BIN=$(shell which etcd)
ENVTEST=$(shell which setup-envtest)
endif
# find or download kube-apiserver
kube-apiserver:
ifeq (, $(shell which kube-apiserver))
ifeq (, $(wildcard $(TEST_ASSETS)/kube-apiserver))
@{ \
set -xe ;\
INSTALL_TMP_DIR=$$(mktemp -d) ;\
cd $$INSTALL_TMP_DIR ;\
wget https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
mkdir -p $(TEST_ASSETS) ;\
tar zxvf kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
mv kubebuilder_2.3.2_$(OS_NAME)_amd64/bin/kube-apiserver $(TEST_ASSETS)/kube-apiserver ;\
rm -rf $$INSTALL_TMP_DIR ;\
.PHONY: setup-envtest
setup-envtest: envtest
@echo "Setting up envtest binaries for Kubernetes version $(ENVTEST_K8S_VERSION)..."
@$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(GOBIN) -p path || { \
echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \
exit 1; \
}
KUBE_APISERVER_BIN=$(TEST_ASSETS)/kube-apiserver
else
KUBE_APISERVER_BIN=$(TEST_ASSETS)/kube-apiserver
endif
else
KUBE_APISERVER_BIN=$(shell which kube-apiserver)
endif
# find or download kubectl
kubectl:
ifeq (, $(shell which kubectl))
ifeq (, $(wildcard $(TEST_ASSETS)/kubectl))
@{ \
set -xe ;\
INSTALL_TMP_DIR=$$(mktemp -d) ;\
cd $$INSTALL_TMP_DIR ;\
wget https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
mkdir -p $(TEST_ASSETS) ;\
tar zxvf kubebuilder_2.3.2_$(OS_NAME)_amd64.tar.gz ;\
mv kubebuilder_2.3.2_$(OS_NAME)_amd64/bin/kubectl $(TEST_ASSETS)/kubectl ;\
rm -rf $$INSTALL_TMP_DIR ;\
}
KUBECTL_BIN=$(TEST_ASSETS)/kubectl
else
KUBECTL_BIN=$(TEST_ASSETS)/kubectl
endif
else
KUBECTL_BIN=$(shell which kubectl)
endif

12
apis/actions.github.com/v1alpha1/autoscalinglistener_types.go
View File

@@ -69,6 +69,18 @@ type AutoscalingListenerSpec struct {
// +optional
Template *corev1.PodTemplateSpec `json:"template,omitempty"`
// +optional
ConfigSecretMetadata *ResourceMeta `json:"configSecretMetadata,omitempty"`
// +optional
ServiceAccountMetadata *ResourceMeta `json:"serviceAccountMetadata,omitempty"`
// +optional
RoleMetadata *ResourceMeta `json:"roleMetadata,omitempty"`
// +optional
RoleBindingMetadata *ResourceMeta `json:"roleBindingMetadata,omitempty"`
}
// AutoscalingListenerStatus defines the observed state of AutoscalingListener

53
apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go
View File

@@ -66,6 +66,9 @@ type AutoscalingRunnerSetSpec struct {
// +optional
RunnerScaleSetName string `json:"runnerScaleSetName,omitempty"`
// +optional
RunnerScaleSetLabels []string `json:"runnerScaleSetLabels,omitempty"`
// +optional
Proxy *ProxyConfig `json:"proxy,omitempty"`
@@ -78,12 +81,36 @@ type AutoscalingRunnerSetSpec struct {
// Required
Template corev1.PodTemplateSpec `json:"template,omitempty"`
// +optional
AutoscalingListenerMetadata *ResourceMeta `json:"autoscalingListener,omitempty"`
// +optional
ListenerMetrics *MetricsConfig `json:"listenerMetrics,omitempty"`
// +optional
ListenerTemplate *corev1.PodTemplateSpec `json:"listenerTemplate,omitempty"`
// +optional
ListenerServiceAccountMetadata *ResourceMeta `json:"listenerServiceAccountMetadata,omitempty"`
// +optional
ListenerRoleMetadata *ResourceMeta `json:"listenerRoleMetadata,omitempty"`
// +optional
ListenerRoleBindingMetadata *ResourceMeta `json:"listenerRoleBindingMetadata,omitempty"`
// +optional
ListenerConfigSecretMetadata *ResourceMeta `json:"listenerConfigSecretMetadata,omitempty"`
// +optional
EphemeralRunnerSetMetadata *ResourceMeta `json:"ephemeralRunnerSetMetadata,omitempty"`
// +optional
EphemeralRunnerMetadata *ResourceMeta `json:"ephemeralRunnerMetadata,omitempty"`
// +optional
EphemeralRunnerConfigSecretMetadata *ResourceMeta `json:"ephemeralRunnerConfigSecretMetadata,omitempty"`
// +optional
// +kubebuilder:validation:Minimum:=0
MaxRunners *int `json:"maxRunners,omitempty"`
@@ -291,7 +318,7 @@ type AutoscalingRunnerSetStatus struct {
CurrentRunners int `json:"currentRunners"`
// +optional
State string `json:"state"`
Phase AutoscalingRunnerSetPhase `json:"phase"`
// EphemeralRunner counts separated by the stage ephemeral runners are in, taken from the EphemeralRunnerSet
@@ -303,6 +330,30 @@ type AutoscalingRunnerSetStatus struct {
FailedEphemeralRunners int `json:"failedEphemeralRunners"`
}
type AutoscalingRunnerSetPhase string
const (
// AutoscalingRunnerSetPhasePending phase means that the listener is not
// yet started
AutoscalingRunnerSetPhasePending AutoscalingRunnerSetPhase = "Pending"
AutoscalingRunnerSetPhaseRunning AutoscalingRunnerSetPhase = "Running"
AutoscalingRunnerSetPhaseOutdated AutoscalingRunnerSetPhase = "Outdated"
)
func (ars *AutoscalingRunnerSet) Hash() string {
type data struct {
Spec *AutoscalingRunnerSetSpec
Labels map[string]string
}
d := &data{
Spec: ars.Spec.DeepCopy(),
Labels: ars.Labels,
}
return hash.ComputeTemplateHash(d)
}
func (ars *AutoscalingRunnerSet) ListenerSpecHash() string {
arsSpec := ars.Spec.DeepCopy()
spec := arsSpec

9
apis/actions.github.com/v1alpha1/common.go Normal file
View File

@@ -0,0 +1,9 @@
package v1alpha1
// ResourceMeta carries metadata common to all internal resources
type ResourceMeta struct {
// +optional
Labels map[string]string `json:"labels,omitempty"`
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
}

36
apis/actions.github.com/v1alpha1/ephemeralrunner_types.go
View File

@@ -48,7 +48,7 @@ type EphemeralRunner struct {
}
func (er *EphemeralRunner) IsDone() bool {
return er.Status.Phase == corev1.PodSucceeded || er.Status.Phase == corev1.PodFailed
return er.Status.Phase == EphemeralRunnerPhaseSucceeded || er.Status.Phase == EphemeralRunnerPhaseFailed || er.Status.Phase == EphemeralRunnerPhaseOutdated
}
func (er *EphemeralRunner) HasJob() bool {
@@ -111,7 +111,7 @@ type EphemeralRunnerSpec struct {
GitHubServerTLS *TLSConfig `json:"githubServerTLS,omitempty"`
// +required
RunnerScaleSetId int `json:"runnerScaleSetId,omitempty"`
RunnerScaleSetID int `json:"runnerScaleSetId,omitempty"`
// +optional
Proxy *ProxyConfig `json:"proxy,omitempty"`
@@ -122,6 +122,9 @@ type EphemeralRunnerSpec struct {
// +optional
VaultConfig *VaultConfig `json:"vaultConfig,omitempty"`
// +optional
EphemeralRunnerConfigSecretMetadata *ResourceMeta `json:"ephemeralRunnerConfigSecretMetadata,omitempty"`
corev1.PodTemplateSpec `json:",inline"`
}
@@ -140,14 +143,14 @@ type EphemeralRunnerStatus struct {
// The PodSucceded phase should be set only when confirmed that EphemeralRunner
// actually executed the job and has been removed from the service.
// +optional
Phase corev1.PodPhase `json:"phase,omitempty"`
Phase EphemeralRunnerPhase `json:"phase,omitempty"`
// +optional
Reason string `json:"reason,omitempty"`
// +optional
Message string `json:"message,omitempty"`
// +optional
RunnerId int `json:"runnerId,omitempty"`
RunnerID int `json:"runnerId,omitempty"`
// +optional
RunnerName string `json:"runnerName,omitempty"`
@@ -155,7 +158,7 @@ type EphemeralRunnerStatus struct {
Failures map[string]metav1.Time `json:"failures,omitempty"`
// +optional
JobRequestId int64 `json:"jobRequestId,omitempty"`
JobRequestID int64 `json:"jobRequestId,omitempty"`
// +optional
JobID string `json:"jobId,omitempty"`
@@ -167,12 +170,33 @@ type EphemeralRunnerStatus struct {
JobWorkflowRef string `json:"jobWorkflowRef,omitempty"`
// +optional
WorkflowRunId int64 `json:"workflowRunId,omitempty"`
WorkflowRunID int64 `json:"workflowRunId,omitempty"`
// +optional
JobDisplayName string `json:"jobDisplayName,omitempty"`
}
// EphemeralRunnerPhase is the phase of the ephemeral runner.
// It must be a superset of the pod phase.
type EphemeralRunnerPhase string
const (
// EphemeralRunnerPhasePending is a phase set when the ephemeral runner is
// being provisioned and is not yet online.
EphemeralRunnerPhasePending EphemeralRunnerPhase = "Pending"
// EphemeralRunnerPhaseRunning is a phase set when the ephemeral runner is online and
// waiting for a job to execute.
EphemeralRunnerPhaseRunning EphemeralRunnerPhase = "Running"
// EphemeralRunnerPhaseSucceeded is a phase set when the ephemeral runner
// successfully executed the job and has been removed from the service.
EphemeralRunnerPhaseSucceeded EphemeralRunnerPhase = "Succeeded"
// EphemeralRunnerPhaseFailed is a phase set when the ephemeral runner
// fails with unrecoverable failure.
EphemeralRunnerPhaseFailed EphemeralRunnerPhase = "Failed"
// EphemeralRunnerPhaseOutdated is a special phase that indicates the runner is outdated and should be upgraded.
EphemeralRunnerPhaseOutdated EphemeralRunnerPhase = "Outdated"
)
func (s *EphemeralRunnerStatus) LastFailure() metav1.Time {
var maxTime metav1.Time
if len(s.Failures) == 0 {

14
apis/actions.github.com/v1alpha1/ephemeralrunnerset_types.go
View File

@@ -28,6 +28,8 @@ type EphemeralRunnerSetSpec struct {
PatchID int `json:"patchID"`
// EphemeralRunnerSpec is the spec of the ephemeral runner
EphemeralRunnerSpec EphemeralRunnerSpec `json:"ephemeralRunnerSpec,omitempty"`
// +optional
EphemeralRunnerMetadata *ResourceMeta `json:"ephemeralRunnerMetadata,omitempty"`
}
// EphemeralRunnerSetStatus defines the observed state of EphemeralRunnerSet
@@ -40,8 +42,20 @@ type EphemeralRunnerSetStatus struct {
RunningEphemeralRunners int `json:"runningEphemeralRunners"`
// +optional
FailedEphemeralRunners int `json:"failedEphemeralRunners"`
// +optional
Phase EphemeralRunnerSetPhase `json:"phase"`
}
// EphemeralRunnerSetPhase is the phase of the ephemeral runner set resource
type EphemeralRunnerSetPhase string
const (
EphemeralRunnerSetPhaseRunning EphemeralRunnerSetPhase = "Running"
// EphemeralRunnerSetPhaseOutdated is set when at least one ephemeral runner
// contains the outdated phase
EphemeralRunnerSetPhaseOutdated EphemeralRunnerSetPhase = "Outdated"
)
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:JSONPath=".spec.replicas",name="DesiredReplicas",type="integer"

105
apis/actions.github.com/v1alpha1/tls_config_test.go
View File

@@ -1,105 +0,0 @@
package v1alpha1_test
import (
"crypto/tls"
"crypto/x509"
"net/http"
"os"
"path/filepath"
"testing"
"github.com/actions/actions-runner-controller/apis/actions.github.com/v1alpha1"
"github.com/actions/actions-runner-controller/github/actions/testserver"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
v1 "k8s.io/api/core/v1"
)
func TestGitHubServerTLSConfig_ToCertPool(t *testing.T) {
t.Run("returns an error if CertificateFrom not specified", func(t *testing.T) {
c := &v1alpha1.TLSConfig{
CertificateFrom: nil,
}
pool, err := c.ToCertPool(nil)
assert.Nil(t, pool)
require.Error(t, err)
assert.Equal(t, err.Error(), "certificateFrom not specified")
})
t.Run("returns an error if CertificateFrom.ConfigMapKeyRef not specified", func(t *testing.T) {
c := &v1alpha1.TLSConfig{
CertificateFrom: &v1alpha1.TLSCertificateSource{},
}
pool, err := c.ToCertPool(nil)
assert.Nil(t, pool)
require.Error(t, err)
assert.Equal(t, err.Error(), "configMapKeyRef not specified")
})
t.Run("returns a valid cert pool with correct configuration", func(t *testing.T) {
c := &v1alpha1.TLSConfig{
CertificateFrom: &v1alpha1.TLSCertificateSource{
ConfigMapKeyRef: &v1.ConfigMapKeySelector{
LocalObjectReference: v1.LocalObjectReference{
Name: "name",
},
Key: "key",
},
},
}
certsFolder := filepath.Join(
"../../../",
"github",
"actions",
"testdata",
)
fetcher := func(name, key string) ([]byte, error) {
cert, err := os.ReadFile(filepath.Join(certsFolder, "rootCA.crt"))
require.NoError(t, err)
pool := x509.NewCertPool()
ok := pool.AppendCertsFromPEM(cert)
assert.True(t, ok)
return cert, nil
}
pool, err := c.ToCertPool(fetcher)
require.NoError(t, err)
require.NotNil(t, pool)
// can be used to communicate with a server
serverSuccessfullyCalled := false
server := testserver.NewUnstarted(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
serverSuccessfullyCalled = true
w.WriteHeader(http.StatusOK)
}))
cert, err := tls.LoadX509KeyPair(
filepath.Join(certsFolder, "server.crt"),
filepath.Join(certsFolder, "server.key"),
)
require.NoError(t, err)
server.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
server.StartTLS()
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: pool,
},
},
}
_, err = client.Get(server.URL)
assert.NoError(t, err)
assert.True(t, serverSuccessfullyCalled)
})
}

