add dockerEnabled option (#191)

Add dockerEnabled option for users who does not need docker and want not to run privileged container.
if `dockerEnabled == false`, dind container not run, and there are no privileged container.

Do the same as closed #96

.github/workflows/build-runner.yml

@@ -18,9 +18,16 @@ name: Runner
 jobs:
   build:
     runs-on: ubuntu-latest
-    name: Build
+    name: Build ${{ matrix.name }}
+    strategy:
+      matrix:
+        include:
+          - name: actions-runner
+            dockerfile: Dockerfile
+          - name: actions-runner-dind
+            dockerfile: dindrunner.Dockerfile
     env:
-      RUNNER_VERSION: 2.273.5
+      RUNNER_VERSION: 2.274.1
       DOCKER_VERSION: 19.03.12
       DOCKERHUB_USERNAME: ${{ github.repository_owner }}
     steps:
@@ -41,16 +48,9 @@ jobs:
             --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
             --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
             --platform linux/amd64,linux/arm64 \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner:v${RUNNER_VERSION} \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner:latest \
-            -f Dockerfile .
-          docker buildx build \
-            --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
-            --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
-            --platform linux/amd64,linux/arm64 \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner-dind:v${RUNNER_VERSION} \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner-dind:latest \
-            -f dindrunner.Dockerfile .
+            --tag ${DOCKERHUB_USERNAME}/${{ matrix.name }}:v${RUNNER_VERSION} \
+            --tag ${DOCKERHUB_USERNAME}/${{ matrix.name }}:latest \
+            -f ${{ matrix.dockerfile }} .
 
       - name: Login to GitHub Docker Registry
         run: echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin
@@ -67,13 +67,6 @@ jobs:
             --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
             --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
             --platform linux/amd64,linux/arm64 \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner:v${RUNNER_VERSION} \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner:latest \
-            -f Dockerfile . --push
-          docker buildx build \
-            --build-arg RUNNER_VERSION=${RUNNER_VERSION} \
-            --build-arg DOCKER_VERSION=${DOCKER_VERSION} \
-            --platform linux/amd64,linux/arm64 \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner-dind:v${RUNNER_VERSION} \
-            --tag ${DOCKERHUB_USERNAME}/actions-runner-dind:latest \
-            -f dindrunner.Dockerfile . --push
+            --tag ${DOCKERHUB_USERNAME}/${{ matrix.name }}:v${RUNNER_VERSION} \
+            --tag ${DOCKERHUB_USERNAME}/${{ matrix.name }}:latest \
+            -f ${{ matrix.dockerfile }} . --push

.gitignore

@@ -23,3 +23,6 @@ bin
 *.swp
 *.swo
 *~
+
+.envrc
+*.pem

Makefile

@@ -59,11 +59,14 @@ deploy: manifests
 	kustomize build config/default | kubectl apply -f -
 
 # Generate manifests e.g. CRD, RBAC etc.
-manifests: manifests-118 fix118
+manifests: manifests-118 fix118 chart-crds
 
 manifests-118: controller-gen
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
+chart-crds:
+	cp config/crd/bases/*.yaml charts/actions-runner-controller/crds/
+
 # Run go fmt against code
 fmt:
 	go fmt ./...
@@ -118,6 +121,31 @@ release: manifests
 	mkdir -p release
 	kustomize build config/default > release/actions-runner-controller.yaml
 
