* chart: Allow using different secrets for controller-manager and gh-webhook-server As it is entirely possible to do so because they are two different K8s deployments. It may provide better scalability because then each component gets its own GitHub API quota.
# Default values for the actions-runner-controller chart.
# The file is plain YAML; each key is a variable handed to the chart templates.

labels: {}

replicaCount: 1

syncPeriod: '10m'

enableLeaderElection: true
# Controller id used for leader election.
# It has to be unique when several controllers are installed into one namespace.
#leaderElectionId: "actions-runner-controller"

# For this long the controller does its best not to repeat an identical
# GitHub API call.
# Default: syncPeriod - 10s.
#githubAPICacheDuration: 30s

# URL of your GitHub Enterprise server, when you run one.
#githubEnterpriseServerURL: https://github.example.com

# Overrides for the GitHub URLs, for setups that go through proxy APIs.
# NOTE(review): an endpoint set here presumably receives the controller's
# GitHub credentials; point it only at a proxy you operate, over https.
#githubURL: ""
#githubUploadURL: ""
#runnerGithubURL: ""

# Exactly one authentication method may be deployed at a time.
# Uncomment the settings for the method you use and fill them in.
#
# With authSecret.enabled=true these values are passed on to the env of
# actions-runner-controller's controller-manager container.
#
# For full control over the container's GitHub authn env vars, set
# authSecret.enabled=false and set env yourself.
# See https://github.com/actions-runner-controller/actions-runner-controller/pull/937 for more details.
#
# NOTE(review): with create=true the credentials below would be written in the
# values file and, presumably, end up in the stored Helm release. Keeping
# create=false and pointing `name` at a Secret created out of band keeps them
# out of both. This Secret is named separately from githubWebhookServer.secret.
authSecret:
  enabled: true
  create: false
  name: 'controller-manager'
  annotations: {}
  ### GitHub Apps Configuration
  ## NOTE: IDs MUST be strings, use quotes
  #github_app_id: ""
  #github_app_installation_id: ""
  #github_app_private_key: |
  ### GitHub PAT Configuration
  #github_token: ""
  ### Basic auth for github API proxy
  #github_basicauth_username: ""
  #github_basicauth_password: ""

dockerRegistryMirror: ''
image:
  repository: 'summerwind/actions-runner-controller'
  # NOTE(review): 'summerwind/actions-runner:latest' and 'docker:dind' are
  # mutable references, so the runner and DinD images can change without any
  # change to this chart. For reproducible deployments override both with a
  # fixed version tag or an image digest.
  actionsRunnerRepositoryAndTag: 'summerwind/actions-runner:latest'
  dindSidecarRepositoryAndTag: 'docker:dind'
  pullPolicy: IfNotPresent
  # Default image-pull secret names for the self-hosted runner container.
  # They are added to spec.ImagePullSecrets of the self-hosted runner pods.
  actionsRunnerImagePullSecrets: []

imagePullSecrets: []
nameOverride: ''
fullnameOverride: ''

serviceAccount:
  # Whether the chart should create a service account
  create: true
  # Annotations put on the service account
  annotations: {}
  # Name of the service account to use.
  # When unset and create is true, the fullname template generates a name
  name: ''

podAnnotations: {}

podLabels: {}

podSecurityContext: {}
  # fsGroup: 2000

# NOTE(review): both contexts default to empty, so these values request no
# pod- or container-level hardening. The commented settings below (drop all
# capabilities, read-only root filesystem, non-root user) are the usual
# baseline; to apply them, replace `{}` with the uncommented keys and verify
# the controller still starts with them.
securityContext: {}
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# Webhook service resource
service:
  type: ClusterIP
  port: 443
  annotations: {}

# Metrics service resource
metrics:
  serviceAnnotations: {}
  serviceMonitor: false
  serviceMonitorLabels: {}
  port: 8443
  # Sidecar image settings for kube-rbac-proxy.
  # NOTE(review): presumably this proxy is what puts Kubernetes authn/authz in
  # front of the metrics endpoint; confirm in the templates how metrics are
  # exposed before setting enabled to false.
  proxy:
    enabled: true
    image:
      repository: quay.io/brancz/kube-rbac-proxy
      tag: v0.11.0

resources: {}
  # Default resources are deliberately left unset so that choosing them is a
  # conscious decision by the user. It also improves the odds that the chart
  # runs on small environments such as Minikube. To set resources, uncomment
  # the lines below, adjust them as needed, and remove the curly braces after
  # 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

# Set at most one of minAvailable and maxUnavailable
podDisruptionBudget:
  enabled: false
  # minAvailable: 1
  # maxUnavailable: 3

# A PriorityClass helps your pods survive resource shortages
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
# PriorityClass: system-cluster-critical
priorityClassName: ''

# NOTE(review): entries here are written as literal values; anything placed
# here is presumably readable by whoever can read the values file or the
# rendered workload spec, so keep credentials in a Secret rather than in env.
env: {}
  # http_proxy: "proxy.com:8080"
  # https_proxy: "proxy.com:8080"
  # no_proxy: ""

## Additional volumes to mount in the manager container, usable for
## extra storage of material or for injecting files from ConfigMaps
## into the running container
additionalVolumes: []

## Where the additional volumes are mounted in the manager container
additionalVolumeMounts: []

scope:
  # When true, the controller watches custom resources in one namespace only
  # NOTE(review): whether the chart also narrows the controller's RBAC to that
  # namespace is not visible in this file; confirm in the templates.
  singleNamespace: false
  # With `scope.singleNamespace=true`, the one namespace the controller watches
  # The default "" stands for the namespace of the controller
  watchNamespace: ''

certManagerEnabled: true

admissionWebHooks: {}
  #caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"

githubWebhookServer:
  enabled: false
  replicaCount: 1
  syncPeriod: '10m'
  useRunnerGroupsVisibility: false
  # Secret used by the webhook server; it carries its own name, distinct from
  # authSecret.name.
  secret:
    enabled: false
    create: false
    name: 'github-webhook-server'
    ### GitHub Webhook Configuration
    # NOTE(review): with an empty token the server presumably cannot verify the
    # signature of incoming deliveries; confirm against the server's handling.
    # Before exposing the service, set a long random value here (or in the
    # referenced Secret) that matches the secret configured on the GitHub
    # webhook.
    github_webhook_secret_token: ''
  imagePullSecrets: []
  nameOverride: ''
  fullnameOverride: ''
  serviceAccount:
    # Whether the chart should create a service account
    create: true
    # Annotations put on the service account
    annotations: {}
    # Name of the service account to use.
    # When unset and create is true, the fullname template generates a name
    name: ''
  podAnnotations: {}
  podLabels: {}
  podSecurityContext: {}
  # fsGroup: 2000
  securityContext: {}
  resources: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  priorityClassName: ''
  service:
    type: ClusterIP
    annotations: {}
    ports:
      - port: 80
        targetPort: http
        protocol: TCP
        name: http
        #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
  # NOTE(review): the service above listens on plain http port 80 and `tls`
  # below defaults to empty; when the ingress is enabled to receive GitHub
  # deliveries, fill in `tls` so that traffic is encrypted up to the ingress.
  ingress:
    enabled: false
    ingressClassName: ''
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: chart-example.local
        paths: []
        # - path: /*
        #   pathType: ImplementationSpecific
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  # Set at most one of minAvailable and maxUnavailable
  podDisruptionBudget:
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 3