104
apis/actions.github.com/v1alpha1/zz_generated.deepcopy.go
View File

@@ -118,6 +118,26 @@ func (in *AutoscalingListenerSpec) DeepCopyInto(out *AutoscalingListenerSpec) {
*out = new(v1.PodTemplateSpec)
(*in).DeepCopyInto(*out)
}
if in.ConfigSecretMetadata != nil {
in, out := &in.ConfigSecretMetadata, &out.ConfigSecretMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.ServiceAccountMetadata != nil {
in, out := &in.ServiceAccountMetadata, &out.ServiceAccountMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.RoleMetadata != nil {
in, out := &in.RoleMetadata, &out.RoleMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.RoleBindingMetadata != nil {
in, out := &in.RoleBindingMetadata, &out.RoleBindingMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingListenerSpec.
@@ -207,6 +227,11 @@ func (in *AutoscalingRunnerSetList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec) {
*out = *in
if in.RunnerScaleSetLabels != nil {
in, out := &in.RunnerScaleSetLabels, &out.RunnerScaleSetLabels
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Proxy != nil {
in, out := &in.Proxy, &out.Proxy
*out = new(ProxyConfig)
@@ -223,6 +248,11 @@ func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec)
(*in).DeepCopyInto(*out)
}
in.Template.DeepCopyInto(&out.Template)
if in.AutoscalingListenerMetadata != nil {
in, out := &in.AutoscalingListenerMetadata, &out.AutoscalingListenerMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.ListenerMetrics != nil {
in, out := &in.ListenerMetrics, &out.ListenerMetrics
*out = new(MetricsConfig)
@@ -233,6 +263,41 @@ func (in *AutoscalingRunnerSetSpec) DeepCopyInto(out *AutoscalingRunnerSetSpec)
*out = new(v1.PodTemplateSpec)
(*in).DeepCopyInto(*out)
}
if in.ListenerServiceAccountMetadata != nil {
in, out := &in.ListenerServiceAccountMetadata, &out.ListenerServiceAccountMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.ListenerRoleMetadata != nil {
in, out := &in.ListenerRoleMetadata, &out.ListenerRoleMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.ListenerRoleBindingMetadata != nil {
in, out := &in.ListenerRoleBindingMetadata, &out.ListenerRoleBindingMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.ListenerConfigSecretMetadata != nil {
in, out := &in.ListenerConfigSecretMetadata, &out.ListenerConfigSecretMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.EphemeralRunnerSetMetadata != nil {
in, out := &in.EphemeralRunnerSetMetadata, &out.EphemeralRunnerSetMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.EphemeralRunnerMetadata != nil {
in, out := &in.EphemeralRunnerMetadata, &out.EphemeralRunnerMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.EphemeralRunnerConfigSecretMetadata != nil {
in, out := &in.EphemeralRunnerConfigSecretMetadata, &out.EphemeralRunnerConfigSecretMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
if in.MaxRunners != nil {
in, out := &in.MaxRunners, &out.MaxRunners
*out = new(int)
@@ -427,6 +492,11 @@ func (in *EphemeralRunnerSetList) DeepCopyObject() runtime.Object {
func (in *EphemeralRunnerSetSpec) DeepCopyInto(out *EphemeralRunnerSetSpec) {
*out = *in
in.EphemeralRunnerSpec.DeepCopyInto(&out.EphemeralRunnerSpec)
if in.EphemeralRunnerMetadata != nil {
in, out := &in.EphemeralRunnerMetadata, &out.EphemeralRunnerMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralRunnerSetSpec.
@@ -472,6 +542,11 @@ func (in *EphemeralRunnerSpec) DeepCopyInto(out *EphemeralRunnerSpec) {
*out = new(VaultConfig)
(*in).DeepCopyInto(*out)
}
if in.EphemeralRunnerConfigSecretMetadata != nil {
in, out := &in.EphemeralRunnerConfigSecretMetadata, &out.EphemeralRunnerConfigSecretMetadata
*out = new(ResourceMeta)
(*in).DeepCopyInto(*out)
}
in.PodTemplateSpec.DeepCopyInto(&out.PodTemplateSpec)
}
@@ -660,6 +735,35 @@ func (in *ProxyServerConfig) DeepCopy() *ProxyServerConfig {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourceMeta) DeepCopyInto(out *ResourceMeta) {
*out = *in
if in.Labels != nil {
in, out := &in.Labels, &out.Labels
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
if in.Annotations != nil {
in, out := &in.Annotations, &out.Annotations
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceMeta.
func (in *ResourceMeta) DeepCopy() *ResourceMeta {
if in == nil {
return nil
}
out := new(ResourceMeta)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSCertificateSource) DeepCopyInto(out *TLSCertificateSource) {
*out = *in

29
apis/actions.summerwind.net/v1alpha1/runner_webhook.go
View File

@@ -18,14 +18,11 @@ package v1alpha1
import (
"context"
"fmt"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
ctrl "sigs.k8s.io/controller-runtime"
logf "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
@@ -33,8 +30,7 @@ import (
var runnerLog = logf.Log.WithName("runner-resource")
func (r *Runner) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(r).
return ctrl.NewWebhookManagedBy(mgr, r).
WithDefaulter(&RunnerDefaulter{}).
WithValidator(&RunnerValidator{}).
Complete()
@@ -42,44 +38,35 @@ func (r *Runner) SetupWebhookWithManager(mgr ctrl.Manager) error {
// +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=mutate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
var _ webhook.CustomDefaulter = &RunnerDefaulter{}
var _ admission.Defaulter[*Runner] = &RunnerDefaulter{}
type RunnerDefaulter struct{}
// Default implements webhook.Defaulter so a webhook will be registered for the type
func (*RunnerDefaulter) Default(ctx context.Context, obj runtime.Object) error {
// Nothing to do.
// Default implements [admission.Defaulter].
func (in *RunnerDefaulter) Default(ctx context.Context, obj *Runner) error {
return nil
}
// +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runner,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runners,versions=v1alpha1,name=validate.runner.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
var _ webhook.CustomValidator = &RunnerValidator{}
var _ admission.Validator[*Runner] = &RunnerValidator{}
type RunnerValidator struct{}
// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
func (*RunnerValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
r, ok := obj.(*Runner)
if !ok {
return nil, fmt.Errorf("expected Runner object, got %T", obj)
}
func (*RunnerValidator) ValidateCreate(ctx context.Context, r *Runner) (admission.Warnings, error) {
runnerLog.Info("validate resource to be created", "name", r.Name)
return nil, r.Validate()
}
// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
func (*RunnerValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
r, ok := obj.(*Runner)
if !ok {
return nil, fmt.Errorf("expected Runner object, got %T", obj)
}
func (*RunnerValidator) ValidateUpdate(ctx context.Context, old, r *Runner) (admission.Warnings, error) {
runnerLog.Info("validate resource to be updated", "name", r.Name)
return nil, r.Validate()
}
// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
func (*RunnerValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
func (*RunnerValidator) ValidateDelete(ctx context.Context, obj *Runner) (admission.Warnings, error) {
return nil, nil
}

26
apis/actions.summerwind.net/v1alpha1/runnerdeployment_webhook.go
View File

@@ -18,14 +18,11 @@ package v1alpha1
import (
"context"
"fmt"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
ctrl "sigs.k8s.io/controller-runtime"
logf "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
@@ -33,8 +30,7 @@ import (
var runnerDeploymentLog = logf.Log.WithName("runnerdeployment-resource")
func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(r).
return ctrl.NewWebhookManagedBy(mgr, r).
WithDefaulter(&RunnerDeploymentDefaulter{}).
WithValidator(&RunnerDeploymentValidator{}).
Complete()
@@ -42,44 +38,36 @@ func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error {
// +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=mutate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
var _ webhook.CustomDefaulter = &RunnerDeploymentDefaulter{}
var _ admission.Defaulter[*RunnerDeployment] = &RunnerDeploymentDefaulter{}
type RunnerDeploymentDefaulter struct{}
// Default implements webhook.Defaulter so a webhook will be registered for the type
func (*RunnerDeploymentDefaulter) Default(context.Context, runtime.Object) error {
func (*RunnerDeploymentDefaulter) Default(context.Context, *RunnerDeployment) error {
// Nothing to do.
return nil
}
// +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerdeployment,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerdeployments,versions=v1alpha1,name=validate.runnerdeployment.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
var _ webhook.CustomValidator = &RunnerDeploymentValidator{}
var _ admission.Validator[*RunnerDeployment] = &RunnerDeploymentValidator{}
type RunnerDeploymentValidator struct{}
// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
func (*RunnerDeploymentValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
r, ok := obj.(*RunnerDeployment)
if !ok {
return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
}
func (*RunnerDeploymentValidator) ValidateCreate(ctx context.Context, r *RunnerDeployment) (admission.Warnings, error) {
runnerDeploymentLog.Info("validate resource to be created", "name", r.Name)
return nil, r.Validate()
}
// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
func (*RunnerDeploymentValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
r, ok := obj.(*RunnerDeployment)
if !ok {
return nil, fmt.Errorf("expected RunnerDeployment object, got %T", obj)
}
func (*RunnerDeploymentValidator) ValidateUpdate(ctx context.Context, old, r *RunnerDeployment) (admission.Warnings, error) {
runnerDeploymentLog.Info("validate resource to be updated", "name", r.Name)
return nil, r.Validate()
}
// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
func (*RunnerDeploymentValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
func (*RunnerDeploymentValidator) ValidateDelete(context.Context, *RunnerDeployment) (admission.Warnings, error) {
return nil, nil
}

26
apis/actions.summerwind.net/v1alpha1/runnerreplicaset_webhook.go
View File

@@ -18,14 +18,11 @@ package v1alpha1
import (
"context"
"fmt"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
ctrl "sigs.k8s.io/controller-runtime"
logf "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
@@ -33,8 +30,7 @@ import (
var runnerReplicaSetLog = logf.Log.WithName("runnerreplicaset-resource")
func (r *RunnerReplicaSet) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(r).
return ctrl.NewWebhookManagedBy(mgr, r).
WithDefaulter(&RunnerReplicaSetDefaulter{}).
WithValidator(&RunnerReplicaSetValidator{}).
Complete()
@@ -42,44 +38,36 @@ func (r *RunnerReplicaSet) SetupWebhookWithManager(mgr ctrl.Manager) error {
// +kubebuilder:webhook:path=/mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=true,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=mutate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
var _ webhook.CustomDefaulter = &RunnerReplicaSetDefaulter{}
var _ admission.Defaulter[*RunnerReplicaSet] = &RunnerReplicaSetDefaulter{}
type RunnerReplicaSetDefaulter struct{}
// Default implements webhook.Defaulter so a webhook will be registered for the type
func (*RunnerReplicaSetDefaulter) Default(context.Context, runtime.Object) error {
func (*RunnerReplicaSetDefaulter) Default(context.Context, *RunnerReplicaSet) error {
// Nothing to do.
return nil
}
// +kubebuilder:webhook:path=/validate-actions-summerwind-dev-v1alpha1-runnerreplicaset,verbs=create;update,mutating=false,failurePolicy=fail,groups=actions.summerwind.dev,resources=runnerreplicasets,versions=v1alpha1,name=validate.runnerreplicaset.actions.summerwind.dev,sideEffects=None,admissionReviewVersions=v1beta1
var _ webhook.CustomValidator = &RunnerReplicaSetValidator{}
var _ admission.Validator[*RunnerReplicaSet] = &RunnerReplicaSetValidator{}
type RunnerReplicaSetValidator struct{}
// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
func (*RunnerReplicaSetValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
r, ok := obj.(*RunnerReplicaSet)
if !ok {
return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
}
func (*RunnerReplicaSetValidator) ValidateCreate(ctx context.Context, r *RunnerReplicaSet) (admission.Warnings, error) {
runnerReplicaSetLog.Info("validate resource to be created", "name", r.Name)
return nil, r.Validate()
}
// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
func (*RunnerReplicaSetValidator) ValidateUpdate(ctx context.Context, old, obj runtime.Object) (admission.Warnings, error) {
r, ok := obj.(*RunnerReplicaSet)
if !ok {
return nil, fmt.Errorf("expected RunnerReplicaSet object, got %T", obj)
}
func (*RunnerReplicaSetValidator) ValidateUpdate(ctx context.Context, old, r *RunnerReplicaSet) (admission.Warnings, error) {
runnerReplicaSetLog.Info("validate resource to be updated", "name", r.Name)
return nil, r.Validate()
}
// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
func (*RunnerReplicaSetValidator) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
func (*RunnerReplicaSetValidator) ValidateDelete(context.Context, *RunnerReplicaSet) (admission.Warnings, error) {
return nil, nil
}

2
apis/actions.summerwind.net/v1alpha1/zz_generated.deepcopy.go
View File

@@ -23,7 +23,7 @@ package v1alpha1
import (
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

2
charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: horizontalrunnerautoscalers.actions.summerwind.dev
spec:
group: actions.summerwind.dev

37
charts/actions-runner-controller/crds/actions.summerwind.dev_runnerdeployments.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: runnerdeployments.actions.summerwind.dev
spec:
group: actions.summerwind.dev
@@ -1861,7 +1861,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5323,7 +5325,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -7090,7 +7094,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -7741,9 +7747,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -8573,7 +8580,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -9408,6 +9415,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName

37
charts/actions-runner-controller/crds/actions.summerwind.dev_runnerreplicasets.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: runnerreplicasets.actions.summerwind.dev
spec:
group: actions.summerwind.dev
@@ -1844,7 +1844,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5306,7 +5308,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -7073,7 +7077,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -7724,9 +7730,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -8556,7 +8563,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -9391,6 +9398,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName

37
charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: runners.actions.summerwind.dev
spec:
group: actions.summerwind.dev
@@ -1776,7 +1776,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5238,7 +5240,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -7005,7 +7009,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -7656,9 +7662,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -8488,7 +8495,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -9323,6 +9330,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName

83
charts/actions-runner-controller/crds/actions.summerwind.dev_runnersets.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: runnersets.actions.summerwind.dev
spec:
group: actions.summerwind.dev
@@ -1998,7 +1998,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5065,7 +5067,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5823,8 +5827,8 @@ spec:
will be made available to those containers which consume them
by name.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This is a stable field but requires that the
DynamicResourceAllocation feature gate is enabled.
This field is immutable.
items:
@@ -6273,9 +6277,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -7047,7 +7052,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -7882,6 +7887,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
@@ -8291,6 +8314,42 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
workloadRef:
description: |-
WorkloadRef provides a reference to the Workload object that this Pod belongs to.
This field is used by the scheduler to identify the PodGroup and apply the
correct group scheduling policies. The Workload object referenced
by this field may not exist at the time the Pod is created.
This field is immutable, but a Workload object with the same name
may be recreated with different policies. Doing this during pod scheduling
may result in the placement not conforming to the expected policies.
properties:
name:
description: |-
Name defines the name of the Workload object this Pod belongs to.
Workload must be in the same namespace as the Pod.
If it doesn't match any existing Workload, the Pod will remain unschedulable
until a Workload object is created and observed by the kube-scheduler.
It must be a DNS subdomain.
type: string
podGroup:
description: |-
PodGroup is the name of the PodGroup within the Workload that this Pod
belongs to. If it doesn't match any existing PodGroup within the Workload,
the Pod will remain unschedulable until the Workload object is recreated
and observed by the kube-scheduler. It must be a DNS label.
type: string
podGroupReplicaKey:
description: |-
PodGroupReplicaKey specifies the replica key of the PodGroup to which this
Pod belongs. It is used to distinguish pods belonging to different replicas
of the same pod group. The pod group policy is applied separately to each replica.
When set, it must be a DNS label.
type: string
required:
- name
- podGroup
type: object
required:
- containers
type: object
@@ -8312,10 +8371,10 @@ spec:
The maximum number of pods that can be unavailable during the update.
Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
Absolute number is calculated from percentage by rounding up. This can not be 0.
Defaults to 1. This field is alpha-level and is only honored by servers that enable the
MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
will be counted towards MaxUnavailable.
This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
x-kubernetes-int-or-string: true
partition:
description: |-
@@ -8472,7 +8531,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -8594,7 +8653,7 @@ spec:
that it does not recognizes, then it should ignore that update and let other controllers
handle it.
type: string
description: "allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
description: "allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC."
type: object
x-kubernetes-map-type: granular
allocatedResources:
@@ -8604,7 +8663,7 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: "allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature."
description: "allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC."
type: object
capacity:
additionalProperties:

24
charts/gha-runner-scale-set-controller-experimental/.helmignore Normal file
View File

@@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
tests/

33
charts/gha-runner-scale-set-controller-experimental/Chart.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: v2
name: gha-runner-scale-set-controller-experimental
description: A Helm chart for install actions-runner-controller CRD
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.14.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.14.0"
home: https://github.com/actions/actions-runner-controller
sources:
- "https://github.com/actions/actions-runner-controller"
maintainers:
- name: actions
url: https://github.com/actions

8816
charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalinglisteners.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

16563
charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_autoscalingrunnersets.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

8349
charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunners.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

8333
charts/gha-runner-scale-set-controller-experimental/crds/actions.github.com_ephemeralrunnersets.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

3
charts/gha-runner-scale-set-controller-experimental/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,3 @@
Thank you for installing {{ .Chart.Name }}.
Your release is named {{ .Release.Name }}.