+.PHONY: acceptance
+acceptance: release
+	ACCEPTANCE_TEST_SECRET_TYPE=token make acceptance/setup acceptance/tests acceptance/teardown
+	ACCEPTANCE_TEST_SECRET_TYPE=app make acceptance/setup acceptance/tests acceptance/teardown
+	ACCEPTANCE_TEST_DEPLOYMENT_TOOL=helm ACCEPTANCE_TEST_SECRET_TYPE=token make acceptance/setup acceptance/tests acceptance/teardown
+	ACCEPTANCE_TEST_DEPLOYMENT_TOOL=helm ACCEPTANCE_TEST_SECRET_TYPE=app make acceptance/setup acceptance/tests acceptance/teardown
+
+acceptance/setup:
+	kind create cluster --name acceptance
+	kubectl cluster-info --context kind-acceptance
+	kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.yaml	#kubectl create namespace actions-runner-system
+	kubectl -n cert-manager wait deploy/cert-manager-cainjector --for condition=available --timeout 60s
+	kubectl -n cert-manager wait deploy/cert-manager-webhook --for condition=available --timeout 60s
+	kubectl -n cert-manager wait deploy/cert-manager --for condition=available --timeout 60s
+	kubectl create namespace actions-runner-system
+	# Adhocly wait for some time until cert-manager's admission webhook gets ready
+	sleep 5
+
+acceptance/teardown:
+	kind delete cluster --name acceptance
+
+acceptance/tests:
+	acceptance/deploy.sh
+	acceptance/checks.sh
+
 # Upload release file to GitHub.
 github-release: release
 	ghr ${VERSION} release/

README.md

@@ -37,17 +37,23 @@ There are two ways for actions-runner-controller to authenticate with the GitHub
 1. Using GitHub App.
 2. Using Personal Access Token.
 
+Regardless of which authentication method you use, the same permissions are required, those permissions are:
+- Repository: Administration (read/write)
+- Repository: Actions (read)
+- Organization: Self-hosted runners (read/write)
+
+
 **NOTE: It is extremely important to only follow one of the sections below and not both.**
 
 ### Using GitHub App
 
 You can create a GitHub App for either your account or any organization. If you want to create a GitHub App for your account, open the following link to the creation page, enter any unique name in the "GitHub App name" field, and hit the "Create GitHub App" button at the bottom of the page.
 
-- [Create GitHub Apps on your account](https://github.com/settings/apps/new?url=http://github.com/summerwind/actions-runner-controller&webhook_active=false&public=false&administration=write)
+- [Create GitHub Apps on your account](https://github.com/settings/apps/new?url=http://github.com/summerwind/actions-runner-controller&webhook_active=false&public=false&administration=write&actions=read)
 
 If you want to create a GitHub App for your organization, replace the `:org` part of the following URL with your organization name before opening it. Then enter any unique name in the "GitHub App name" field, and hit the "Create GitHub App" button at the bottom of the page to create a GitHub App.
 
-- [Create GitHub Apps on your organization](https://github.com/organizations/:org/settings/apps/new?url=http://github.com/summerwind/actions-runner-controller&webhook_active=false&public=false&administration=write&organization_self_hosted_runners=write)
+- [Create GitHub Apps on your organization](https://github.com/organizations/:org/settings/apps/new?url=http://github.com/summerwind/actions-runner-controller&webhook_active=false&public=false&administration=write&organization_self_hosted_runners=write&actions=read)
 
 You will see an *App ID* on the page of the GitHub App you created as follows, the value of this App ID will be used later.
 
@@ -230,7 +236,7 @@ spec:
     - summerwind/actions-runner-controller
 ```
 
-Please also note that the sync period is set to 10 minutes by default and it's configurable via `--sync-period` flag.
+The scale out performance is controlled via the manager containers startup `--sync-period` argument. The default value is 10 minutes to prevent unconfigured deployments rate limiting themselves from the GitHub API. The period can be customised in the `config/default/manager_auth_proxy_patch.yaml` patch for those that are building the solution via the kustomize setup.
 
 Additionally, the autoscaling feature has an anti-flapping option that prevents periodic loop of scaling up and down.
 By default, it doesn't scale down until the grace period of 10 minutes passes after a scale up. The grace period can be configured by setting `scaleDownDelaySecondsAfterScaleUp`:
@@ -427,6 +433,41 @@ spec:
   image: YOUR_CUSTOM_DOCKER_IMAGE
 ```
 
