Update helm chart (#343)

* add replicaCount * Add authSecret.existingSecret * set image.tag null by default * implement ingress for githubwebhook server * fix deprecated and secretName template * backward compat .authSecret.enabled * existingSecret for github webhook secret * use secretName template * set default secret names * do not use app version based image tag * create and name variable for secrets
2021-02-26 09:26:51 +09:00 · 2021-02-26 09:26:51 +09:00 · 450e384c4c
parent e9eef04993
commit 450e384c4c
11 changed files with 137 additions and 73 deletions
--- a/charts/actions-runner-controller/Chart.yaml
+++ b/charts/actions-runner-controller/Chart.yaml
@ -15,17 +15,17 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.2
+version: 0.6.0

 home: https://github.com/summerwind/actions-runner-controller

 sources:
-    - https://github.com/summerwind/actions-runner-controller
+  - https://github.com/summerwind/actions-runner-controller

 maintainers:
-    - name: summerwind
-      email: contact@summerwind.jp
-      url: https://github.com/summerwind
-    - name: funkypenguin
-      email: davidy@funkypenguin.co.nz
-      url: https://www.funkypenguin.co.nz
+  - name: summerwind
+    email: contact@summerwind.jp
+    url: https://github.com/summerwind
+  - name: funkypenguin
+    email: davidy@funkypenguin.co.nz
+    url: https://www.funkypenguin.co.nz
--- a/charts/actions-runner-controller/templates/NOTES.txt
+++ b/charts/actions-runner-controller/templates/NOTES.txt
@ -1,8 +1,8 @@
 1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
+{{- if .Values.githubWebhookServer.ingress.enabled }}
+{{- range $host := .Values.githubWebhookServer.ingress.hosts }}
  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  http{{ if $.Values.githubWebhookServer.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
--- a/charts/actions-runner-controller/templates/_github_webhook_server_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_github_webhook_server_helpers.tpl
@ -47,6 +47,10 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}

+{{- define "actions-runner-controller-github-webhook-server.secretName" -}}
+{{- default (include "actions-runner-controller-github-webhook-server.fullname" .) .Values.githubWebhookServer.secret.name }}
+{{- end }}
+
 {{- define "actions-runner-controller-github-webhook-server.roleName" -}}
 {{- include "actions-runner-controller-github-webhook-server.fullname" . }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
@ -64,6 +64,10 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}