67
charts/gha-runner-scale-set-controller-experimental/templates/_controller.tpl Normal file
View File

@@ -0,0 +1,67 @@
{{/*
Allow overriding the namespace for the resources.
*/}}
{{- define "gha-controller.namespace" -}}
{{- if .Values.namespaceOverride }}
{{- .Values.namespaceOverride }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "gha-controller.name" -}}
{{- if .Values.nameOverride }}
{{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default (include "gha-base-name" .) .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Labels applied to the controller deployment
*/}}
{{- define "gha-controller.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "controller-manager" -}}
{{- $commonLabels := include "gha-common.labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.controller.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.labels | default (dict)) | fromYaml -}}
{{- $labels := mergeOverwrite $global $userLabels $resourceLabels $commonLabels -}}
{{- /* Reserved actions.github.com/* labels owned by the chart itself */ -}}
{{- $_ := set $labels "actions.github.com/controller-service-account-namespace" (include "gha-controller.namespace" .) -}}
{{- $_ := set $labels "actions.github.com/controller-service-account-name" (include "gha-controller.service-account-name" .) -}}
{{- with .Values.controller.manager.config.watchSingleNamespace }}
{{- $_ := set $labels "actions.github.com/controller-watch-single-namespace" . -}}
{{- end }}
{{- toYaml $labels -}}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "gha-controller.service-account-name" -}}
{{- if eq .Values.controller.serviceAccount.name "default"}}
{{- fail "serviceAccount.name cannot be set to 'default'" }}
{{- end }}
{{- if .Values.controller.serviceAccount.create }}
{{- default (include "gha-controller.name" .) .Values.controller.serviceAccount.name }}
{{- else }}
{{- if not .Values.controller.serviceAccount.name }}
{{- fail "serviceAccount.name must be set if serviceAccount.create is false" }}
{{- else }}
{{- .Values.controller.serviceAccount.name }}
{{- end }}
{{- end }}
{{- end }}

122
charts/gha-runner-scale-set-controller-experimental/templates/_controller_template.tpl Normal file
View File

@@ -0,0 +1,122 @@
{{/*
Labels applied to the controller Pod template (spec.template.metadata.labels)
*/}}
{{- define "gha-controller-template.labels" -}}
{{- $static := dict "app.kubernetes.io/part-of" "gha-rs-controller" "app.kubernetes.io/component" "controller-manager" -}}
{{- $_ := set $static "app.kubernetes.io/version" (.Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-") -}}
{{- $selector := include "gha-controller.selector-labels" . | fromYaml -}}
{{- $podUser := include "apply-non-reserved-gha-labels-and-annotations" (.Values.controller.pod.metadata.labels | default (dict)) | fromYaml -}}
{{- $labels := mergeOverwrite $podUser $selector $static -}}
{{- toYaml $labels -}}
{{- end }}
{{/*
Annotations applied to the controller Pod template (spec.template.metadata.annotations)
*/}}
{{- define "gha-controller-template.annotations" -}}
{{- $static := dict "kubectl.kubernetes.io/default-container" "manager" -}}
{{- $podUser := include "apply-non-reserved-gha-labels-and-annotations" (.Values.controller.pod.metadata.annotations | default (dict)) | fromYaml -}}
{{- $annotations := mergeOverwrite $podUser $static -}}
{{- toYaml $annotations -}}
{{- end }}
{{- define "gha-controller-template.manager-container" -}}
name: manager
image: "{{ .Values.controller.manager.container.image }}"
imagePullPolicy: {{ default "IfNotPresent" .Values.controller.manager.container.pullPolicy }}
command:
- "/manager"
args:
- "--auto-scaling-runner-set-only"
{{- if gt (int (default 1 .Values.controller.replicaCount)) 1 }}
- "--enable-leader-election"
- "--leader-election-id={{ include "gha-controller.name" . }}"
{{- end }}
{{- with .Values.imagePullSecrets }}
{{- range . }}
- "--auto-scaler-image-pull-secrets={{- .name -}}"
{{- end }}
{{- end }}
{{- with .Values.controller.manager.config.logLevel }}
- "--log-level={{ . }}"
{{- end }}
{{- with .Values.controller.manager.config.logFormat }}
- "--log-format={{ . }}"
{{- end }}
{{- with .Values.controller.manager.config.watchSingleNamespace }}
- "--watch-single-namespace={{ . }}"
{{- end }}
{{- with .Values.controller.manager.config.runnerMaxConcurrentReconciles }}
- "--runner-max-concurrent-reconciles={{ . }}"
{{- end }}
{{- with .Values.controller.manager.config.updateStrategy }}
- "--update-strategy={{ . }}"
{{- end }}
{{- if .Values.controller.metrics }}
{{- with .Values.controller.metrics }}
- "--listener-metrics-addr={{ .listenerAddr }}"
- "--listener-metrics-endpoint={{ .listenerEndpoint }}"
- "--metrics-addr={{ .controllerManagerAddr }}"
{{- end }}
{{- else }}
- "--listener-metrics-addr=0"
- "--listener-metrics-endpoint="
- "--metrics-addr=0"
{{- end }}
{{- range .Values.controller.manager.config.excludeLabelPropagationPrefixes }}
- "--exclude-label-propagation-prefix={{ . }}"
{{- end }}
{{- with .Values.controller.manager.config.k8sClientRateLimiterQPS }}
- "--k8s-client-rate-limiter-qps={{ . }}"
{{- end }}
{{- with .Values.controller.manager.config.k8sClientRateLimiterBurst }}
- "--k8s-client-rate-limiter-burst={{ . }}"
{{- end }}
{{- with .Values.controller.manager.container.extraArgs }}
{{- range . }}
- "{{ . }}"
{{- end }}
{{- end }}
{{- $ports := list -}}
{{- if .Values.controller.metrics }}
{{- $metricsPort := dict "containerPort" ((regexReplaceAll ":([0-9]+)" .Values.controller.metrics.controllerManagerAddr "${1}") | int) "protocol" "TCP" "name" "metrics" -}}
{{- $ports = append $ports $metricsPort -}}
{{- end }}
{{- with .Values.controller.manager.container.extraPorts }}
{{- if kindIs "slice" . }}
{{- $ports = concat $ports . -}}
{{- end }}
{{- end }}
{{- if gt (len $ports) 0 }}
ports:
{{- toYaml $ports | nindent 2 }}
{{- end }}
env:
- name: CONTROLLER_MANAGER_CONTAINER_IMAGE
value: "{{ .Values.controller.manager.container.image }}"
- name: CONTROLLER_MANAGER_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.controller.manager.container.env }}
{{- if kindIs "slice" . }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- with .Values.controller.manager.container.resources }}
resources:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.controller.manager.container.securityContext }}
securityContext:
{{- toYaml . | nindent 2 }}
{{- end }}
volumeMounts:
- mountPath: /tmp
name: tmp
{{- $podVolumeMounts := (.Values.controller.pod.volumeMounts | default list) -}}
{{- range $podVolumeMounts }}
- {{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

74
charts/gha-runner-scale-set-controller-experimental/templates/_defaults.tpl Normal file
View File

@@ -0,0 +1,74 @@
{{- define "gha-base-name" -}}
gha-rs-controller
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gha-controller.chart" -}}
{{- printf "%s-%s" (include "gha-base-name" .) .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "gha-common.labels" -}}
helm.sh/chart: {{ include "gha-controller.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/part-of: "gha-rs-controller"
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/name: {{ include "gha-controller.name" . }}
app.kubernetes.io/namespace: {{ include "gha-controller.namespace" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "gha-controller.manager-cluster-role-name" -}}
{{- include "gha-controller.name" . }}
{{- end }}
{{- define "gha-controller.manager-cluster-role-binding" -}}
{{- include "gha-controller.name" . }}
{{- end }}
{{- define "gha-controller.manager-single-namespace-role-name" -}}
{{- include "gha-controller.name" . }}-single-namespace
{{- end }}
{{- define "gha-controller.manager-single-namespace-role-binding" -}}
{{- include "gha-controller.name" . }}-single-namespace
{{- end }}
{{- define "gha-controller.manager-single-namespace-watch-role-name" -}}
{{- include "gha-controller.name" . }}-single-namespace-watch
{{- end }}
{{- define "gha-controller.manager-single-namespace-watch-role-binding" -}}
{{- include "gha-controller.name" . }}-single-namespace-watch
{{- end }}
{{- define "gha-controller.manager-listener-role-name" -}}
{{- include "gha-controller.name" . }}-listener
{{- end }}
{{- define "gha-controller.manager-listener-role-binding" -}}
{{- include "gha-controller.name" . }}-listener
{{- end }}
{{- define "gha-controller.leaderElectionRoleName" -}}
{{- include "gha-controller.name" . }}-leader-election
{{- end }}
{{- define "gha-controller.leader-election-role-name" -}}
{{- include "gha-controller.leaderElectionRoleName" . -}}
{{- end }}
{{- define "gha-controller.leaderElectionRoleBinding" -}}
{{- include "gha-controller.name" . }}-leader-election
{{- end }}
{{- define "gha-controller.leader-election-role-binding" -}}
{{- include "gha-controller.leaderElectionRoleBinding" . -}}
{{- end }}

21
charts/gha-runner-scale-set-controller-experimental/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,21 @@
{{/*
Takes a map of user labels and removes the ones with "actions.github.com/" prefix
*/}}
{{- define "apply-non-reserved-gha-labels-and-annotations" -}}
{{- $userLabels := . -}}
{{- $processed := dict -}}
{{- range $key, $value := $userLabels -}}
{{- if not (hasPrefix "actions.github.com/" $key) -}}
{{- $_ := set $processed $key $value -}}
{{- end -}}
{{- end -}}
{{- if not (empty $processed) -}}
{{- $processed | toYaml }}
{{- end }}
{{- end }}
{{- define "gha-controller.selector-labels" -}}
app.kubernetes.io/name: {{ include "gha-controller.name" . }}
app.kubernetes.io/namespace: {{ include "gha-controller.namespace" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

54
charts/gha-runner-scale-set-controller-experimental/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "gha-controller.name" . }}
namespace: {{ include "gha-controller.namespace" . }}
labels:
{{- include "gha-controller.labels" . | nindent 4 }}
spec:
replicas: {{ default 1 .Values.controller.replicaCount }}
selector:
matchLabels:
{{- include "gha-controller.selector-labels" . | nindent 6 }}
template:
metadata:
annotations:
{{- include "gha-controller-template.annotations" . | nindent 8 }}
labels:
{{- include "gha-controller-template.labels" . | nindent 8 }}
spec:
{{- $pod := (.Values.controller.pod | default dict) -}}
{{- if and (hasKey .Values.controller "pod") (not (kindIs "map" $pod)) -}}
{{- fail "controller.pod must be an object" -}}
{{- end -}}
{{- $podSpec := (index $pod "spec" | default dict) -}}
{{- if and (hasKey $pod "spec") (not (kindIs "map" $podSpec)) -}}
{{- fail "controller.pod.spec must be an object" -}}
{{- end -}}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "gha-controller.service-account-name" . }}
containers:
-
{{- include "gha-controller-template.manager-container" . | nindent 10 }}
{{- $extraContainers := (index $podSpec "containers" | default list) -}}
{{- range $extraContainers }}
-
{{- toYaml . | nindent 10 }}
{{- end }}
terminationGracePeriodSeconds: {{ default 10 (index $podSpec "terminationGracePeriodSeconds") }}
volumes:
- name: tmp
emptyDir: {}
{{- $podVolumes := (index $podSpec "volumes" | default list) -}}
{{- range $podVolumes }}
- {{- toYaml . | nindent 10 }}
{{- end }}
{{- $runnerPodSpecExtraFields := (omit $podSpec "containers" "serviceAccountName" "terminationGracePeriodSeconds" "volumes") -}}
{{- if gt (len $runnerPodSpecExtraFields) 0 }}
{{- toYaml $runnerPodSpecExtraFields | nindent 6 }}
{{- end }}

15
charts/gha-runner-scale-set-controller-experimental/templates/leader_election_role.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if gt (int (default 1 .Values.controller.replicaCount)) 1 }}
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gha-controller.leader-election-role-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
{{- end }}

15
charts/gha-runner-scale-set-controller-experimental/templates/leader_election_role_binding.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if gt (int (default 1 .Values.controller.replicaCount)) 1 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gha-controller.leader-election-role-binding" . }}
namespace: {{ include "gha-controller.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gha-controller.leader-election-role-name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gha-controller.service-account-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
{{- end }}

144
charts/gha-runner-scale-set-controller-experimental/templates/manager_cluster_role.yaml Normal file
View File

@@ -0,0 +1,144 @@
{{- if empty .Values.controller.manager.config.watchSingleNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "gha-controller.manager-cluster-role-name" . }}
rules:
- apiGroups:
- actions.github.com
resources:
- autoscalingrunnersets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- autoscalingrunnersets/finalizers
verbs:
- patch
- update
- apiGroups:
- actions.github.com
resources:
- autoscalingrunnersets/status
verbs:
- get
- patch
- update
- apiGroups:
- actions.github.com
resources:
- autoscalinglisteners
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- autoscalinglisteners/status
verbs:
- get
- patch
- update
- apiGroups:
- actions.github.com
resources:
- autoscalinglisteners/finalizers
verbs:
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunnersets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- ephemeralrunnersets/status
verbs:
- get
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunnersets/finalizers
verbs:
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunners
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- ephemeralrunners/finalizers
verbs:
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunners/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- list
- watch
- patch
{{- end }}

14
charts/gha-runner-scale-set-controller-experimental/templates/manager_cluster_role_binding.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- if empty .Values.controller.manager.config.watchSingleNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "gha-controller.manager-cluster-role-binding" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "gha-controller.manager-cluster-role-name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gha-controller.service-account-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
{{- end }}

40
charts/gha-runner-scale-set-controller-experimental/templates/manager_listener_role.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gha-controller.manager-listener-role-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- patch
- update

13
charts/gha-runner-scale-set-controller-experimental/templates/manager_listener_role_binding.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gha-controller.manager-listener-role-binding" . }}
namespace: {{ include "gha-controller.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gha-controller.manager-listener-role-name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gha-controller.service-account-name" . }}
namespace: {{ include "gha-controller.namespace" . }}

84
charts/gha-runner-scale-set-controller-experimental/templates/manager_single_namespace_controller_role.yaml Normal file
View File

@@ -0,0 +1,84 @@
{{- if .Values.controller.manager.config.watchSingleNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gha-controller.manager-single-namespace-role-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
rules:
- apiGroups:
- actions.github.com
resources:
- autoscalinglisteners
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- autoscalinglisteners/status
verbs:
- get
- patch
- update
- apiGroups:
- actions.github.com
resources:
- autoscalinglisteners/finalizers
verbs:
- patch
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- list
- watch
- apiGroups:
- actions.github.com
resources:
- autoscalingrunnersets
verbs:
- list
- watch
- apiGroups:
- actions.github.com
resources:
- ephemeralrunnersets
verbs:
- list
- watch
- apiGroups:
- actions.github.com
resources:
- ephemeralrunners
verbs:
- list
- watch
{{- end }}

15
charts/gha-runner-scale-set-controller-experimental/templates/manager_single_namespace_controller_role_binding.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if .Values.controller.manager.config.watchSingleNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gha-controller.manager-single-namespace-role-binding" . }}
namespace: {{ include "gha-controller.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gha-controller.manager-single-namespace-role-name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gha-controller.service-account-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
{{- end }}

125
charts/gha-runner-scale-set-controller-experimental/templates/manager_single_namespace_watch_role.yaml Normal file
View File

@@ -0,0 +1,125 @@
{{- if .Values.controller.manager.config.watchSingleNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "gha-controller.manager-single-namespace-watch-role-name" . }}
namespace: {{ .Values.controller.manager.config.watchSingleNamespace }}
rules:
- apiGroups:
- actions.github.com
resources:
- autoscalingrunnersets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- autoscalingrunnersets/finalizers
verbs:
- patch
- update
- apiGroups:
- actions.github.com
resources:
- autoscalingrunnersets/status
verbs:
- get
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunnersets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- ephemeralrunnersets/status
verbs:
- get
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunnersets/finalizers
verbs:
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunners
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- actions.github.com
resources:
- ephemeralrunners/finalizers
verbs:
- patch
- update
- apiGroups:
- actions.github.com
resources:
- ephemeralrunners/status
verbs:
- get
- patch
- update
- apiGroups:
- actions.github.com
resources:
- autoscalinglisteners
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- list
- watch
- patch
{{- end }}

15
charts/gha-runner-scale-set-controller-experimental/templates/manager_single_namespace_watch_role_binding.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if .Values.controller.manager.config.watchSingleNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "gha-controller.manager-single-namespace-watch-role-binding" . }}
namespace: {{ .Values.controller.manager.config.watchSingleNamespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "gha-controller.manager-single-namespace-watch-role-name" . }}
subjects:
- kind: ServiceAccount
name: {{ include "gha-controller.service-account-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
{{- end }}

13
charts/gha-runner-scale-set-controller-experimental/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "gha-controller.service-account-name" . }}
namespace: {{ include "gha-controller.namespace" . }}
labels:
{{- include "gha-controller.labels" . | nindent 4 }}
{{- with .Values.controller.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

75
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_args_test.yaml Normal file
View File