+## Common Errors
+
+### invalid header field value
+
+```json
+2020-11-12T22:17:30.693Z	ERROR	controller-runtime.controller	Reconciler error	{"controller": "runner", "request": "actions-runner-system/runner-deployment-dk7q8-dk5c9", "error": "failed to create registration token: Post \"https://api.github.com/orgs/$YOUR_ORG_HERE/actions/runners/registration-token\": net/http: invalid header field value \"Bearer $YOUR_TOKEN_HERE\\n\" for key Authorization"}
+```
+
+**Solutions**<br />
+Your base64'ed PAT token has a new line at the end, it needs to be created without a `\n` added
+* `echo -n $TOKEN | base64`
+* Create the secret as described in the docs using the shell and documeneted flags
+
+# Developing
+
+If you'd like to modify the controller to fork or contribute, I'd suggest using the following snippet for running
+the acceptance test:
+
+```shell
+NAME=$DOCKER_USER/actions-runner-controller VERSION=dev \
+  GITHUB_TOKEN=*** \
+  APP_ID=*** \
+  PRIVATE_KEY_FILE_PATH=path/to/pem/file \
+  INSTALLATION_ID=*** \
+  make docker-build docker-push acceptance
+```
+
+Please follow the instructions explained in [Using Personal Access Token](#using-personal-access-token) to obtain
+`GITHUB_TOKEN`, and those in [Using GitHub App](#using-github-app) to obtain `APP_ID`, `INSTALLATION_ID`, and
+`PRIAVTE_KEY_FILE_PATH`.
+
+The test creates a one-off `kind` cluster, deploys `cert-manager` and `actions-runner-controller`,
+creates a `RunnerDeployment` custom resource for a public Git repository to confirm that the
+controller is able to bring up a runner pod with the actions runner registration token installed.
+
 # Alternatives
 
 The following is a list of alternative solutions that may better fit you depending on your use-case:

acceptance/checks.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+
+runner_name=
+
+while [ -z "${runner_name}" ]; do
+  echo Finding the runner... 1>&2
+  sleep 1
+  runner_name=$(kubectl get runner --output=jsonpath="{.items[*].metadata.name}")
+done
+
+echo Found runner ${runner_name}.
+
+pod_name=
+
+while [ -z "${pod_name}" ]; do
+  echo Finding the runner pod... 1>&2
+  sleep 1
+  pod_name=$(kubectl get pod --output=jsonpath="{.items[*].metadata.name}" | grep ${runner_name})
+done
+
+echo Found pod ${pod_name}.
+
+echo Waiting for pod ${runner_name} to become ready... 1>&2
+
+kubectl wait pod/${runner_name} --for condition=ready --timeout 120s
+
+echo All tests passed. 1>&2

acceptance/deploy.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -e
+
+tpe=${ACCEPTANCE_TEST_SECRET_TYPE}
+
+if [ "${tpe}" == "token" ]; then
+  kubectl create secret generic controller-manager \
+	  -n actions-runner-system \
+	  --from-literal=github_token=${GITHUB_TOKEN:?GITHUB_TOKEN must not be empty}
+elif [ "${tpe}" == "app" ]; then
+  kubectl create secret generic controller-manager \
+    -n actions-runner-system \
+    --from-literal=github_app_id=${APP_ID:?must not be empty} \
+    --from-literal=github_app_installation_id=${INSTALLATION_ID:?must not be empty} \
+    --from-file=github_app_private_key=${PRIVATE_KEY_FILE_PATH:?must not be empty}
+else
+  echo "ACCEPTANCE_TEST_SECRET_TYPE must be set to either \"token\" or \"app\"" 1>&2
+  exit 1
+fi
+
+tool=${ACCEPTANCE_TEST_DEPLOYMENT_TOOL}
+
+if [ "${tool}" == "helm" ]; then
+  helm upgrade --install actions-runner-controller \
+    charts/actions-runner-controller \
+    -n actions-runner-system \
+    --create-namespace \
+    --set syncPeriod=5m
+  kubectl -n actions-runner-system wait deploy/actions-runner-controller --for condition=available
+else
+  kubectl apply \
+    -n actions-runner-system \
+    -f release/actions-runner-controller.yaml
+  kubectl -n actions-runner-system wait deploy/controller-manager --for condition=available
+fi
+
+# Adhocly wait for some time until actions-runner-controller's admission webhook gets ready
+sleep 20
+
+kubectl apply \
+  -f acceptance/testdata/runnerdeploy.yaml

