From 3de4e7e9c650156f35f295f01158d901316d91bf Mon Sep 17 00:00:00 2001 From: Jonathan Sokolowski Date: Thu, 9 Dec 2021 08:58:46 +1100 Subject: [PATCH] Support installing without cert-manager (#834) * Support installing without cert-manager --- README.md | 32 ++++++++++++++++++- charts/actions-runner-controller/README.md | 8 +++-- .../templates/certificate.yaml | 2 ++ .../templates/webhook_configs.yaml | 25 +++++++++++++++ charts/actions-runner-controller/values.yaml | 6 ++++ 5 files changed, 69 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 45451004..cafab992 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,7 @@ ToC: - [Stateful Runners](#stateful-runners) - [Ephemeral Runners](#ephemeral-runners) - [Software Installed in the Runner Image](#software-installed-in-the-runner-image) + - [Using without cert-manager](#using-without-cert-manager) - [Common Errors](#common-errors) - [Contributing](#contributing) @@ -43,7 +44,7 @@ ToC: ## Installation -actions-runner-controller uses [cert-manager](https://cert-manager.io/docs/installation/kubernetes/) for certificate management of Admission Webhook. Make sure you have already installed cert-manager before you install. The installation instructions for cert-manager can be found below. +By default, actions-runner-controller uses [cert-manager](https://cert-manager.io/docs/installation/kubernetes/) for certificate management of Admission Webhook. Make sure you have already installed cert-manager before you install. The installation instructions for cert-manager can be found below. - [Installing cert-manager on Kubernetes](https://cert-manager.io/docs/installation/kubernetes/) 
@@ -1236,6 +1237,35 @@ spec: image: YOUR_CUSTOM_DOCKER_IMAGE ``` +### Using without cert-manager + +Assuming you are installing in the default namespace, ensure your certificate has SANs: + +* `webhook-service.actions-runner-system.svc` +* `webhook-service.actions-runner-system.svc.cluster.local` + +It is possible to use a self-signed certificate by following a guide like +[this one](https://mariadb.com/docs/security/encryption/in-transit/create-self-signed-certificates-keys-openssl/) +using `openssl`. + +Install your certificate as a TLS secret: + +```shell +$ kubectl create secret tls webhook-server-cert \ + -n actions-runner-system \ + --cert=path/to/cert/file \ + --key=path/to/key/file +``` + +Set the Helm chart values as follows: + +```shell +$ CA_BUNDLE=$(cat path/to/ca.pem | base64) +$ helm --upgrade install actions-runner-controller/actions-runner-controller \ + certManagerEnabled=false \ + admissionWebHooks.caBundle=${CA_BUNDLE} +``` + ### Common Errors #### invalid header field value diff --git a/charts/actions-runner-controller/README.md b/charts/actions-runner-controller/README.md index 6226c36b..485d5b14 100644 --- a/charts/actions-runner-controller/README.md +++ b/charts/actions-runner-controller/README.md 
@@ -94,6 +94,8 @@ All additional docs are kept in the `docs/` folder, this README is solely for do | `githubWebhookServer.ingress.annotations` | Set annotations for the ingress kind | | | `githubWebhookServer.ingress.hosts` | Set hosts configuration for ingress | `[{"host": "chart-example.local", "paths": []}]` | | `githubWebhookServer.ingress.tls` | Set tls configuration for ingress | | -| `githubWebhookServer.podDisruptionBudget.enabled` | Enables a PDB to ensure HA of githubwebhook pods | false | -| `githubWebhookServer.podDisruptionBudget.minAvailable` | Minimum number of pods that must be available after eviction | | -| `githubWebhookServer.podDisruptionBudget.maxUnavailable` | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required. | | \ No newline at end of file +| `githubWebhookServer.podDisruptionBudget.enabled` | Enables a PDB to ensure HA of githubwebhook pods | false | +| `githubWebhookServer.podDisruptionBudget.minAvailable` | Minimum number of pods that must be available after eviction | | +| `githubWebhookServer.podDisruptionBudget.maxUnavailable` | Maximum number of pods that can be unavailable after eviction. Kubernetes 1.7+ required. | | +| `certManagerEnabled` | Enable cert-manager. If disabled you must set admissionWebHooks.caBundle and create TLS secrets manually | true | +| `admissionWebHooks.caBundle` | Base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate | | \ No newline at end of file diff --git a/charts/actions-runner-controller/templates/certificate.yaml b/charts/actions-runner-controller/templates/certificate.yaml index 0000be44..25ddfa0f 100644 --- a/charts/actions-runner-controller/templates/certificate.yaml +++ b/charts/actions-runner-controller/templates/certificate.yaml 
@@ -1,3 +1,4 @@ +{{- if .Values.certManagerEnabled }} # The following manifests contain a self-signed issuer CR and a certificate CR. # More document can be found at https://docs.cert-manager.io # WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes @@ -22,3 +23,4 @@ spec: kind: Issuer name: {{ include "actions-runner-controller.selfsignedIssuerName" . }} secretName: {{ include "actions-runner-controller.servingCertName" . }} +{{- end }} diff --git a/charts/actions-runner-controller/templates/webhook_configs.yaml b/charts/actions-runner-controller/templates/webhook_configs.yaml index a7453e88..93be277f 100644 --- a/charts/actions-runner-controller/templates/webhook_configs.yaml +++ b/charts/actions-runner-controller/templates/webhook_configs.yaml @@ -5,12 +5,17 @@ kind: MutatingWebhookConfiguration metadata: creationTimestamp: null name: {{ include "actions-runner-controller.fullname" . }}-mutating-webhook-configuration + {{- if .Values.certManagerEnabled }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }} + {{- end }} webhooks: - admissionReviewVersions: - v1beta1 clientConfig: + {{- if .Values.admissionWebHooks.caBundle }} + caBundle: {{ quote .Values.admissionWebHooks.caBundle }} + {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} @@ -31,6 +36,9 @@ webhooks: - admissionReviewVersions: - v1beta1 clientConfig: + {{- if .Values.admissionWebHooks.caBundle }} + caBundle: {{ .Values.admissionWebHooks.caBundle }} + {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} 
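Review bot: When `certManagerEnabled` is false and `admissionWebHooks.caBundle` is left empty, the `@@ -5,12 +5,17 @@` hunk renders a webhook with neither the `cert-manager.io/inject-ca-from` annotation nor a `caBundle`, so the API server falls back to its own system trust roots and the TLS handshake to the self-signed webhook serving cert fails; depending on the webhook's `failurePolicy` (set outside this hunk, so I cannot see it) that either blocks every Runner admission or silently skips mutation. The chart should refuse to render an unusable configuration instead: add at the top of `webhook_configs.yaml` `{{- if and (not .Values.certManagerEnabled) (not .Values.admissionWebHooks.caBundle) }}{{ fail "admissionWebHooks.caBundle is required when certManagerEnabled is false" }}{{- end }}`. Note also that when both are set, cert-manager's cainjector will overwrite whatever static `caBundle` the user supplied, so the two mechanisms are effectively exclusive and the values file should say so.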
@@ -51,6 +59,9 @@ webhooks: - admissionReviewVersions: - v1beta1 clientConfig: + {{- if .Values.admissionWebHooks.caBundle }} + caBundle: {{ .Values.admissionWebHooks.caBundle }} + {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} @@ -71,6 +82,9 @@ webhooks: - admissionReviewVersions: - v1beta1 clientConfig: + {{- if .Values.admissionWebHooks.caBundle }} + caBundle: {{ .Values.admissionWebHooks.caBundle }} + {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} @@ -96,12 +110,17 @@ kind: ValidatingWebhookConfiguration metadata: creationTimestamp: null name: {{ include "actions-runner-controller.fullname" . }}-validating-webhook-configuration + {{- if .Values.certManagerEnabled }} annotations: cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }} + {{- end }} webhooks: - admissionReviewVersions: - v1beta1 clientConfig: + {{- if .Values.admissionWebHooks.caBundle }} + caBundle: {{ .Values.admissionWebHooks.caBundle }} + {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} @@ -122,6 +141,9 @@ webhooks: - admissionReviewVersions: - v1beta1 clientConfig: + {{- if .Values.admissionWebHooks.caBundle }} + caBundle: {{ .Values.admissionWebHooks.caBundle }} + {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} @@ -142,6 +164,9 @@ webhooks: - admissionReviewVersions: - v1beta1 clientConfig: + {{- if .Values.admissionWebHooks.caBundle }} + caBundle: {{ .Values.admissionWebHooks.caBundle }} + {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} 
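Review bot: Every `caBundle:` line added in these hunks renders the value as a plain scalar, `caBundle: {{ .Values.admissionWebHooks.caBundle }}`, while the first webhook of the MutatingWebhookConfiguration earlier in the patch uses `{{ quote ... }}`; the seven copy-pasted blocks have already drifted in this one commit. Base64 is usually safe unquoted, but a value carrying line breaks (for example the wrapped output of `base64` without `-w0`) would be emitted as a multi-line plain scalar and break the rendered document, whereas the quoted form keeps it a single string. Make every occurrence `caBundle: {{ quote .Values.admissionWebHooks.caBundle }}` or, better, move the three-line `{{- if ... }}` block into a named template in `_helpers.tpl` and `include` it under each `clientConfig:` so the seven sites cannot diverge again. Each webhook entry continues past the three context lines shown, so `failurePolicy` and the other fields are not visible here.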
diff --git a/charts/actions-runner-controller/values.yaml b/charts/actions-runner-controller/values.yaml index 6a5abeb9..61625835 100644 --- a/charts/actions-runner-controller/values.yaml +++ b/charts/actions-runner-controller/values.yaml @@ -199,3 +199,9 @@ githubWebhookServer: enabled: false # minAvailable: 1 # maxUnavailable: 3 + +certManagerEnabled: true + +admissionWebHooks: + {} + #caBundle: "Ci0tLS0tQk......tLS0K"
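Review bot: The new `admissionWebHooks:` stanza places `{}` and the commented `#caBundle:` example as sibling lines under the key, so a user who simply uncomments the example ends up with a flow mapping followed by a block key at the same indent, which does not parse; the `{}` itself must stay, because `.Values.admissionWebHooks.caBundle` in the webhook templates would otherwise dereference a nil map at render time. Restructure it as `admissionWebHooks: {}` on one line, preceded by a comment block that gives the example as `#   caBundle: "Ci0tLS0tQk......tLS0K"` under a commented `# admissionWebHooks:` header. That comment should also state what the chart README table already says and values.yaml does not: the field is a base64-encoded PEM bundle of the CA that signed the webhook serving certificate and is only consulted when `certManagerEnabled` is false.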