@@ -0,0 +1,75 @@
suite: "Controller Deployment args"
templates:
- deployment.yaml
tests:
- it: should include metrics-disabled flags by default
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--metrics-addr=0"
- contains:
path: spec.template.spec.containers[0].args
content: "--listener-metrics-addr=0"
- contains:
path: spec.template.spec.containers[0].args
content: "--listener-metrics-endpoint="
- it: should include watch-single-namespace flag when configured
set:
controller:
manager:
config:
watchSingleNamespace: "demo"
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--watch-single-namespace=demo"
- it: should include exclude-label-propagation-prefix flags when configured
set:
controller:
manager:
config:
excludeLabelPropagationPrefixes:
- "prefix.com/"
- "complete.io/label"
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--exclude-label-propagation-prefix=prefix.com/"
- contains:
path: spec.template.spec.containers[0].args
content: "--exclude-label-propagation-prefix=complete.io/label"
- it: should render metrics port when metrics are enabled
set:
controller:
metrics:
controllerManagerAddr: ":8080"
listenerAddr: ":8081"
listenerEndpoint: "/metrics"
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- equal:
path: spec.template.spec.containers[0].ports[0].containerPort
value: 8080
- contains:
path: spec.template.spec.containers[0].args
content: "--metrics-addr=:8080"
- contains:
path: spec.template.spec.containers[0].args
content: "--listener-metrics-addr=:8081"
- contains:
path: spec.template.spec.containers[0].args
content: "--listener-metrics-endpoint=/metrics"

46
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_env_test.yaml Normal file
View File

@@ -0,0 +1,46 @@
suite: "Controller Deployment env"
templates:
- deployment.yaml
tests:
- it: should not render envFrom in manager container
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.template.spec.containers[0].envFrom
- notExists:
path: spec.template.spec.containers[0].ports
- it: should include extra env entries from values
set:
controller:
manager:
container:
env:
- name: "FOO"
value: "bar"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: "FOO"
value: "bar"
- it: should enable leader election when replicaCount > 1
set:
controller:
replicaCount: 2
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--enable-leader-election"
- contains:
path: spec.template.spec.containers[0].args
content: "--leader-election-id=test-name-gha-rs-controller"

55
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_extra_containers_test.yaml Normal file
View File

@@ -0,0 +1,55 @@
suite: "Controller Deployment extra containers"
templates:
- deployment.yaml
tests:
- it: should render manager container first and then extra containers
set:
controller:
pod:
spec:
containers:
- name: "sidecar"
image: "busybox:1.36"
command:
- "sh"
- "-c"
args:
- "echo hello && sleep 3600"
- name: "another"
image: "alpine:3.19"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: "manager"
- equal:
path: spec.template.spec.containers[1].name
value: "sidecar"
- equal:
path: spec.template.spec.containers[1].image
value: "busybox:1.36"
- equal:
path: spec.template.spec.containers[1].command[0]
value: "sh"
- equal:
path: spec.template.spec.containers[1].args[0]
value: "echo hello && sleep 3600"
- equal:
path: spec.template.spec.containers[2].name
value: "another"
- equal:
path: spec.template.spec.containers[2].image
value: "alpine:3.19"
- it: should not fail when extra containers are unset
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: "manager"
- notExists:
path: spec.template.spec.containers[1]

33
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_imagepullsecrets_test.yaml Normal file
View File

@@ -0,0 +1,33 @@
suite: "Controller Deployment imagePullSecrets"
templates:
- deployment.yaml
tests:
- it: should not render imagePullSecrets by default
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- notExists:
path: spec.template.spec.imagePullSecrets
- it: should render imagePullSecrets and forward them as args when configured
set:
imagePullSecrets:
- name: regcred
- name: another
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: regcred
- equal:
path: spec.template.spec.imagePullSecrets[1].name
value: another
- contains:
path: spec.template.spec.containers[0].args
content: "--auto-scaler-image-pull-secrets=regcred"
- contains:
path: spec.template.spec.containers[0].args
content: "--auto-scaler-image-pull-secrets=another"

54
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_pod_extra_fields_test.yaml Normal file
View File

@@ -0,0 +1,54 @@
suite: "Controller Deployment pod extra fields"
templates:
- deployment.yaml
tests:
- it: should render extra pod spec fields from controller.pod
set:
controller:
pod:
spec:
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: "dedicated"
operator: "Equal"
value: "arc"
effect: "NoSchedule"
hostNetwork: true
dnsPolicy: "ClusterFirstWithHostNet"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.nodeSelector["kubernetes.io/os"]
value: "linux"
- equal:
path: spec.template.spec.tolerations[0].key
value: "dedicated"
- equal:
path: spec.template.spec.tolerations[0].value
value: "arc"
- equal:
path: spec.template.spec.hostNetwork
value: true
- equal:
path: spec.template.spec.dnsPolicy
value: "ClusterFirstWithHostNet"
- it: should not allow overriding serviceAccountName via controller.pod
set:
controller:
pod:
spec:
serviceAccountName: "hacker-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: "test-name-gha-rs-controller"
- notEqual:
path: spec.template.spec.serviceAccountName
value: "hacker-sa"

27
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_smoke_test.yaml Normal file
View File

@@ -0,0 +1,27 @@
suite: "Controller Deployment smoke"
templates:
- deployment.yaml
tests:
- it: should render deployment basics
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: apiVersion
value: "apps/v1"
- equal:
path: kind
value: "Deployment"
- equal:
path: metadata.name
value: "test-name-gha-rs-controller"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: spec.template.spec.containers[0].name
value: "manager"
- contains:
path: spec.template.spec.containers[0].command
content: "/manager"

25
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_volume_mounts_test.yaml Normal file
View File

@@ -0,0 +1,25 @@
suite: "Controller Deployment volume mounts"
templates:
- deployment.yaml
tests:
- it: should append controller.pod.volumeMounts to manager container
set:
controller:
manager:
container:
image: "ghcr.io/actions/gha-runner-scale-set-controller:latest"
pod:
volumeMounts:
- name: my-config
mountPath: /etc/my-config
readOnly: true
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: my-config
mountPath: /etc/my-config
readOnly: true

26
charts/gha-runner-scale-set-controller-experimental/tests/controller_deployment_volumes_test.yaml Normal file
View File

@@ -0,0 +1,26 @@
suite: "Controller Deployment volumes"
templates:
- deployment.yaml
tests:
- it: should append controller.pod.spec.volumes to pod spec volumes
set:
controller:
manager:
container:
image: "ghcr.io/actions/gha-runner-scale-set-controller:latest"
pod:
spec:
volumes:
- name: my-config
configMap:
name: my-config
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: my-config
configMap:
name: my-config

37
charts/gha-runner-scale-set-controller-experimental/tests/controller_manager_clusterrolebinding_test.yaml Normal file
View File

@@ -0,0 +1,37 @@
suite: "Controller Manager ClusterRoleBinding"
templates:
- manager_cluster_role_binding.yaml
tests:
- it: should render when watchSingleNamespace is empty
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: apiVersion
value: "rbac.authorization.k8s.io/v1"
- equal:
path: kind
value: "ClusterRoleBinding"
- equal:
path: subjects[0].kind
value: "ServiceAccount"
- equal:
path: subjects[0].name
value: "test-name-gha-rs-controller"
- equal:
path: subjects[0].namespace
value: "test-namespace"
- it: should not render when watchSingleNamespace is set
set:
controller:
manager:
config:
watchSingleNamespace: "my-ns"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0

24
charts/gha-runner-scale-set-controller-experimental/tests/controller_namespace_override_test.yaml Normal file
View File

@@ -0,0 +1,24 @@
suite: "Controller namespaceOverride"
templates:
- deployment.yaml
- serviceaccount.yaml
tests:
- it: should apply namespaceOverride to deployment and serviceaccount
set:
namespaceOverride: "override-ns"
release:
name: "test-name"
namespace: "release-ns"
asserts:
- equal:
path: metadata.namespace
value: "override-ns"
template: deployment.yaml
- equal:
path: metadata.labels["actions.github.com/controller-service-account-namespace"]
value: "override-ns"
template: deployment.yaml
- equal:
path: metadata.namespace
value: "override-ns"
template: serviceaccount.yaml

38
charts/gha-runner-scale-set-controller-experimental/tests/controller_rbac_clusterrole_test.yaml Normal file
View File

@@ -0,0 +1,38 @@
suite: "Controller RBAC cluster"
templates:
- manager_cluster_role.yaml
tests:
- it: should render manager ClusterRole when watchSingleNamespace is empty
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- equal:
path: kind
value: "ClusterRole"
- equal:
path: metadata.name
value: "test-arc-gha-rs-controller"
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- it: should not render manager ClusterRole when watchSingleNamespace is set
set:
controller:
manager:
config:
watchSingleNamespace: "demo"
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- hasDocuments:
count: 0

52
charts/gha-runner-scale-set-controller-experimental/tests/controller_rbac_leader_election_test.yaml Normal file
View File

@@ -0,0 +1,52 @@
suite: "Controller RBAC leader election"
templates:
- leader_election_role.yaml
- leader_election_role_binding.yaml
tests:
- it: should not render leader election resources when replicaCount is 1
set:
controller:
replicaCount: 1
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- hasDocuments:
count: 0
template: leader_election_role.yaml
- hasDocuments:
count: 0
template: leader_election_role_binding.yaml
- it: should render leader election resources when replicaCount > 1
set:
controller:
replicaCount: 2
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- equal:
path: kind
value: "Role"
template: leader_election_role.yaml
- equal:
path: metadata.name
value: "test-arc-gha-rs-controller-leader-election"
template: leader_election_role.yaml
- equal:
path: metadata.namespace
value: "test-ns"
template: leader_election_role.yaml
- equal:
path: kind
value: "RoleBinding"
template: leader_election_role_binding.yaml
- equal:
path: roleRef.name
value: "test-arc-gha-rs-controller-leader-election"
template: leader_election_role_binding.yaml
- equal:
path: subjects[0].name
value: "test-arc-gha-rs-controller"
template: leader_election_role_binding.yaml

68
charts/gha-runner-scale-set-controller-experimental/tests/controller_rbac_listener_role_test.yaml Normal file
View File

@@ -0,0 +1,68 @@
suite: "Controller RBAC listener"
templates:
- manager_listener_role.yaml
- manager_listener_role_binding.yaml
tests:
- it: should render listener role with expected rules
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- equal:
path: kind
value: "Role"
template: manager_listener_role.yaml
- equal:
path: metadata.name
value: "test-arc-gha-rs-controller-listener"
template: manager_listener_role.yaml
- equal:
path: metadata.namespace
value: "test-ns"
template: manager_listener_role.yaml
- equal:
path: rules[0].resources[0]
value: "pods"
template: manager_listener_role.yaml
- equal:
path: rules[1].resources[0]
value: "pods/status"
template: manager_listener_role.yaml
- equal:
path: rules[2].resources[0]
value: "secrets"
template: manager_listener_role.yaml
- equal:
path: rules[3].resources[0]
value: "serviceaccounts"
template: manager_listener_role.yaml
- it: should bind listener role to controller serviceaccount
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- equal:
path: kind
value: "RoleBinding"
template: manager_listener_role_binding.yaml
- equal:
path: metadata.name
value: "test-arc-gha-rs-controller-listener"
template: manager_listener_role_binding.yaml
- equal:
path: metadata.namespace
value: "test-ns"
template: manager_listener_role_binding.yaml
- equal:
path: roleRef.name
value: "test-arc-gha-rs-controller-listener"
template: manager_listener_role_binding.yaml
- equal:
path: subjects[0].name
value: "test-arc-gha-rs-controller"
template: manager_listener_role_binding.yaml
- equal:
path: subjects[0].namespace
value: "test-ns"
template: manager_listener_role_binding.yaml

56
charts/gha-runner-scale-set-controller-experimental/tests/controller_rbac_single_namespace_test.yaml Normal file
View File

@@ -0,0 +1,56 @@
suite: "Controller RBAC single-namespace mode"
templates:
- manager_single_namespace_controller_role.yaml
- manager_single_namespace_controller_role_binding.yaml
- manager_single_namespace_watch_role.yaml
- manager_single_namespace_watch_role_binding.yaml
tests:
- it: should not render single-namespace roles when watchSingleNamespace is empty
set:
controller:
manager:
config:
watchSingleNamespace: ""
release:
name: "test-arc"
namespace: "test-ns"
asserts:
- hasDocuments:
count: 0
template: manager_single_namespace_controller_role.yaml
- hasDocuments:
count: 0
template: manager_single_namespace_controller_role_binding.yaml
- hasDocuments:
count: 0
template: manager_single_namespace_watch_role.yaml
- hasDocuments:
count: 0
template: manager_single_namespace_watch_role_binding.yaml
- it: should render roles in controller namespace and watch namespace
set:
controller:
manager:
config:
watchSingleNamespace: "demo"
release:
name: "test-arc"
namespace: "ctrl-ns"
asserts:
- equal:
path: metadata.namespace
value: "ctrl-ns"
template: manager_single_namespace_controller_role.yaml
- equal:
path: metadata.namespace
value: "ctrl-ns"
template: manager_single_namespace_controller_role_binding.yaml
- equal:
path: metadata.namespace
value: "demo"
template: manager_single_namespace_watch_role.yaml
- equal:
path: metadata.namespace
value: "demo"
template: manager_single_namespace_watch_role_binding.yaml

46
charts/gha-runner-scale-set-controller-experimental/tests/controller_serviceaccount_create_toggle_test.yaml Normal file
View File

@@ -0,0 +1,46 @@
suite: "Controller serviceAccount.create toggle"
templates:
- serviceaccount.yaml
- deployment.yaml
tests:
- it: should create ServiceAccount and use it in Deployment when create is true
set:
controller:
manager:
container:
image: "ghcr.io/actions/gha-runner-scale-set-controller:latest"
serviceAccount:
create: true
name: ""
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 1
template: serviceaccount.yaml
- equal:
path: spec.template.spec.serviceAccountName
value: "test-name-gha-rs-controller"
template: deployment.yaml
- it: should not create ServiceAccount and use provided name in Deployment when create is false
set:
controller:
manager:
container:
image: "ghcr.io/actions/gha-runner-scale-set-controller:latest"
serviceAccount:
create: false
name: "existing-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0
template: serviceaccount.yaml
- equal:
path: spec.template.spec.serviceAccountName
value: "existing-sa"
template: deployment.yaml

72
charts/gha-runner-scale-set-controller-experimental/tests/controller_serviceaccount_test.yaml Normal file
View File

@@ -0,0 +1,72 @@
suite: "Controller ServiceAccount"
templates:
- serviceaccount.yaml
tests:
- it: should render serviceaccount by default
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: apiVersion
value: "v1"
- equal:
path: kind
value: "ServiceAccount"
- equal:
path: metadata.name
value: "test-name-gha-rs-controller"
- equal:
path: metadata.namespace
value: "test-namespace"
- equal:
path: metadata.labels["actions.github.com/controller-service-account-name"]
value: "test-name-gha-rs-controller"
- equal:
path: metadata.labels["actions.github.com/controller-service-account-namespace"]
value: "test-namespace"
- it: should allow overriding serviceAccount.name when create is true
set:
controller:
serviceAccount:
create: true
name: "overwritten-name"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.name
value: "overwritten-name"
- equal:
path: metadata.labels["actions.github.com/controller-service-account-name"]
value: "overwritten-name"
- it: should render serviceAccount annotations
set:
controller:
serviceAccount:
create: true
annotations:
foo: bar
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- equal:
path: metadata.annotations.foo
value: "bar"
- it: should not render when serviceAccount.create is false
set:
controller:
serviceAccount:
create: false
name: "existing-sa"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- hasDocuments:
count: 0

32
charts/gha-runner-scale-set-controller-experimental/tests/controller_serviceaccount_validation_test.yaml Normal file
View File

@@ -0,0 +1,32 @@
suite: "Controller ServiceAccount validation"
templates:
- serviceaccount.yaml
- deployment.yaml
tests:
- it: should fail if serviceAccount.name is 'default'
set:
controller:
serviceAccount:
create: true
name: "default"
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: "serviceAccount.name cannot be set to 'default'"
template: serviceaccount.yaml
- it: should fail when serviceAccount.create is false and name is not set
set:
controller:
serviceAccount:
create: false
name: ""
release:
name: "test-name"
namespace: "test-namespace"
asserts:
- failedTemplate:
errorMessage: "serviceAccount.name must be set if serviceAccount.create is false"
template: deployment.yaml

52
charts/gha-runner-scale-set-controller-experimental/tests/template_test.go Normal file
View File