acceptance/testdata/runnerdeploy.yaml

@@ -0,0 +1,9 @@
+apiVersion: actions.summerwind.dev/v1alpha1
+kind: RunnerDeployment
+metadata:
+  name: example-runnerdeploy
+spec:
+#  replicas: 1
+  template:
+    spec:
+      repository: mumoshu/actions-runner-controller-ci

api/v1alpha1/runner_types.go

@@ -84,6 +84,8 @@ type RunnerSpec struct {
 	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
 	// +optional
 	DockerdWithinRunnerContainer *bool `json:"dockerdWithinRunnerContainer,omitempty"`
+	// +optional
+	DockerEnabled *bool `json:"dockerEnabled,omitempty"`
 }
 
 // ValidateRepository validates repository field.

api/v1alpha1/runnerdeployment_types.go

@@ -27,6 +27,7 @@ const (
 // RunnerReplicaSetSpec defines the desired state of RunnerDeployment
 type RunnerDeploymentSpec struct {
 	// +optional
+	// +nullable
 	Replicas *int `json:"replicas,omitempty"`
 
 	Template RunnerTemplate `json:"template"`

api/v1alpha1/runnerreplicaset_types.go

@@ -22,7 +22,9 @@ import (
 
 // RunnerReplicaSetSpec defines the desired state of RunnerReplicaSet
 type RunnerReplicaSetSpec struct {
-	Replicas *int `json:"replicas"`
+	// +optional
+	// +nullable
+	Replicas *int `json:"replicas,omitempty"`
 
 	Template RunnerTemplate `json:"template"`
 }

api/v1alpha1/zz_generated.deepcopy.go

@@ -530,6 +530,11 @@ func (in *RunnerSpec) DeepCopyInto(out *RunnerSpec) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.DockerEnabled != nil {
+		in, out := &in.DockerEnabled, &out.DockerEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunnerSpec.

charts/actions-runner-controller/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/actions-runner-controller/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: actions-runner-controller
+description: A Kubernetes controller that operates self-hosted runners for GitHub Actions on your Kubernetes cluster.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 0.11.2

charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml

@@ -0,0 +1,118 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: horizontalrunnerautoscalers.actions.summerwind.dev
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.minReplicas
+    name: Min
+    type: number
+  - JSONPath: .spec.maxReplicas
+    name: Max
+    type: number
+  - JSONPath: .status.desiredReplicas
+    name: Desired
+    type: number
+  group: actions.summerwind.dev
+  names:
+    kind: HorizontalRunnerAutoscaler
+    listKind: HorizontalRunnerAutoscalerList
+    plural: horizontalrunnerautoscalers
+    singular: horizontalrunnerautoscaler
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      description: HorizontalRunnerAutoscaler is the Schema for the horizontalrunnerautoscaler
+        API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: HorizontalRunnerAutoscalerSpec defines the desired state of
+            HorizontalRunnerAutoscaler
+          properties:
+            maxReplicas:
+              description: MinReplicas is the maximum number of replicas the deployment
+                is allowed to scale
+              type: integer
+            metrics:
+              description: Metrics is the collection of various metric targets to
+                calculate desired number of runners
+              items:
+                properties:
+                  repositoryNames:
+                    description: RepositoryNames is the list of repository names to
+                      be used for calculating the metric. For example, a repository
+                      name is the REPO part of `github.com/USER/REPO`.
+                    items:
+                      type: string
+                    type: array
+                  type:
+                    description: Type is the type of metric to be used for autoscaling.
+                      The only supported Type is TotalNumberOfQueuedAndInProgressWorkflowRuns
+                    type: string
+                type: object
+              type: array
+            minReplicas:
+              description: MinReplicas is the minimum number of replicas the deployment
+                is allowed to scale
+              type: integer
+            scaleDownDelaySecondsAfterScaleOut:
+              description: ScaleDownDelaySecondsAfterScaleUp is the approximate delay
+                for a scale down followed by a scale up Used to prevent flapping (down->up->down->...
+                loop)
+              type: integer
+            scaleTargetRef:
+              description: ScaleTargetRef sis the reference to scaled resource like
+                RunnerDeployment
+              properties:
+                name:
+                  type: string
+              type: object
+          type: object
+        status:
+          properties:
+            desiredReplicas:
+              description: DesiredReplicas is the total number of desired, non-terminated
+                and latest pods to be set for the primary RunnerSet This doesn't include
+                outdated pods while upgrading the deployment and replacing the runnerset.
+              type: integer
+            lastSuccessfulScaleOutTime:
+              format: date-time
+              type: string
+            observedGeneration:
+              description: ObservedGeneration is the most recent generation observed
+                for the target. It corresponds to e.g. RunnerDeployment's generation,
+                which is updated on mutation by the API Server.
+              format: int64
+              type: integer
+          type: object
+      type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/actions-runner-controller/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "actions-runner-controller.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "actions-runner-controller.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "actions-runner-controller.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "actions-runner-controller.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/actions-runner-controller/templates/_helpers.tpl

@@ -0,0 +1,98 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "actions-runner-controller.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "actions-runner-controller.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "actions-runner-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "actions-runner-controller.labels" -}}
+helm.sh/chart: {{ include "actions-runner-controller.chart" . }}
+{{ include "actions-runner-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "actions-runner-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "actions-runner-controller.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "actions-runner-controller.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "actions-runner-controller.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "actions-runner-controller.leaderElectionRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-leader-election
+{{- end }}
+
+{{- define "actions-runner-controller.authProxyRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-proxy
+{{- end }}
+
+{{- define "actions-runner-controller.managerRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-manager
+{{- end }}
+
+{{- define "actions-runner-controller.runnerEditorRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-runner-editor
+{{- end }}
+
+{{- define "actions-runner-controller.runnerViewerRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-runner-viewer
+{{- end }}
+
+{{- define "actions-runner-controller.webhookServiceName" -}}
+{{- include "actions-runner-controller.fullname" . }}-webhook
+{{- end }}
+
+{{- define "actions-runner-controller.authProxyServiceName" -}}
+{{- include "actions-runner-controller.fullname" . }}-controller-manager-metrics-service
+{{- end }}
+
+{{- define "actions-runner-controller.selfsignedIssuerName" -}}
+{{- include "actions-runner-controller.fullname" . }}-selfsigned-issuer
+{{- end }}
+
+{{- define "actions-runner-controller.servingCertName" -}}
+{{- include "actions-runner-controller.fullname" . }}-serving-cert
+{{- end }}

charts/actions-runner-controller/templates/auth_proxy_role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]

charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}

charts/actions-runner-controller/templates/auth_proxy_service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  name: {{ include "actions-runner-controller.authProxyServiceName" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    {{- include "actions-runner-controller.selectorLabels" . | nindent 4 }}

charts/actions-runner-controller/templates/certificate.yaml

@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
+  namespace: {{ .Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "actions-runner-controller.servingCertName" . }}
+  namespace: {{ .Namespace }}
+spec:
+  dnsNames:
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc
+  - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
+  secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize

charts/actions-runner-controller/templates/deployment.yaml

@@ -0,0 +1,102 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "actions-runner-controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "actions-runner-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "actions-runner-controller.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "actions-runner-controller.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - args:
+        - "--metrics-addr=127.0.0.1:8080"
+        - "--enable-leader-election"
+        - "--sync-period={{ .Values.syncPeriod }}"
+        command:
+        - "/manager"
+        env:
+        - name: GITHUB_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: github_token
+              name: controller-manager
+              optional: true
+        - name: GITHUB_APP_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_id
+              name: controller-manager
+              optional: true
+        - name: GITHUB_APP_INSTALLATION_ID
+          valueFrom:
+            secretKeyRef:
+              key: github_app_installation_id
+              name: controller-manager
+              optional: true
+        - name: GITHUB_APP_PRIVATE_KEY
+          value: /etc/actions-runner-controller/github_app_private_key
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}"
+        name: manager
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+        volumeMounts:
+        - mountPath: "/etc/actions-runner-controller"
+          name: controller-manager
+          readOnly: true
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      - args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+        name: kube-rbac-proxy
+        ports:
+        - containerPort: 8443
+          name: https
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - name: controller-manager
+        secret:
+          secretName: controller-manager
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/actions-runner-controller/templates/leader_election_role.yaml