@@ -0,0 +1,52 @@
package tests
import (
"os"
"path/filepath"
"strings"
"testing"
"github.com/gruntwork-io/terratest/modules/helm"
"github.com/gruntwork-io/terratest/modules/k8s"
"github.com/gruntwork-io/terratest/modules/logger"
"github.com/gruntwork-io/terratest/modules/random"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/yaml.v2"
appsv1 "k8s.io/api/apps/v1"
)
type Chart struct {
Version string `yaml:"version"`
AppVersion string `yaml:"appVersion"`
}
func TestTemplate_RenderedDeployment_UsesChartMetadataLabels(t *testing.T) {
t.Parallel()
helmChartPath, err := filepath.Abs("../../gha-runner-scale-set-controller-experimental")
require.NoError(t, err)
chartContent, err := os.ReadFile(filepath.Join(helmChartPath, "Chart.yaml"))
require.NoError(t, err)
chart := new(Chart)
err = yaml.Unmarshal(chartContent, chart)
require.NoError(t, err)
releaseName := "test-arc"
namespaceName := "test-" + strings.ToLower(random.UniqueId())
options := &helm.Options{
Logger: logger.Discard,
KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
}
output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/deployment.yaml"})
var deployment appsv1.Deployment
helm.UnmarshalK8SYaml(t, output, &deployment)
assert.Equal(t, "gha-rs-controller-"+chart.Version, deployment.Labels["helm.sh/chart"])
assert.Equal(t, chart.AppVersion, deployment.Labels["app.kubernetes.io/version"])
}

106
charts/gha-runner-scale-set-controller-experimental/values.yaml Normal file
View File

@@ -0,0 +1,106 @@
# Global chart-level labels applied to all resources (Deployment, RBAC, etc.).
labels: {}
# Overrides the default `.Release.Namespace` for all resources in this chart.
namespaceOverride: ""
# Optional imagePullSecrets added to the controller Pod spec.
# When set, the manager container also receives `--auto-scaler-image-pull-secrets=<name>` args.
imagePullSecrets: []
controller:
# Number of controller replicas.
replicaCount: 1
# Deployment-level metadata
metadata:
labels: {}
annotations: {}
manager:
config:
# Log level: "debug", "info", "warn", "error".
logLevel: "debug"
# Log format: "text", "json".
logFormat: "text"
# Restricts the controller to only watch resources in the desired namespace.
# Defaults to watch all namespaces when unset.
watchSingleNamespace: ""
# The maximum number of concurrent reconciles which can be run by the EphemeralRunner controller.
runnerMaxConcurrentReconciles: 2
# How the controller handles upgrades with running jobs: "immediate" or "eventual".
updateStrategy: "immediate"
# List of label prefixes that should NOT be propagated to internal resources.
excludeLabelPropagationPrefixes: []
# Example:
# excludeLabelPropagationPrefixes:
# - "argocd.argoproj.io/instance"
# K8s client rate limiter parameters.
k8sClientRateLimiterQPS: null
k8sClientRateLimiterBurst: null
container:
image: "ghcr.io/actions/gha-runner-scale-set-controller:latest"
pullPolicy: IfNotPresent
# Extra arguments appended to the default set generated by the chart.
extraArgs: []
# Container-level environment variables.
env: []
# Container-level security context.
securityContext: {}
# Container-level resource requests/limits.
resources: {}
# Extra container ports (metrics port is derived from controller.metrics).
extraPorts: []
serviceAccount:
# Specifies whether a service account should be created.
create: true
# Annotations to add to the service account.
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
# Pod-level configuration.
pod:
metadata:
labels: {}
annotations: {}
# PodSpec fields applied to spec.template.spec.
# Note: containers provided here are appended after the built-in manager container.
spec:
# Pod-level security context.
securityContext: {}
# Pod priority class name.
priorityClassName: ""
# Node selection constraints.
nodeSelector: {}
# Pod tolerations.
tolerations: []
# Pod affinity.
affinity: {}
# Pod topology spread constraints.
topologySpreadConstraints: []
# Pod termination grace period (overrides default 10s).
terminationGracePeriodSeconds: null
# Additional volumes appended to the default ones.
volumes: []
# Additional containers appended after the manager container.
containers: []
# Additional volume mounts appended to the manager container's default ones.
volumeMounts: []
# Metrics configuration. If omitted, metrics are disabled.
# metrics:
# controllerManagerAddr: ":8080"
# listenerAddr: ":8080"
# listenerEndpoint: "/metrics"

4
charts/gha-runner-scale-set-controller/Chart.yaml
View File

@@ -15,13 +15,13 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.13.0
version: 0.14.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.13.0"
appVersion: "0.14.0"
home: https://github.com/actions/actions-runner-controller

125
charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalinglisteners.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: autoscalinglisteners.actions.github.com
spec:
group: actions.github.com
@@ -56,6 +56,19 @@ spec:
autoscalingRunnerSetNamespace:
description: Required
type: string
configSecretMetadata:
description: ResourceMeta carries metadata common to all internal
resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
ephemeralRunnerSetName:
description: Required
type: string
@@ -196,9 +209,48 @@ spec:
type: string
type: array
type: object
roleBindingMetadata:
description: ResourceMeta carries metadata common to all internal
resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
roleMetadata:
description: ResourceMeta carries metadata common to all internal
resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
runnerScaleSetId:
description: Required
type: integer
serviceAccountMetadata:
description: ResourceMeta carries metadata common to all internal
resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
template:
description: PodTemplateSpec describes the data a pod should have
when created from a template
@@ -2049,7 +2101,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource
resize policy for the container.
@@ -5272,7 +5326,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource
resize policy for the container.
@@ -6059,8 +6115,8 @@ spec:
will be made available to those containers which consume them
by name.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This is a stable field but requires that the
DynamicResourceAllocation feature gate is enabled.
This field is immutable.
items:
@@ -6519,9 +6575,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -7332,7 +7389,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -8218,6 +8275,24 @@ spec:
description: Kubelet's generated CSRs
will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
@@ -8643,6 +8718,42 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
workloadRef:
description: |-
WorkloadRef provides a reference to the Workload object that this Pod belongs to.
This field is used by the scheduler to identify the PodGroup and apply the
correct group scheduling policies. The Workload object referenced
by this field may not exist at the time the Pod is created.
This field is immutable, but a Workload object with the same name
may be recreated with different policies. Doing this during pod scheduling
may result in the placement not conforming to the expected policies.
properties:
name:
description: |-
Name defines the name of the Workload object this Pod belongs to.
Workload must be in the same namespace as the Pod.
If it doesn't match any existing Workload, the Pod will remain unschedulable
until a Workload object is created and observed by the kube-scheduler.
It must be a DNS subdomain.
type: string
podGroup:
description: |-
PodGroup is the name of the PodGroup within the Workload that this Pod
belongs to. If it doesn't match any existing PodGroup within the Workload,
the Pod will remain unschedulable until the Workload object is recreated
and observed by the kube-scheduler. It must be a DNS label.
type: string
podGroupReplicaKey:
description: |-
PodGroupReplicaKey specifies the replica key of the PodGroup to which this
Pod belongs. It is used to distinguish pods belonging to different replicas
of the same pod group. The pod group policy is applied separately to each replica.
When set, it must be a DNS label.
type: string
required:
- name
- podGroup
type: object
required:
- containers
type: object

248
charts/gha-runner-scale-set-controller/crds/actions.github.com_autoscalingrunnersets.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: autoscalingrunnersets.actions.github.com
spec:
group: actions.github.com
@@ -64,6 +64,54 @@ spec:
spec:
description: AutoscalingRunnerSetSpec defines the desired state of AutoscalingRunnerSet
properties:
autoscalingListener:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
ephemeralRunnerConfigSecretMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
ephemeralRunnerMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
ephemeralRunnerSetMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
githubConfigSecret:
description: Required
type: string
@@ -99,6 +147,18 @@ spec:
x-kubernetes-map-type: atomic
type: object
type: object
listenerConfigSecretMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
listenerMetrics:
description: MetricsConfig holds configuration parameters for each metric type
properties:
@@ -143,6 +203,42 @@ spec:
type: object
type: object
type: object
listenerRoleBindingMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
listenerRoleMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
listenerServiceAccountMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
listenerTemplate:
description: PodTemplateSpec describes the data a pod should have when created from a template
properties:
@@ -1890,7 +1986,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -4963,7 +5061,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5724,8 +5824,8 @@ spec:
will be made available to those containers which consume them
by name.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This is a stable field but requires that the
DynamicResourceAllocation feature gate is enabled.
This field is immutable.
items:
@@ -6177,9 +6277,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -6951,7 +7052,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -7786,6 +7887,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
@@ -8195,6 +8314,42 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
workloadRef:
description: |-
WorkloadRef provides a reference to the Workload object that this Pod belongs to.
This field is used by the scheduler to identify the PodGroup and apply the
correct group scheduling policies. The Workload object referenced
by this field may not exist at the time the Pod is created.
This field is immutable, but a Workload object with the same name
may be recreated with different policies. Doing this during pod scheduling
may result in the placement not conforming to the expected policies.
properties:
name:
description: |-
Name defines the name of the Workload object this Pod belongs to.
Workload must be in the same namespace as the Pod.
If it doesn't match any existing Workload, the Pod will remain unschedulable
until a Workload object is created and observed by the kube-scheduler.
It must be a DNS subdomain.
type: string
podGroup:
description: |-
PodGroup is the name of the PodGroup within the Workload that this Pod
belongs to. If it doesn't match any existing PodGroup within the Workload,
the Pod will remain unschedulable until the Workload object is recreated
and observed by the kube-scheduler. It must be a DNS label.
type: string
podGroupReplicaKey:
description: |-
PodGroupReplicaKey specifies the replica key of the PodGroup to which this
Pod belongs. It is used to distinguish pods belonging to different replicas
of the same pod group. The pod group policy is applied separately to each replica.
When set, it must be a DNS label.
type: string
required:
- name
- podGroup
type: object
required:
- containers
type: object
@@ -8230,6 +8385,10 @@ spec:
type: object
runnerGroup:
type: string
runnerScaleSetLabels:
items:
type: string
type: array
runnerScaleSetName:
type: string
template:
@@ -9979,7 +10138,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -13046,7 +13207,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -13804,8 +13967,8 @@ spec:
will be made available to those containers which consume them
by name.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This is a stable field but requires that the
DynamicResourceAllocation feature gate is enabled.
This field is immutable.
items:
@@ -14254,9 +14417,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -15028,7 +15192,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -15863,6 +16027,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
@@ -16272,6 +16454,42 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
workloadRef:
description: |-
WorkloadRef provides a reference to the Workload object that this Pod belongs to.
This field is used by the scheduler to identify the PodGroup and apply the
correct group scheduling policies. The Workload object referenced
by this field may not exist at the time the Pod is created.
This field is immutable, but a Workload object with the same name
may be recreated with different policies. Doing this during pod scheduling
may result in the placement not conforming to the expected policies.
properties:
name:
description: |-
Name defines the name of the Workload object this Pod belongs to.
Workload must be in the same namespace as the Pod.
If it doesn't match any existing Workload, the Pod will remain unschedulable
until a Workload object is created and observed by the kube-scheduler.
It must be a DNS subdomain.
type: string
podGroup:
description: |-
PodGroup is the name of the PodGroup within the Workload that this Pod
belongs to. If it doesn't match any existing PodGroup within the Workload,
the Pod will remain unschedulable until the Workload object is recreated
and observed by the kube-scheduler. It must be a DNS label.
type: string
podGroupReplicaKey:
description: |-
PodGroupReplicaKey specifies the replica key of the PodGroup to which this
Pod belongs. It is used to distinguish pods belonging to different replicas
of the same pod group. The pod group policy is applied separately to each replica.
When set, it must be a DNS label.
type: string
required:
- name
- podGroup
type: object
required:
- containers
type: object
@@ -16333,10 +16551,10 @@ spec:
type: integer
pendingEphemeralRunners:
type: integer
phase:
type: string
runningEphemeralRunners:
type: integer
state:
type: string
type: object
type: object
served: true

85
charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunners.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: ephemeralrunners.actions.github.com
spec:
group: actions.github.com
@@ -70,6 +70,18 @@ spec:
spec:
description: EphemeralRunnerSpec defines the desired state of EphemeralRunner
properties:
ephemeralRunnerConfigSecretMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
githubConfigSecret:
type: string
githubConfigUrl:
@@ -1874,7 +1886,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -4941,7 +4955,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5699,8 +5715,8 @@ spec:
will be made available to those containers which consume them
by name.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This is a stable field but requires that the
DynamicResourceAllocation feature gate is enabled.
This field is immutable.
items:
@@ -6152,9 +6168,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -6926,7 +6943,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -7761,6 +7778,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
@@ -8170,6 +8205,42 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
workloadRef:
description: |-
WorkloadRef provides a reference to the Workload object that this Pod belongs to.
This field is used by the scheduler to identify the PodGroup and apply the
correct group scheduling policies. The Workload object referenced
by this field may not exist at the time the Pod is created.
This field is immutable, but a Workload object with the same name
may be recreated with different policies. Doing this during pod scheduling
may result in the placement not conforming to the expected policies.
properties:
name:
description: |-
Name defines the name of the Workload object this Pod belongs to.
Workload must be in the same namespace as the Pod.
If it doesn't match any existing Workload, the Pod will remain unschedulable
until a Workload object is created and observed by the kube-scheduler.
It must be a DNS subdomain.
type: string
podGroup:
description: |-
PodGroup is the name of the PodGroup within the Workload that this Pod
belongs to. If it doesn't match any existing PodGroup within the Workload,
the Pod will remain unschedulable until the Workload object is recreated
and observed by the kube-scheduler. It must be a DNS label.
type: string
podGroupReplicaKey:
description: |-
PodGroupReplicaKey specifies the replica key of the PodGroup to which this
Pod belongs. It is used to distinguish pods belonging to different replicas
of the same pod group. The pod group policy is applied separately to each replica.
When set, it must be a DNS label.
type: string
required:
- name
- podGroup
type: object
required:
- containers
type: object

100
charts/gha-runner-scale-set-controller/crds/actions.github.com_ephemeralrunnersets.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
controller-gen.kubebuilder.io/version: v0.20.1
name: ephemeralrunnersets.actions.github.com
spec:
group: actions.github.com
@@ -58,9 +58,33 @@ spec:
spec:
description: EphemeralRunnerSetSpec defines the desired state of EphemeralRunnerSet
properties:
ephemeralRunnerMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
ephemeralRunnerSpec:
description: EphemeralRunnerSpec is the spec of the ephemeral runner
properties:
ephemeralRunnerConfigSecretMetadata:
description: ResourceMeta carries metadata common to all internal resources
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
githubConfigSecret:
type: string
githubConfigUrl:
@@ -1865,7 +1889,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -4932,7 +4958,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize policy for the container.
properties:
@@ -5690,8 +5718,8 @@ spec:
will be made available to those containers which consume them
by name.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This is a stable field but requires that the
DynamicResourceAllocation feature gate is enabled.
This field is immutable.
items:
@@ -6143,9 +6171,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
@@ -6917,7 +6946,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -7752,6 +7781,24 @@ spec:
signerName:
description: Kubelet's generated CSRs will be addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.
These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.
Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.
Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
@@ -8161,6 +8208,42 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
workloadRef:
description: |-
WorkloadRef provides a reference to the Workload object that this Pod belongs to.
This field is used by the scheduler to identify the PodGroup and apply the
correct group scheduling policies. The Workload object referenced
by this field may not exist at the time the Pod is created.
This field is immutable, but a Workload object with the same name
may be recreated with different policies. Doing this during pod scheduling
may result in the placement not conforming to the expected policies.
properties:
name:
description: |-
Name defines the name of the Workload object this Pod belongs to.
Workload must be in the same namespace as the Pod.
If it doesn't match any existing Workload, the Pod will remain unschedulable
until a Workload object is created and observed by the kube-scheduler.
It must be a DNS subdomain.
type: string
podGroup:
description: |-
PodGroup is the name of the PodGroup within the Workload that this Pod
belongs to. If it doesn't match any existing PodGroup within the Workload,
the Pod will remain unschedulable until the Workload object is recreated
and observed by the kube-scheduler. It must be a DNS label.
type: string
podGroupReplicaKey:
description: |-
PodGroupReplicaKey specifies the replica key of the PodGroup to which this
Pod belongs. It is used to distinguish pods belonging to different replicas
of the same pod group. The pod group policy is applied separately to each replica.
When set, it must be a DNS label.
type: string
required:
- name
- podGroup
type: object
required:
- containers
type: object
@@ -8235,6 +8318,9 @@ spec:
type: integer
pendingEphemeralRunners:
type: integer
phase:
description: EphemeralRunnerSetPhase is the phase of the ephemeral runner set resource
type: string
runningEphemeralRunners:
type: integer
required:

24
charts/gha-runner-scale-set-experimental/.helmignore Normal file
View File

@@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
tests/

33
charts/gha-runner-scale-set-experimental/Chart.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: v2
name: gha-runner-scale-set-experimental
description: A Helm chart for deploying an AutoScalingRunnerSet
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: "0.14.0"
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.14.0"
home: https://github.com/actions/actions-runner-controller
sources:
- "https://github.com/actions/actions-runner-controller"
maintainers:
- name: actions
url: https://github.com/actions

58
charts/gha-runner-scale-set-experimental/templates/_autoscalingrunnerset.tpl Normal file
View File

@@ -0,0 +1,58 @@
{{/*
Create the labels for the autoscaling runner set.
*/}}
{{- define "autoscaling-runner-set.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "autoscaling-runner-set" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.autoscalingRunnerSet.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the autoscaling runner set.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.autoscalingRunnerSet.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "autoscaling-runner-set.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.autoscalingRunnerSet.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Render a ResourceMeta block for AutoscalingRunnerSet spec fields.
*/}}
{{- define "autoscaling-runner-set.spec-resource-metadata" -}}
{{- with .labels }}
labels:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .annotations }}
annotations:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- define "autoscaling-runner-set.template-service-account" -}}
{{- $runner := (.Values.runner | default dict) -}}
{{- $runnerMode := (index $runner "mode" | default "") -}}
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
{{- $kubeServiceAccountName := (index $kubeMode "serviceAccountName" | default "") -}}
{{- $kubeDefaults := (index $kubeMode "default" | default true) -}}
{{- if ne $runnerMode "kubernetes" }}
{{- include "no-permission-serviceaccount.name" . }}
{{- else if not (empty $kubeServiceAccountName) }}
{{- $kubeServiceAccountName }}
{{- else if $kubeDefaults }}
{{- include "kube-mode-serviceaccount.name" . }}
{{- else }}
{{- fail "runner.kubernetesMode.serviceAccountName must be set when runner.mode is 'kubernetes' and runner.kubernetesMode.default is false" -}}
{{- end }}
{{- end }}

135
charts/gha-runner-scale-set-experimental/templates/_defaults.tpl Normal file
View File

@@ -0,0 +1,135 @@
{{- define "autoscaling-runner-set.name" -}}
{{- $name := .Values.runnerScaleSetName | default .Release.Name | replace "_" "-" | trimSuffix "-" }}
{{- if or (empty $name) (gt (len $name) 45) }}
{{ fail "Autoscaling runner set name must have up to 45 characters" }}
{{- end }}
{{- $name }}
{{- end }}
{{- define "autoscaling-runner-set.namespace" -}}
{{- .Values.namespaceOverride | default .Release.Namespace -}}
{{- end }}
{{/*
The name of the manager Role.
*/}}
{{- define "manager-role.name" -}}
{{- printf "%s-manager-role" (include "autoscaling-runner-set.name" .) -}}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gha-runner-scale-set.chart" -}}
{{- printf "gha-rs-%s" .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
The name of the GitHub secret used for authentication.
*/}}
{{- define "github-secret.name" -}}
{{- if not (empty .Values.auth.secretName) -}}
{{- .Values.auth.secretName -}}
{{- else -}}
{{- printf "%s-github-secret" (include "autoscaling-runner-set.name" .) -}}
{{- end -}}
{{- end }}
{{/*
The name of the no-permission ServiceAccount.
This ServiceAccount is intended for non-kubernetes runner modes when the user
has not specified an explicit ServiceAccount.
*/}}
{{- define "no-permission-serviceaccount.name" -}}
{{- printf "%s-no-permission" (include "autoscaling-runner-set.name" .) -}}
{{- end }}
{{/*
The name of the kubernetes-mode Role.
Kept intentionally aligned with the legacy chart behavior.
*/}}
{{- define "kube-mode-role.name" -}}
{{- printf "%s-kube-mode" (include "autoscaling-runner-set.name" .) -}}
{{- end }}
{{/*
The name of the kubernetes-mode RoleBinding.
Kept intentionally aligned with the kubernetes-mode Role name.
*/}}
{{- define "kube-mode-role-binding.name" -}}
{{- include "kube-mode-role.name" . -}}
{{- end }}
{{/*
The name of the kubernetes-mode ServiceAccount.
Kept intentionally aligned with the legacy chart behavior.
*/}}
{{- define "kube-mode-serviceaccount.name" -}}
{{- include "kube-mode-role.name" . -}}
{{- end }}
{{/*
Create the common labels used across all resources.
*/}}
{{- define "gha-common-labels" -}}
helm.sh/chart: {{ include "gha-runner-scale-set.chart" . }}
app.kubernetes.io/name: {{ include "autoscaling-runner-set.name" . }}
app.kubernetes.io/instance: {{ include "autoscaling-runner-set.name" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: "gha-rs"
actions.github.com/scale-set-name: {{ include "autoscaling-runner-set.name" . }}
actions.github.com/scale-set-namespace: {{ include "autoscaling-runner-set.namespace" . }}
{{- end }}
{{/*
Get the runner container image.
It defaults to ghcr.io/actions/actions-runner:latest if not specified.
*/}}
{{- define "runner.image" -}}
{{- $runner := .Values.runner.container | default dict -}}
{{- if not (kindIs "map" $runner) -}}
{{- fail "runner.container must be a map/object" -}}
{{- end -}}
{{- $image := $runner.image | default "ghcr.io/actions/actions-runner:latest" -}}
{{- if not (kindIs "string" $image) -}}
{{- fail "runner.container.image must be a string" -}}
{{- end -}}
{{- $image }}
{{- end }}
{{- define "runner.command" -}}
{{- $runner := .Values.runner.container | default dict -}}
{{- if not (kindIs "map" $runner) -}}
{{- fail "runner.container must be a map/object" -}}
{{- end -}}
{{- $command := $runner.command | default (list "/home/runner/run.sh") -}}
{{- if not (kindIs "slice" $command) -}}
{{- fail "runner.container.command must be a list/array" -}}
{{- end -}}
{{- toJson $command -}}
{{- end }}
{{/*
Hook extension ConfigMap name for kubernetes runner mode.
If runner.kubernetesMode.extension.metadata.name is set, use it.
Otherwise, default to a name derived from the scale set name.
*/}}
{{- define "runner-mode-kubernetes.extension-name" -}}
{{- $runner := (.Values.runner | default dict) -}}
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
{{- $extension := (index $kubeMode "extension" | default dict) -}}
{{- $meta := (index $extension "metadata" | default dict) -}}
{{- $name := (index $meta "name" | default "") -}}
{{- if not (kindIs "string" $name) -}}
{{- fail "runner.kubernetesMode.extension.metadata.name must be a string" -}}
{{- end -}}
{{- default (printf "%s-hook-extension" (include "autoscaling-runner-set.name" .) | trunc 63 | trimSuffix "-") $name -}}
{{- end }}

184
charts/gha-runner-scale-set-experimental/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,184 @@
{{/*
Create the labels for the GitHub auth secret.
*/}}
{{- define "github-secret.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "github-secret" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the GitHub auth secret.
Only global annotations are applied.
Reserved annotations are excluded.
*/}}
{{- define "github-secret.annotations" -}}
{{- $annotations := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Create the labels for the no-permission ServiceAccount.
*/}}
{{- define "no-permission-serviceaccount.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "no-permission-serviceaccount" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.noPermissionServiceAccount.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the no-permission ServiceAccount.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.noPermissionServiceAccount.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "no-permission-serviceaccount.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.noPermissionServiceAccount.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Takes a map of user labels and removes the ones with "actions.github.com/" prefix
*/}}
{{- define "apply-non-reserved-gha-labels-and-annotations" -}}
{{- $userLabels := . -}}
{{- $processed := dict -}}
{{- range $key, $value := $userLabels -}}
{{- if not (hasPrefix "actions.github.com/" $key) -}}
{{- $_ := set $processed $key $value -}}
{{- end -}}
{{- end -}}
{{- if not (empty $processed) -}}
{{- $processed | toYaml }}
{{- end }}
{{- end }}
{{/*
GitHub Server TLS helper parts
These helpers centralize TLS env/volumeMount/volume snippets so that runner modes
inject the certificate consistently.
Behavior:
- If githubServerTLS.runnerMountPath is empty: emit nothing.
- If runnerMountPath is set: require certificateFrom.configMapKeyRef.name + key.
- Avoid duplicating user-provided env vars / volumeMounts.
*/}}
{{- define "githubServerTLS.config" -}}
{{- $tls := (default (dict) .Values.githubServerTLS) -}}
{{- if and (not (empty $tls)) (not (kindIs "map" $tls)) -}}
{{- fail "githubServerTLS must be a map/object" -}}
{{- end -}}
{{- toYaml $tls -}}
{{- end -}}
{{- define "githubServerTLS.mountPath" -}}
{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}}
{{- (index $tls "runnerMountPath" | default "") -}}
{{- end -}}
{{- define "githubServerTLS.configMapName" -}}
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
{{- if not (empty $mountPath) -}}
{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}}
{{- required "githubServerTLS.certificateFrom.configMapKeyRef.name is required when githubServerTLS.runnerMountPath is set" (dig "certificateFrom" "configMapKeyRef" "name" "" $tls) -}}
{{- end -}}
{{- end -}}
{{- define "githubServerTLS.certKey" -}}
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
{{- if not (empty $mountPath) -}}
{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}}
{{- required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (dig "certificateFrom" "configMapKeyRef" "key" "" $tls) -}}
{{- end -}}
{{- end -}}
{{- define "githubServerTLS.certFilePath" -}}
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
{{- if not (empty $mountPath) -}}
{{- $key := include "githubServerTLS.certKey" . -}}
{{- printf "%s/%s" (trimSuffix "/" $mountPath) $key -}}
{{- end -}}
{{- end -}}
{{- define "githubServerTLS.envItems" -}}
{{- $root := .root -}}
{{- $mountPath := include "githubServerTLS.mountPath" $root -}}
{{- if not (empty $mountPath) -}}
{{- $existing := (.existingEnv | default list) -}}
{{- $hasNodeExtra := false -}}
{{- $hasRunnerUpdate := false -}}
{{- if kindIs "slice" $existing -}}
{{- range $existing -}}
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "NODE_EXTRA_CA_CERTS") -}}
{{- $hasNodeExtra = true -}}
{{- end -}}
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "RUNNER_UPDATE_CA_CERTS") -}}
{{- $hasRunnerUpdate = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not $hasNodeExtra -}}
- name: NODE_EXTRA_CA_CERTS
value: {{ include "githubServerTLS.certFilePath" $root | quote }}
{{ end }}
{{- if not $hasRunnerUpdate -}}
- name: RUNNER_UPDATE_CA_CERTS
value: "1"
{{ end }}
{{- end -}}
{{- end -}}
{{- define "githubServerTLS.volumeMountItem" -}}
{{- $root := .root -}}
{{- $mountPath := include "githubServerTLS.mountPath" $root -}}
{{- if not (empty $mountPath) -}}
{{- $existing := (.existingVolumeMounts | default list) -}}
{{- $hasMount := false -}}
{{- if kindIs "slice" $existing -}}
{{- range $existing -}}
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "github-server-tls-cert") -}}
{{- $hasMount = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not $hasMount -}}
- name: github-server-tls-cert
mountPath: {{ $mountPath | quote }}
readOnly: true
{{ end }}
{{- end -}}
{{- end -}}
{{- define "githubServerTLS.podVolumeItem" -}}
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
{{- if not (empty $mountPath) -}}
{{- $cmName := include "githubServerTLS.configMapName" . -}}
{{- $key := include "githubServerTLS.certKey" . -}}
- name: github-server-tls-cert
configMap:
name: {{ $cmName | quote }}
items:
- key: {{ $key | quote }}
path: {{ $key | quote }}
{{ end }}
{{ end }}

26
charts/gha-runner-scale-set-experimental/templates/_listener_template.tpl Normal file
View File

@@ -0,0 +1,26 @@
{{- define "listener-template.pod" -}}
{{- $metadata := .Values.listenerPodTemplate.metadata | default dict -}}
{{- $spec := .Values.listenerPodTemplate.spec | default dict -}}
{{- if and (empty $metadata) (empty $spec) -}}
{{- fail "listenerPodTemplate must have at least metadata or spec defined" -}}
{{- end -}}
{{- with $metadata -}}
metadata:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with $spec -}}
spec:
{{- $containers := (index . "containers" | default (list)) -}}
{{- if empty $containers }}
containers:
- name: listener
{{- else }}
containers:
{{- toYaml $containers | nindent 4 }}
{{- end }}
{{- $rest := (omit . "containers") -}}
{{- if gt (len $rest) 0 }}
{{- toYaml $rest | nindent 2 }}
{{- end }}
{{- end }}
{{- end -}}

69
charts/gha-runner-scale-set-experimental/templates/_manager_role.tpl Normal file
View File

@@ -0,0 +1,69 @@
{{/*
Create the labels for the manager Role.
*/}}
{{- define "manager-role.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "manager-role" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the manager Role.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.managerRole.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "manager-role.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
The name of the manager RoleBinding.
Kept intentionally aligned with the manager Role name, mirroring the legacy
chart behavior.
*/}}
{{- define "manager-role-binding.name" -}}
{{- include "manager-role.name" . -}}
{{- end }}
{{/*
Create the labels for the manager RoleBinding.
*/}}
{{- define "manager-role-binding.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "manager-role-binding" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRoleBinding.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the manager RoleBinding.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.managerRoleBinding.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "manager-role-binding.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRoleBinding.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}

166
charts/gha-runner-scale-set-experimental/templates/_mode_dind.tpl Normal file
View File