@@ -0,0 +1,33 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create

charts/actions-runner-controller/templates/leader_election_role_binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}

charts/actions-runner-controller/templates/manager_role.yaml

@@ -0,0 +1,165 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.managerRoleName" . }}
+rules:
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - horizontalrunnerautoscalers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerdeployments/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerreplicasets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerreplicasets/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runnerreplicasets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch

charts/actions-runner-controller/templates/manager_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "actions-runner-controller.managerRoleName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "actions-runner-controller.managerRoleName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}

charts/actions-runner-controller/templates/runner_editor_role.yaml

@@ -0,0 +1,26 @@
+# permissions to do edit runners.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "actions-runner-controller.runnerEditorRoleName" . }}
+rules:
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/status
+  verbs:
+  - get
+  - patch
+  - update

charts/actions-runner-controller/templates/runner_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions to do viewer runners.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "actions-runner-controller.runnerViewerRoleName" . }}
+rules:
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - actions.summerwind.dev
+  resources:
+  - runners/status
+  verbs:
+  - get

charts/actions-runner-controller/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/actions-runner-controller/templates/webhook_configs.yaml

@@ -0,0 +1,128 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.fullname" . }}-mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+webhooks:
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-actions-summerwind-dev-v1alpha1-runner
+  failurePolicy: Fail
+  name: mutate.runner.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runners
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment
+  failurePolicy: Fail
+  name: mutate.runnerdeployment.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerdeployments
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset
+  failurePolicy: Fail
+  name: mutate.runnerreplicaset.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerreplicasets
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.fullname" . }}-validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+webhooks:
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-actions-summerwind-dev-v1alpha1-runner
+  failurePolicy: Fail
+  name: validate.runner.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runners
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment
+  failurePolicy: Fail
+  name: validate.runnerdeployment.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerdeployments
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: {{ include "actions-runner-controller.webhookServiceName" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset
+  failurePolicy: Fail
+  name: validate.runnerreplicaset.actions.summerwind.dev
+  rules:
+  - apiGroups:
+    - actions.summerwind.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - runnerreplicasets

charts/actions-runner-controller/templates/webhook_service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "actions-runner-controller.webhookServiceName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: 443
+      targetPort: 9443
+      protocol: TCP
+      name: https
+  selector:
+    {{- include "actions-runner-controller.selectorLabels" . | nindent 4 }}

charts/actions-runner-controller/values.yaml

@@ -0,0 +1,81 @@
+# Default values for actions-runner-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+syncPeriod: 10m
+
+image:
+  repository: summerwind/actions-runner-controller
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 443
+
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

config/crd/bases/actions.summerwind.dev_runnerdeployments.yaml

@@ -41,6 +41,7 @@ spec:
           description: RunnerReplicaSetSpec defines the desired state of RunnerDeployment
           properties:
             replicas:
+              nullable: true
               type: integer
             template:
               properties:
@@ -399,6 +400,8 @@ spec:
                           - name
                         type: object
                       type: array
+                    dockerEnabled:
+                      type: boolean
                     dockerdContainerResources:
                       description: ResourceRequirements describes the compute resource requirements.
                       properties:

config/crd/bases/actions.summerwind.dev_runnerreplicasets.yaml

@@ -41,6 +41,7 @@ spec:
           description: RunnerReplicaSetSpec defines the desired state of RunnerReplicaSet
           properties:
             replicas:
+              nullable: true
               type: integer
             template:
               properties:
@@ -399,6 +400,8 @@ spec:
                           - name
                         type: object
                       type: array
+                    dockerEnabled:
+                      type: boolean
                     dockerdContainerResources:
                       description: ResourceRequirements describes the compute resource requirements.
                       properties:
@@ -1533,7 +1536,6 @@ spec:
                   type: object
               type: object
           required:
-            - replicas
             - template
           type: object
         status:

config/crd/bases/actions.summerwind.dev_runners.yaml

@@ -393,6 +393,8 @@ spec:
                   - name
                 type: object
               type: array
+            dockerEnabled:
+              type: boolean
             dockerdContainerResources:
               description: ResourceRequirements describes the compute resource requirements.
               properties:

config/default/manager_auth_proxy_patch.yaml

@@ -23,3 +23,4 @@ spec:
         args:
         - "--metrics-addr=127.0.0.1:8080"
         - "--enable-leader-election"
+        - "--sync-period=10m"

config/manager/manager.yaml

@@ -57,7 +57,7 @@ spec:
         resources:
           limits:
             cpu: 100m
-            memory: 30Mi
+            memory: 100Mi
           requests:
             cpu: 100m
             memory: 20Mi

controllers/runner_controller.go

@@ -126,7 +126,13 @@ func (r *RunnerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			return ctrl.Result{}, err
 		}
 
-		newPod, err := r.newPod(ctx, runner)
+		if updated, err := r.updateRegistrationToken(ctx, runner); err != nil {
+			return ctrl.Result{}, err
+		} else if updated {
+			return ctrl.Result{Requeue: true}, nil
+		}
+
+		newPod, err := r.newPod(runner)
 		if err != nil {
 			log.Error(err, "Could not create pod")
 			return ctrl.Result{}, err
@@ -174,7 +180,13 @@ func (r *RunnerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			}
 		}
 
-		newPod, err := r.newPod(ctx, runner)
+		if updated, err := r.updateRegistrationToken(ctx, runner); err != nil {
+			return ctrl.Result{}, err
+		} else if updated {
+			return ctrl.Result{Requeue: true}, nil
+		}
+
+		newPod, err := r.newPod(runner)
 		if err != nil {
 			log.Error(err, "Could not create pod")
 			return ctrl.Result{}, err
@@ -249,21 +261,47 @@ func (r *RunnerReconciler) unregisterRunner(ctx context.Context, org, repo, name
 	return true, nil
 }
 
-func (r *RunnerReconciler) newPod(ctx context.Context, runner v1alpha1.Runner) (corev1.Pod, error) {
+func (r *RunnerReconciler) updateRegistrationToken(ctx context.Context, runner v1alpha1.Runner) (bool, error) {
+	if runner.IsRegisterable() {
+		return false, nil
+	}
+
+	log := r.Log.WithValues("runner", runner.Name)
+
+	rt, err := r.GitHubClient.GetRegistrationToken(ctx, runner.Spec.Organization, runner.Spec.Repository, runner.Name)
+	if err != nil {
+		r.Recorder.Event(&runner, corev1.EventTypeWarning, "FailedUpdateRegistrationToken", "Updating registration token failed")
+		log.Error(err, "Failed to get new registration token")
+		return false, err
+	}
+
+	updated := runner.DeepCopy()
+	updated.Status.Registration = v1alpha1.RunnerStatusRegistration{
+		Organization: runner.Spec.Organization,
+		Repository:   runner.Spec.Repository,
+		Labels:       runner.Spec.Labels,
+		Token:        rt.GetToken(),
+		ExpiresAt:    metav1.NewTime(rt.GetExpiresAt().Time),
+	}
+
+	if err := r.Status().Update(ctx, updated); err != nil {
+		log.Error(err, "Failed to update runner status")
+		return false, err
+	}
+
+	r.Recorder.Event(&runner, corev1.EventTypeNormal, "RegistrationTokenUpdated", "Successfully update registration token")
+	log.Info("Updated registration token", "repository", runner.Spec.Repository)
+
+	return true, nil
+}
+
+func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 	var (
 		privileged      bool = true
 		dockerdInRunner bool = runner.Spec.DockerdWithinRunnerContainer != nil && *runner.Spec.DockerdWithinRunnerContainer
-		err             error
+		dockerEnabled   bool = runner.Spec.DockerEnabled == nil || *runner.Spec.DockerEnabled
 	)
 