@@ -0,0 +1,166 @@
{{- define "runner-mode-dind.runner-container" -}}
name: runner
image: {{ include "runner.image" . | quote }}
command: {{ include "runner.command" . }}
env:
- {{ include "runner-mode-dind.env-docker-host" . | nindent 4 }}
- {{ include "runner-mode-dind.env-wait-for-docker-timeout" . | nindent 4 }}
{{/* TODO:: Should we skip DOCKER_HOST and RUNNER_WAIT_FOR_DOCKER_IN_SECONDS? */}}
{{- with .Values.runner.env }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{ include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) | nindent 2 }}
volumeMounts:
- name: work
mountPath: /home/runner/_work
- name: dind-sock
mountPath: {{ include "runner-mode-dind.sock-mount-dir" . | quote }}
{{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }}
{{- end }}
{{- define "runner-mode-dind.dind-container" -}}
{{- $dind := .Values.runner.dind | default dict -}}
{{- $dindContainer := ($dind.container | default dict) -}}
{{- if and (hasKey $dind "container") (not (kindIs "map" $dindContainer)) -}}
{{- fail "runner.dind.container must be a map/object" -}}
{{- end -}}
{{- if and (hasKey $dindContainer "env") (not (kindIs "slice" $dindContainer.env)) -}}
{{- fail "runner.dind.container.env must be a list" -}}
{{- end -}}
{{- if and (hasKey $dindContainer "volumeMounts") (not (kindIs "slice" $dindContainer.volumeMounts)) -}}
{{- fail "runner.dind.container.volumeMounts must be a list" -}}
{{- end -}}
{{- if hasKey $dindContainer "volumes" -}}
{{- fail "runner.dind.container.volumes is not supported; use runner.pod.spec.volumes" -}}
{{- end -}}
{{- if and (hasKey $dindContainer "args") (not (kindIs "slice" $dindContainer.args)) -}}
{{- fail "runner.dind.container.args must be a list" -}}
{{- end -}}
{{- if and (hasKey $dindContainer "securityContext") (not (kindIs "map" $dindContainer.securityContext)) -}}
{{- fail "runner.dind.container.securityContext must be a map/object" -}}
{{- end -}}
{{- if and (hasKey $dindContainer "startupProbe") (not (kindIs "map" $dindContainer.startupProbe)) -}}
{{- fail "runner.dind.container.startupProbe must be a map/object" -}}
{{- end -}}
name: {{ $dindContainer.name | default "dind" }}
image: {{ $dindContainer.image | default "docker:dind" | quote }}
args:
{{- if $dindContainer.args }}
{{- toYaml $dindContainer.args | nindent 2 }}
{{- else }}
{{- include "runner-mode-dind.args" . | nindent 2 }}
{{- end }}
env:
- name: DOCKER_GROUP_GID
value: {{ ($dind.dockerGroupId | default "123") | quote }}
{{- with $dindContainer.env }}
{{- toYaml . | nindent 2 }}
{{- end }}
securityContext:
{{- if $dindContainer.securityContext }}
{{- toYaml $dindContainer.securityContext | nindent 2 }}
{{ else }}
{{- toYaml (dict "privileged" true) | nindent 2 }}
{{- end }}
restartPolicy: Always
startupProbe:
{{- if $dindContainer.startupProbe }}
{{- toYaml $dindContainer.startupProbe | nindent 2 }}
{{- else }}
{{- include "runner-mode-dind.startup-probe" . | nindent 2 }}
{{- end }}
volumeMounts:
- name: work
mountPath: /home/runner/_work
- name: dind-sock
mountPath: {{ include "runner-mode-dind.sock-mount-dir" . | quote }}
{{- with $dindContainer.volumeMounts }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- if $dind.copyRunnerExternals }}
- name: dind-externals
mountPath: /home/runner/externals
{{ end }}
{{- $extra := omit $dindContainer "name" "image" "args" "env" "securityContext" "startupProbe" "volumeMounts" -}}
{{- if not (empty $extra) -}}
{{ toYaml $extra }}
{{- end -}}
{{- end }}
{{- define "runner-mode-dind.pod-volumes" -}}
- name: work
emptyDir: {}
- name: dind-sock
emptyDir: {}
{{ include "githubServerTLS.podVolumeItem" . }}
{{- if .Values.runner.dind.copyRunnerExternals }}
- name: dind-externals
emptyDir: {}
{{- end }}
{{- end }}
{{- define "runner-mode-dind.copy-externals" -}}
name: init-dind-externals
image: ghcr.io/actions/actions-runner:latest
command: ["cp", "-r", "/home/runner/externals/.", "/home/runner/tmpDir/"]
volumeMounts:
- name: dind-externals
mountPath: /home/runner/tmpDir
{{- end }}
{{- define "runner-mode-dind.startup-probe" -}}
exec:
command:
- docker
- info
initialDelaySeconds: 0
failureThreshold: 24
periodSeconds: 5
{{- end }}
{{- define "runner-mode-dind.args" -}}
{{- $dind := .Values.runner.dind | default dict -}}
{{- $dockerSock := $dind.dockerSock | default "unix:///var/run/docker.sock" -}}
{{- if not (kindIs "string" $dockerSock) -}}
{{- fail "runner.dind.dockerSock must be a string" -}}
{{- end -}}
- dockerd
- {{ printf "--host=%s" $dockerSock }}
- --group=$(DOCKER_GROUP_GID)
{{- end }}
{{- define "runner-mode-dind.env-docker-host" -}}
{{- $dind := .Values.runner.dind | default dict -}}
{{- $dockerSock := $dind.dockerSock | default "unix:///var/run/docker.sock" -}}
{{- if not (kindIs "string" $dockerSock) -}}
{{- fail "runner.dind.dockerSock must be a string" -}}
{{- end -}}
name: DOCKER_HOST
value: {{ $dockerSock | quote }}
{{- end }}
{{- define "runner-mode-dind.env-wait-for-docker-timeout" -}}
{{- $dind := .Values.runner.dind | default dict -}}
{{- $waitForDockerInSeconds := $dind.waitForDockerInSeconds | default 120 -}}
{{- if not (or (kindIs "int" $waitForDockerInSeconds) (kindIs "int64" $waitForDockerInSeconds) (kindIs "float64" $waitForDockerInSeconds)) -}}
{{- fail "runner.dind.waitForDockerInSeconds must be a number" -}}
{{- end -}}
{{- $waitForDockerInSecondsInt := ($waitForDockerInSeconds | int) -}}
{{- if lt $waitForDockerInSecondsInt 0 -}}
{{- fail "runner.dind.waitForDockerInSeconds must be non-negative" -}}
{{- end -}}
name: RUNNER_WAIT_FOR_DOCKER_IN_SECONDS
value: {{ $waitForDockerInSecondsInt | toString | quote }}
{{- end }}
{{- define "runner-mode-dind.sock-mount-dir" -}}
{{- $dind := .Values.runner.dind | default dict -}}
{{- $dockerSock := $dind.dockerSock | default "unix:///var/run/docker.sock" -}}
{{- if not (kindIs "string" $dockerSock) -}}
{{- fail "runner.dind.dockerSock must be a string" -}}
{{- end -}}
{{- $dockerSockPath := trimPrefix "unix://" $dockerSock -}}
{{- dir $dockerSockPath -}}
{{- end }}

34
charts/gha-runner-scale-set-experimental/templates/_mode_empty.tpl Normal file
View File

@@ -0,0 +1,34 @@
{{/*
Container spec that is expanded for the runner container
*/}}
{{- define "runner-mode-empty.runner-container" -}}
{{- if not .Values.runner.container }}
{{ fail "You must provide a runner container specification in values.runner.container" }}
{{- end }}
name: runner
image: {{ .Values.runner.container.image | default "ghcr.io/actions/actions-runner:latest" }}
command: {{ toJson (default (list "/home/runner/run.sh") .Values.runner.container.command) }}
{{ $tlsEnvItems := include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.container.env | default list)) }}
{{ if or .Values.runner.container.env $tlsEnvItems }}
env:
{{- with .Values.runner.container.env }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{ $tlsEnvItems | nindent 2 }}
{{ end }}
{{ $tlsVolumeMountItem := include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (.Values.runner.container.volumeMounts | default list)) }}
{{ if or .Values.runner.container.volumeMounts $tlsVolumeMountItem }}
volumeMounts:
{{- with .Values.runner.container.volumeMounts }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{ $tlsVolumeMountItem | nindent 2 }}
{{ end }}
{{ $extra := omit .Values.runner.container "name" "image" "command" "env" "volumeMounts" }}
{{- if not (empty $extra) -}}
{{ toYaml $extra }}
{{- end -}}
{{- end }}

242
charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl Normal file
View File

@@ -0,0 +1,242 @@
{{- define "runner-mode-kubernetes.runner-container" -}}
{{- $runner := (.Values.runner | default dict) -}}
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
{{- $hookPath := (index $kubeMode "hookPath" | default "/home/runner/k8s/index.js") -}}
{{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}}
{{- $extension := (index $kubeMode "extension" | default dict) -}}
{{- $extensionYamlRaw := "" -}}
{{- if kindIs "map" $extension -}}
{{- if hasKey $extension "yaml" -}}
{{- $extensionYamlRaw = (index $extension "yaml") -}}
{{- end -}}
{{- end -}}
{{- $extensionYamlStr := "" -}}
{{- if empty $extensionYamlRaw -}}
{{- $extensionYamlStr = "" -}}
{{- else if kindIs "string" $extensionYamlRaw -}}
{{- $extensionYamlStr = $extensionYamlRaw -}}
{{- else if kindIs "map" $extensionYamlRaw -}}
{{- $extensionYamlStr = toYaml $extensionYamlRaw -}}
{{- end -}}
{{- $hasExtension := or (not (empty $extensionRef)) (not (empty $extensionYamlStr)) -}}
{{- $hookTemplatePath := printf "%s/hook-template.yaml" (dir $hookPath) -}}
{{- $setHookTemplateEnv := true -}}
{{- $userEnv := (.Values.runner.env | default list) -}}
{{- if kindIs "slice" $userEnv -}}
{{- range $userEnv -}}
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE") -}}
{{- $setHookTemplateEnv = false -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not (kindIs "string" $hookPath) -}}
{{- fail "runner.kubernetesMode.hookPath must be a string" -}}
{{- end -}}
{{- if not (kindIs "string" $extensionRef) -}}
{{- fail "runner.kubernetesMode.extensionRef must be a string" -}}
{{- end -}}
{{- if and (empty $extensionRef) (hasKey $kubeMode "extension") (not (kindIs "map" $extension)) -}}
{{- fail "runner.kubernetesMode.extension must be an object when runner.kubernetesMode.extensionRef is empty" -}}
{{- end -}}
{{- if and (empty $extensionRef) (not (empty $extensionYamlRaw)) (not (or (kindIs "string" $extensionYamlRaw) (kindIs "map" $extensionYamlRaw))) -}}
{{- fail "runner.kubernetesMode.extension.yaml must be a string or an object" -}}
{{- end -}}
{{- $requireJobContainer := true -}}
{{- if hasKey $kubeMode "requireJobContainer" -}}
{{- $requireJobContainer = (index $kubeMode "requireJobContainer") -}}
{{- end -}}
{{- if not (kindIs "bool" $requireJobContainer) -}}
{{- fail "runner.kubernetesMode.requireJobContainer must be a bool" -}}
{{- end -}}
name: runner
image: {{ include "runner.image" . | quote }}
command: {{ include "runner.command" . }}
{{ $tlsEnvItems := include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) }}
env:
- name: ACTIONS_RUNNER_CONTAINER_HOOKS
value: {{ $hookPath | quote }}
- name: ACTIONS_RUNNER_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
value: {{ ternary "true" "false" $requireJobContainer | quote }}
{{- if not $requireJobContainer -}}
{{- printf "# WARNING: runner.kubernetesMode.requireJobContainer is set to false. This means that the runner container will be used to execute jobs, which may lead to security risks if the runner is compromised. It is recommended to set runner.kubernetesMode.requireJobContainer to true in production environments." }}
{{- end -}}
{{- if and $hasExtension $setHookTemplateEnv }}
- name: ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE
value: {{ $hookTemplatePath | quote }}
{{- end }}
{{- with .Values.runner.env }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{ $tlsEnvItems | nindent 2 }}
volumeMounts:
- name: work
mountPath: /home/runner/_work
{{- if $hasExtension }}
- name: hook-extension
mountPath: {{ $hookTemplatePath | quote }}
subPath: extension
readOnly: true
{{- end }}
{{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }}
{{- end }}
{{- define "runner-mode-kubernetes.pod-volumes" -}}
{{- $runner := (.Values.runner | default dict) -}}
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
{{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}}
{{- $extension := (index $kubeMode "extension" | default dict) -}}
{{- $extensionYamlRaw := "" -}}
{{- if kindIs "map" $extension -}}
{{- if hasKey $extension "yaml" -}}
{{- $extensionYamlRaw = (index $extension "yaml") -}}
{{- end -}}
{{- end -}}
{{- $extensionYamlStr := "" -}}
{{- if empty $extensionYamlRaw -}}
{{- $extensionYamlStr = "" -}}
{{- else if kindIs "string" $extensionYamlRaw -}}
{{- $extensionYamlStr = $extensionYamlRaw -}}
{{- else if kindIs "map" $extensionYamlRaw -}}
{{- $extensionYamlStr = toYaml $extensionYamlRaw -}}
{{- end -}}
{{- $hasExtension := or (not (empty $extensionRef)) (not (empty $extensionYamlStr)) -}}
{{- $claim := (index $kubeMode "workVolumeClaim" | default dict) -}}
{{- if and (not (empty $claim)) (not (kindIs "map" $claim)) -}}
{{- fail "runner.kubernetesMode.workVolumeClaim must be a map/object" -}}
{{- end -}}
{{- if not (kindIs "string" $extensionRef) -}}
{{- fail "runner.kubernetesMode.extensionRef must be a string" -}}
{{- end -}}
{{- if and (empty $extensionRef) (hasKey $kubeMode "extension") (not (kindIs "map" $extension)) -}}
{{- fail "runner.kubernetesMode.extension must be an object when runner.kubernetesMode.extensionRef is empty" -}}
{{- end -}}
{{- if and (empty $extensionRef) (not (empty $extensionYamlRaw)) (not (or (kindIs "string" $extensionYamlRaw) (kindIs "map" $extensionYamlRaw))) -}}
{{- fail "runner.kubernetesMode.extension.yaml must be a string or an object" -}}
{{- end -}}
{{- $defaultClaim := dict "accessModes" (list "ReadWriteOnce") "storageClassName" "local-path" "resources" (dict "requests" (dict "storage" "1Gi")) -}}
{{- $claimSpec := mergeOverwrite $defaultClaim $claim -}}
- name: work
ephemeral:
volumeClaimTemplate:
spec:
{{- toYaml $claimSpec | nindent 8 }}
{{- if $hasExtension }}
- name: hook-extension
configMap:
name: {{ if not (empty $extensionRef) }}{{ $extensionRef | quote }}{{ else }}{{ include "runner-mode-kubernetes.extension-name" . | quote }}{{ end }}
{{- end }}
{{ include "githubServerTLS.podVolumeItem" . }}
{{- end }}
{{/*
Create the annotations for the kubernetes-mode ServiceAccount.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.kubernetesModeServiceAccount.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "kube-mode-serviceaccount.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Create the labels for the kubernetes-mode ServiceAccount.
*/}}
{{- define "kube-mode-serviceaccount.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-serviceaccount" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeServiceAccount.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the labels for the kubernetes-mode Role.
*/}}
{{- define "kube-mode-role.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the kubernetes-mode RoleBinding.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.kubernetesModeRoleBinding.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "kube-mode-role-binding.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{/*
Create the labels for the kubernetes-mode RoleBinding.
*/}}
{{- define "kube-mode-role-binding.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "kube-mode-role-binding" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRoleBinding.metadata.labels | default (dict)) | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}
{{- end }}
{{/*
Create the annotations for the kubernetes-mode Role.
Order of precedence:
1) resource.all.metadata.annotations
2) resource.kubernetesModeRole.metadata.annotations
Reserved annotations are excluded from both levels.
*/}}
{{- define "kube-mode-role.annotations" -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.kubernetesModeRole.metadata.annotations | default (dict))) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $resource -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations }}
{{- end }}
{{- end }}
{{- define "kube-mode-extension.name" -}}
{{- $runner := (.Values.runner | default dict) -}}
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
{{- $extension := (index $kubeMode "extension" | default dict) -}}
{{- $meta := (index $extension "metadata" | default dict) -}}
{{- $name := (index $meta "name" | default "") -}}
{{- if not (kindIs "string" $name) -}}
{{- fail "runner.kubernetesMode.extension.metadata.name must be a string" -}}
{{- end -}}
{{- default (printf "%s-hook-extension" (include "autoscaling-runner-set.name" .) | trunc 63 | trimSuffix "-") $name -}}
{{- end }}
{{/*
Create the labels for the hook extension ConfigMap.
*/}}
{{- define "kube-mode-extension.labels" -}}
{{- $resourceLabels := dict "app.kubernetes.io/component" "hook-extension" -}}
{{- $commonLabels := include "gha-common-labels" . | fromYaml -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- toYaml (mergeOverwrite $global $resourceLabels $commonLabels) -}}
{{- end }}

65
charts/gha-runner-scale-set-experimental/templates/_runner_pod.tpl Normal file
View File

@@ -0,0 +1,65 @@
{{/*
Create labels for the runner Pod template (spec.template.metadata.labels).
Order of precedence:
1) resource.all.metadata.labels
2) runner.pod.metadata.labels
3) common labels (cannot be overridden)
Reserved actions.github.com/* labels are excluded from user/global inputs.
*/}}
{{- define "autoscaling-runner-set.runner-pod.labels" -}}
{{- $runner := (.Values.runner | default dict) -}}
{{- $pod := (index $runner "pod" | default dict) -}}
{{- if not (kindIs "map" $pod) -}}
{{- fail ".Values.runner.pod must be a map/object" -}}
{{- end -}}
{{- $podMetadata := (index $pod "metadata" | default dict) -}}
{{- if not (kindIs "map" $podMetadata) -}}
{{- fail ".Values.runner.pod.metadata must be a map/object" -}}
{{- end -}}
{{- $userRaw := (index $podMetadata "labels" | default (dict)) -}}
{{- if not (kindIs "map" $userRaw) -}}
{{- fail ".Values.runner.pod.metadata.labels must be a map/object" -}}
{{- end -}}
{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}}
{{- $user := include "apply-non-reserved-gha-labels-and-annotations" $userRaw | fromYaml -}}
{{- $common := include "gha-common-labels" . | fromYaml -}}
{{- $labels := mergeOverwrite $global $user $common -}}
{{- if not (empty $labels) -}}
{{- toYaml $labels -}}
{{- end -}}
{{- end }}
{{/*
Create annotations for the runner Pod template (spec.template.metadata.annotations).
Order of precedence:
1) resource.all.metadata.annotations
2) runner.pod.metadata.annotations
Reserved actions.github.com/* annotations are excluded from user/global inputs.
*/}}
{{- define "autoscaling-runner-set.runner-pod.annotations" -}}
{{- $runner := (.Values.runner | default dict) -}}
{{- $pod := (index $runner "pod" | default dict) -}}
{{- if not (kindIs "map" $pod) -}}
{{- fail ".Values.runner.pod must be a map/object" -}}
{{- end -}}
{{- $podMetadata := (index $pod "metadata" | default dict) -}}
{{- if not (kindIs "map" $podMetadata) -}}
{{- fail ".Values.runner.pod.metadata must be a map/object" -}}
{{- end -}}
{{- $userRaw := (index $podMetadata "annotations" | default (dict)) -}}
{{- if not (kindIs "map" $userRaw) -}}
{{- fail ".Values.runner.pod.metadata.annotations must be a map/object" -}}
{{- end -}}
{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- $user := (include "apply-non-reserved-gha-labels-and-annotations" $userRaw) | fromYaml -}}
{{- $annotations := mergeOverwrite $global $user -}}
{{- if not (empty $annotations) -}}
{{- toYaml $annotations -}}
{{- end -}}
{{- end }}

275
charts/gha-runner-scale-set-experimental/templates/autoscalingrunnserset.yaml Normal file
View File

@@ -0,0 +1,275 @@
{{- $runner := (.Values.runner | default dict) }}
{{- $runnerMode := (index $runner "mode" | default "") }}
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) }}
{{- $dind := (index $runner "dind" | default dict) }}
{{- $kubeDefaults := (index $kubeMode "default" | default true) }}
{{- $kubeServiceAccountName := (index $kubeMode "serviceAccountName" | default "") }}
{{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") }}
{{- $runnerPod := (index $runner "pod" | default dict) -}}
{{- if not (kindIs "map" $runnerPod) -}}
{{- fail ".Values.runner.pod must be an object" -}}
{{- end }}
{{- $runnerPodSpec := (index $runnerPod "spec" | default dict) -}}
{{- if not (kindIs "map" $runnerPodSpec) -}}
{{- fail ".Values.runner.pod.spec must be an object" -}}
{{- end }}
{{- $extraContainers := (index $runnerPodSpec "containers" | default list) -}}
{{- if not (kindIs "slice" $extraContainers) -}}
{{- fail ".Values.runner.pod.spec.containers must be a list of container specifications" -}}
{{- end }}
{{- range $extraContainers -}}
{{- if not (kindIs "map" .) -}}
{{- fail ".Values.runner.pod.spec.containers must be a list of container specifications" -}}
{{- end }}
{{- $extraContainerName := (index . "name" | default "") -}}
{{- if empty $extraContainerName -}}
{{- fail ".Values.runner.pod.spec.containers[].name is required" -}}
{{- end }}
{{- if eq $extraContainerName "runner" -}}
{{- fail ".Values.runner.pod.spec.containers[].name must not be 'runner' (reserved)" -}}
{{- end }}
{{- end }}
{{- $extraInitContainers := (index $runnerPodSpec "initContainers" | default list) -}}
{{- if not (kindIs "slice" $extraInitContainers) -}}
{{- fail ".Values.runner.pod.spec.initContainers must be a list of container specifications" -}}
{{- end }}
{{- range $extraInitContainers -}}
{{- if not (kindIs "map" .) -}}
{{- fail ".Values.runner.pod.spec.initContainers must be a list of container specifications" -}}
{{- end }}
{{- $extraInitContainerName := (index . "name" | default "") -}}
{{- if empty $extraInitContainerName -}}
{{- fail ".Values.runner.pod.spec.initContainers[].name is required" -}}
{{- end }}
{{- end }}
{{- $runnerPodSpecExtraFields := (omit $runnerPodSpec "containers" "initContainers" "volumes" "serviceAccountName") -}}
{{- $extraVolumes := (index $runnerPodSpec "volumes" | default list) -}}
{{- if not (kindIs "slice" $extraVolumes) -}}
{{- fail ".Values.runner.pod.spec.volumes must be a list of volume specifications" -}}
{{- end }}
{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}}
{{- $hasInitContainers := or (gt (len $extraInitContainers) 0) (eq $runnerMode "dind") -}}
{{- $hasVolumes := or (gt (len $extraVolumes) 0) (eq $runnerMode "kubernetes") (eq $runnerMode "dind") (not (empty $tlsMountPath)) -}}
apiVersion: actions.github.com/v1alpha1
kind: AutoscalingRunnerSet
metadata:
name: {{ include "autoscaling-runner-set.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "autoscaling-runner-set.labels" . | nindent 4 }}
annotations:
{{- include "autoscaling-runner-set.annotations" . | nindent 4 }}
actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
{{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) }}
actions.github.com/cleanup-github-secret-name: {{ include "github-secret.name" . | quote }}
{{- end }}
actions.github.com/cleanup-manager-role-binding: {{ include "manager-role-binding.name" . | quote }}
actions.github.com/cleanup-manager-role-name: {{ include "manager-role.name" . | quote }}
{{- if ne $runnerMode "kubernetes" }}
actions.github.com/cleanup-no-permission-service-account-name: {{ include "no-permission-serviceaccount.name" . | quote }}
{{- end }}
{{- if and (eq $runnerMode "kubernetes") $kubeDefaults (empty $kubeServiceAccountName) }}
actions.github.com/cleanup-kubernetes-mode-role-binding-name: {{ include "kube-mode-role-binding.name" . | quote }}
actions.github.com/cleanup-kubernetes-mode-role-name: {{ include "kube-mode-role.name" . | quote }}
actions.github.com/cleanup-kubernetes-mode-service-account-name: {{ include "kube-mode-serviceaccount.name" . | quote }}
{{- end }}
spec:
githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }}
githubConfigSecret: {{ include "github-secret.name" . | quote }}
runnerGroup: {{ .Values.scaleset.runnerGroup | quote }}
runnerScaleSetName: {{ .Values.scaleset.name | quote }}
{{- if and .Values.scaleset.labels (kindIs "slice" .Values.scaleset.labels) }}
{{- range .Values.scaleset.labels }}
{{- if empty . }}
{{- fail "scaleset.labels contains an empty string, each label must be a non-empty string of less than 256 characters" }}
{{- end }}
{{- if ge (len .) 256 }}
{{- fail "scaleset.labels contains a label that is 256 characters or more, each label must be a non-empty string of less than 256 characters" }}
{{- end }}
{{- end }}
runnerScaleSetLabels:
{{- toYaml .Values.scaleset.labels | nindent 4 }}
{{- end }}
{{- if .Values.githubServerTLS }}
githubServerTLS:
{{- with .Values.githubServerTLS.certificateFrom }}
certificateFrom:
configMapKeyRef:
name: {{ .configMapKeyRef.name }}
key: {{ .configMapKeyRef.key }}
{{- end }}
{{- end }}
{{- if and .Values.secretResolution (ne .Values.secretResolution.type "kubernetes") }}
vaultConfig:
type: {{ .Values.secretResolution.type }}
{{- if .Values.secretResolution.proxy }}
proxy: {{- toYaml .Values.secretResolution.proxy | nindent 6 }}
{{- end }}
{{- if eq .Values.secretResolution.type "azureKeyVault" }}
azureKeyVault:
url: {{ .Values.secretResolution.azureKeyVault.url }}
tenantId: {{ .Values.secretResolution.azureKeyVault.tenantId }}
clientId: {{ .Values.secretResolution.azureKeyVault.clientId }}
certificatePath: {{ .Values.secretResolution.azureKeyVault.certificatePath }}
secretKey: {{ .Values.secretResolution.azureKeyVault.secretKey }}
{{- else }}
{{- fail (printf "Unsupported keyVault type: %s" .Values.secretResolution.type) }}
{{- end }}
{{- end }}
{{- if .Values.proxy }}
proxy:
{{- if .Values.proxy.http }}
http:
url: {{ .Values.proxy.http.url }}
{{- if .Values.proxy.http.credentialSecretRef }}
credentialSecretRef: {{ .Values.proxy.http.credentialSecretRef }}
{{- end }}
{{- end }}
{{- if .Values.proxy.https }}
https:
url: {{ .Values.proxy.https.url }}
{{- if .Values.proxy.https.credentialSecretRef }}
credentialSecretRef: {{ .Values.proxy.https.credentialSecretRef }}
{{- end }}
{{- end }}
{{- if and .Values.proxy.noProxy (kindIs "slice" .Values.proxy.noProxy) }}
noProxy: {{ .Values.proxy.noProxy | toYaml | nindent 6}}
{{- end }}
{{- end }}
{{- if and (or (kindIs "int64" .Values.scaleset.minRunners) (kindIs "float64" .Values.scaleset.minRunners)) (or (kindIs "int64" .Values.scaleset.maxRunners) (kindIs "float64" .Values.scaleset.maxRunners)) }}
{{- if gt .Values.scaleset.minRunners .Values.scaleset.maxRunners }}
{{- fail "maxRunners has to be greater or equal to minRunners" }}
{{- end }}
{{- end }}
{{- if or (kindIs "int64" .Values.scaleset.maxRunners) (kindIs "float64" .Values.scaleset.maxRunners)}}
{{- if lt (.Values.scaleset.maxRunners | int) 0 }}
{{- fail "maxRunners has to be greater or equal to 0" }}
{{- end }}
maxRunners: {{ .Values.scaleset.maxRunners | int }}
{{- end }}
{{- if or (kindIs "int64" .Values.scaleset.minRunners) (kindIs "float64" .Values.scaleset.minRunners) }}
{{- if lt (.Values.scaleset.minRunners | int) 0 }}
{{- fail "minRunners has to be greater or equal to 0" }}
{{- end }}
minRunners: {{ .Values.scaleset.minRunners | int }}
{{- end }}
{{- if and .Values.listenerPodTemplate (or .Values.listenerPodTemplate.metadata .Values.listenerPodTemplate.spec) }}
listenerTemplate:
{{- include "listener-template.pod" . | nindent 4}}
{{- end }}
{{- with .Values.listenerMetrics }}
listenerMetrics:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.resource.autoscalingListener.metadata }}
autoscalingListener:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
{{- with .Values.resource.listenerServiceAccount.metadata }}
listenerServiceAccountMetadata:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
{{- with .Values.resource.listenerRole.metadata }}
listenerRoleMetadata:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
{{- with .Values.resource.listenerRoleBinding.metadata }}
listenerRoleBindingMetadata:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
{{- with .Values.resource.listenerConfigSecret.metadata }}
listenerConfigSecretMetadata:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
{{- with .Values.resource.ephemeralRunnerSet.metadata }}
ephemeralRunnerSetMetadata:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
{{- with .Values.resource.ephemeralRunner.metadata }}
ephemeralRunnerMetadata:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
{{- with .Values.resource.ephemeralRunnerConfigSecret.metadata }}
ephemeralRunnerConfigSecretMetadata:
{{- include "autoscaling-runner-set.spec-resource-metadata" . | nindent 4 }}
{{- end }}
template:
{{- $runnerPodLabels := (include "autoscaling-runner-set.runner-pod.labels" .) -}}
{{- $runnerPodAnnotations := (include "autoscaling-runner-set.runner-pod.annotations" .) -}}
{{- if or $runnerPodLabels $runnerPodAnnotations }}
metadata:
{{- if $runnerPodLabels }}
labels:
{{- $runnerPodLabels | nindent 8 }}
{{- end }}
{{- if $runnerPodAnnotations }}
annotations:
{{- $runnerPodAnnotations | nindent 8 }}
{{- end }}
{{- end }}
spec:
serviceAccountName: {{ include "autoscaling-runner-set.template-service-account" . | quote }}
{{- if $hasInitContainers }}
initContainers:
{{- if and (eq $runnerMode "dind") $dind.copyRunnerExternals }}
- {{ include "runner-mode-dind.copy-externals" . | nindent 10 }}
{{- end }}
{{- range $extraInitContainers }}
- {{ toYaml . | nindent 10 }}
{{- end }}
{{- if eq $runnerMode "dind" }}
- {{ include "runner-mode-dind.dind-container" . | nindent 10 }}
{{- end }}
{{- end }}
containers:
-
{{- if eq $runnerMode "kubernetes" }}
{{- include "runner-mode-kubernetes.runner-container" . | nindent 10 }}
{{- else if eq $runnerMode "dind" }}
{{- include "runner-mode-dind.runner-container" . | nindent 10 }}
{{- else }}
{{- include "runner-mode-empty.runner-container" . | nindent 10 }}
{{- end }}
{{- if $extraContainers }}
{{- range $extraContainers }}
- {{ toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- if $hasVolumes }}
volumes:
{{- if eq $runnerMode "kubernetes" }}
{{- include "runner-mode-kubernetes.pod-volumes" . | nindent 8 }}
{{- else }}
{{- include "runner-mode-dind.pod-volumes" . | nindent 8 }}
{{- end }}
{{- if $extraVolumes }}
{{- range $extraVolumes }}
- {{ toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- if gt (len $runnerPodSpecExtraFields) 0 }}
{{- toYaml $runnerPodSpecExtraFields | nindent 6 }}
{{- end }}

28
charts/gha-runner-scale-set-experimental/templates/githubsecret.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") -}}
{{- if and (not $usesKubernetesSecrets) (empty .Values.auth.secretName) -}}
{{- fail ".Values.auth.secretName is required when .Values.secretResolution.type is not \"kubernetes\"" -}}
{{- end -}}
{{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "github-secret.name" . | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "github-secret.labels" . | nindent 4 }}
annotations:
{{- include "github-secret.annotations" . | nindent 4 }}
finalizers:
- actions.github.com/cleanup-protection
type: Opaque
data:
{{- if not (empty .Values.auth.app.clientId) }}
github_app_id: {{ .Values.auth.app.clientId | toString | b64enc }}
github_app_installation_id: {{ required ".Values.auth.app.installationId is required when using GitHub App auth" .Values.auth.app.installationId | toString | b64enc }}
github_app_private_key: {{ required ".Values.auth.app.privateKey is required when using GitHub App auth" .Values.auth.app.privateKey | toString | b64enc }}
{{- else }}
github_token: {{ required ".Values.auth.githubToken is required when auth.secretName and auth.app.clientId are not set" .Values.auth.githubToken | toString | b64enc }}
{{- end }}
{{- end -}}

60
charts/gha-runner-scale-set-experimental/templates/hook_extension.yaml Normal file
View File

@@ -0,0 +1,60 @@
{{- $runner := (.Values.runner | default dict) -}}
{{- $runnerMode := (index $runner "mode" | default "") -}}
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
{{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}}
{{- if not (kindIs "string" $extensionRef) -}}
{{- fail "runner.kubernetesMode.extensionRef must be a string" -}}
{{- end -}}
{{- if and (eq $runnerMode "kubernetes") (empty $extensionRef) -}}
{{- $extension := (index $kubeMode "extension" | default dict) -}}
{{- if and (hasKey $kubeMode "extension") (not (kindIs "map" $extension)) -}}
{{- fail "runner.kubernetesMode.extension must be an object" -}}
{{- end -}}
{{- $extensionMeta := dict -}}
{{- $extensionName := "" -}}
{{- $extensionYamlRaw := "" -}}
{{- $extensionYamlStr := "" -}}
{{- if kindIs "map" $extension -}}
{{- $extensionMeta = (index $extension "metadata" | default dict) -}}
{{- if not (kindIs "map" $extensionMeta) -}}
{{- fail "runner.kubernetesMode.extension.metadata must be an object" -}}
{{- end -}}
{{- $extensionName = (index $extensionMeta "name" | default "") -}}
{{- if hasKey $extension "yaml" -}}
{{- $extensionYamlRaw = (index $extension "yaml") -}}
{{- end -}}
{{- end -}}
{{- if not (kindIs "string" $extensionName) -}}
{{- fail "runner.kubernetesMode.extension.metadata.name must be a string" -}}
{{- end -}}
{{- if empty $extensionYamlRaw -}}
{{- $extensionYamlStr = "" -}}
{{- else if kindIs "string" $extensionYamlRaw -}}
{{- $extensionYamlStr = $extensionYamlRaw -}}
{{- else if kindIs "map" $extensionYamlRaw -}}
{{- $extensionYamlStr = toYaml $extensionYamlRaw -}}
{{- else -}}
{{- fail "runner.kubernetesMode.extension.yaml must be a string or an object" -}}
{{- end -}}
{{- if not (empty $extensionYamlStr) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ default (include "runner-mode-kubernetes.extension-name" .) $extensionName | quote }}
namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
labels:
{{- include "kube-mode-extension.labels" . | nindent 4 }}
{{- $annotations := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
{{- if not (empty $annotations) }}
annotations:
{{- toYaml $annotations | nindent 4 }}
{{- end }}
data:
extension: |-
{{ $extensionYamlStr | indent 4 }}
{{- end -}}
{{- end -}}

Some files were not shown because too many files have changed in this diff Show More