-	token := runner.Status.Registration.Token
-	if !runner.IsRegisterable() {
-		token, err = r.getRegistrationToken(ctx, runner)
-		if err != nil {
-			return corev1.Pod{}, err
-		}
-	}
-
 	runnerImage := runner.Spec.Image
 	if runnerImage == "" {
 		runnerImage = r.RunnerImage
@@ -297,7 +335,7 @@ func (r *RunnerReconciler) newPod(ctx context.Context, runner v1alpha1.Runner) (
 		},
 		{
 			Name:  "RUNNER_TOKEN",
-			Value: token,
+			Value: runner.Status.Registration.Token,
 		},
 		{
 			Name:  "DOCKERD_IN_RUNNER",
@@ -336,7 +374,7 @@ func (r *RunnerReconciler) newPod(ctx context.Context, runner v1alpha1.Runner) (
 		},
 	}
 
-	if !dockerdInRunner {
+	if !dockerdInRunner && dockerEnabled {
 		pod.Spec.Volumes = []corev1.Volume{
 			{
 				Name: "work",
@@ -344,23 +382,17 @@ func (r *RunnerReconciler) newPod(ctx context.Context, runner v1alpha1.Runner) (
 					EmptyDir: &corev1.EmptyDirVolumeSource{},
 				},
 			},
-			{
-				Name: "docker",
-				VolumeSource: corev1.VolumeSource{
-					EmptyDir: &corev1.EmptyDirVolumeSource{},
-				},
-			},
 		}
 		pod.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
 			{
 				Name:      "work",
 				MountPath: "/runner/_work",
 			},
-			{
-				Name:      "docker",
-				MountPath: "/var/run",
-			},
 		}
+		pod.Spec.Containers[0].Env = append(pod.Spec.Containers[0].Env, corev1.EnvVar{
+			Name:  "DOCKER_HOST",
+			Value: "tcp://localhost:2375",
+		})
 		pod.Spec.Containers = append(pod.Spec.Containers, corev1.Container{
 			Name:  "docker",
 			Image: r.DockerImage,
@@ -369,9 +401,11 @@ func (r *RunnerReconciler) newPod(ctx context.Context, runner v1alpha1.Runner) (
 					Name:      "work",
 					MountPath: "/runner/_work",
 				},
+			},
+			Env: []corev1.EnvVar{
 				{
-					Name:      "docker",
-					MountPath: "/var/run",
+					Name:  "DOCKER_TLS_CERTDIR",
+					Value: "",
 				},
 			},
 			SecurityContext: &corev1.SecurityContext{
@@ -484,20 +518,3 @@ func removeFinalizer(finalizers []string) ([]string, bool) {
 
 	return result, removed
 }
-
-func (r *RunnerReconciler) getRegistrationToken(ctx context.Context, runner v1alpha1.Runner) (string, error) {
-	log := r.Log.WithValues("runner", runner.Name)
-	if runner.IsRegisterable() {
-		return runner.Status.Registration.Token, nil
-	} else {
-		rt, err := r.GitHubClient.GetRegistrationToken(ctx, runner.Spec.Organization, runner.Spec.Repository, runner.Name)
-		if err != nil {
-			r.Recorder.Event(&runner, corev1.EventTypeWarning, "FailedUpdateRegistrationToken", "Updating registration token failed")
-			log.Error(err, "Failed to get new registration token")
-			return "", err
-		}
-
-		log.Info("Updated registration token", "repository", runner.Spec.Repository)
-		return rt.GetToken(), nil
-	}
-}

runner/Dockerfile

@@ -1,7 +1,7 @@
 FROM ubuntu:18.04
 
 ARG TARGETPLATFORM
-ARG RUNNER_VERSION=2.272.0
+ARG RUNNER_VERSION=2.274.1
 ARG DOCKER_VERSION=19.03.12
 
 ENV DEBIAN_FRONTEND=noninteractive

runner/dindrunner.Dockerfile

@@ -43,7 +43,7 @@ RUN adduser --disabled-password --gecos "" --uid 1000 runner \
     && echo "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers
 
 ARG TARGETPLATFORM
-ARG RUNNER_VERSION=2.272.0
+ARG RUNNER_VERSION=2.274.1
 ARG DOCKER_CHANNEL=stable
 ARG DOCKER_VERSION=19.03.13
 ARG DEBUG=false