+{{- define "actions-runner-controller.secretName" -}}
+{{- default (include "actions-runner-controller.fullname" .) .Values.authSecret.name -}}
+{{- end }}
+
 {{- define "actions-runner-controller.leaderElectionRoleName" -}}
 {{- include "actions-runner-controller.fullname" . }}-leader-election
 {{- end }}
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@ -6,6 +6,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
+  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "actions-runner-controller.selectorLabels" . | nindent 6 }}
@ -41,19 +42,19 @@ spec:
          valueFrom:
            secretKeyRef:
              key: github_token
-              name: controller-manager
+              name: {{ include "actions-runner-controller.secretName" . }}
              optional: true
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              key: github_app_id
-              name: controller-manager
+              name: {{ include "actions-runner-controller.secretName" . }}
              optional: true
        - name: GITHUB_APP_INSTALLATION_ID
          valueFrom:
            secretKeyRef:
              key: github_app_installation_id
-              name: controller-manager
+              name: {{ include "actions-runner-controller.secretName" . }}
              optional: true
        - name: GITHUB_APP_PRIVATE_KEY
          value: /etc/actions-runner-controller/github_app_private_key
@ -61,7 +62,7 @@ spec:
        - name: {{ $key }}
          value: {{ $val | quote }}
        {{- end }}
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}"
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        name: manager
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        ports:
@ -71,13 +72,13 @@ spec:
        resources:
          {{- toYaml .Values.resources | nindent 12 }}
        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}          
+          {{- toYaml .Values.securityContext | nindent 12 }}
        volumeMounts:
        - mountPath: "/etc/actions-runner-controller"
-          name: controller-manager
+          name: secret
          readOnly: true
        - mountPath: /tmp
-          name: tmp         
+          name: tmp
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
@ -93,14 +94,14 @@ spec:
        - containerPort: 8443
          name: https
        resources:
-          {{- toYaml .Values.resources | nindent 12 }}   
+          {{- toYaml .Values.resources | nindent 12 }}
        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}     
+          {{- toYaml .Values.securityContext | nindent 12 }}
      terminationGracePeriodSeconds: 10
      volumes:
-      - name: controller-manager
+      - name: secret
        secret:
-          secretName: controller-manager
+          secretName: {{ include "actions-runner-controller.secretName" . }}
      - name: cert
        secret:
          defaultMode: 420
--- a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
@ -7,6 +7,7 @@ metadata:
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
+  replicas: {{ .Values.githubWebhookServer.replicaCount }}
  selector:
    matchLabels:
      {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 6 }}
@ -40,13 +41,13 @@ spec:
          valueFrom:
            secretKeyRef:
              key: github_webhook_secret_token
-              name: github-webhook-server
+              name: {{- include "actions-runner-controller-github-webhook-server.secretName" . }}
              optional: true
        {{- range $key, $val := .Values.githubWebhookServer.env }}
        - name: {{ $key }}
          value: {{ $val | quote }}
        {{- end }}
-        image: "{{ .Values.githubWebhookServer.image.repository }}:{{ .Values.githubWebhookServer.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}"
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        name: github-webhook-server
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        ports:
@ -69,14 +70,10 @@ spec:
        - containerPort: 8443
          name: https
        resources:
-          {{- toYaml .Values.resources | nindent 12 }}   
+          {{- toYaml .Values.resources | nindent 12 }}
        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}     
+          {{- toYaml .Values.securityContext | nindent 12 }}
      terminationGracePeriodSeconds: 10
-      volumes:
-      - name: github-webhook-server
-        secret:
-          secretName: github-webhook-server
      {{- with .Values.githubWebhookServer.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml
@ -0,0 +1,41 @@
+{{- if .Values.githubWebhookServer.ingress.enabled -}}
+{{- $fullName := include "actions-runner-controller-github-webhook-server.fullname" . -}}
+{{- $svcPort := .Values.githubWebhookServer.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+  {{- with .Values.githubWebhookServer.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.githubWebhookServer.ingress.tls }}
+  tls:
+    {{- range .Values.githubWebhookServer.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.githubWebhookServer.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}
--- a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml
@ -1,16 +1,16 @@
 {{- if .Values.githubWebhookServer.enabled }}
-{{- if .Values.githubWebhookServer.secret.enabled }}
+{{- if .Values.githubWebhookServer.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: github-webhook-server
+  name: {{- include "actions-runner-controller-github-webhook-server.secretName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
 data:
-{{- range $k, $v := .Values.githubWebhookServer.secret }}
-  {{ $k }}: {{ $v | toString | b64enc }}
-{{- end }} 
+{{- if .Values.githubWebhookServer.secret.github_webhook_secret_token }}
+  github_webhook_secret_token: {{ .Values.githubWebhookServer.secret.github_webhook_secret_token | toString | b64enc }}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/charts/actions-runner-controller/templates/manager_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_secrets.yaml
@ -1,14 +1,23 @@
-{{- if or .Values.authSecret.enabled }}
+{{- if .Values.authSecret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: controller-manager
+  name: {{ include "actions-runner-controller.secretName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "actions-runner-controller.labels" . | nindent 4 }}
 type: Opaque
 data:
-{{- range $k, $v := .Values.authSecret }}
-  {{ $k }}: {{ $v | toString | b64enc }}
-{{- end }} 
-{{- end }}
+{{- if .Values.authSecret.github_app_id }}
+  github_app_id: {{ .Values.authSecret.github_app_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.authSecret.github_app_installation_id }}
+  github_app_installation_id: {{ .Values.authSecret.github_app_installation_id | toString | b64enc }}
+{{- end }}
+{{- if .Values.authSecret.github_app_private_key }}
+  github_app_private_key: {{ .Values.authSecret.github_app_private_key | toString | b64enc }}
+{{- end }}
+{{- if .Values.authSecret.github_token }}
+  github_token: {{ .Values.authSecret.github_token | toString | b64enc }}
+{{- end }}
+{{- end }}
--- a/charts/actions-runner-controller/templates/webhook_configs.yaml
+++ b/charts/actions-runner-controller/templates/webhook_configs.yaml
@ -1,6 +1,10 @@

 ---
+{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: admissionregistration.k8s.io/v1
+{{- else -}}
 apiVersion: admissionregistration.k8s.io/v1beta1
+{{- end }}
 kind: MutatingWebhookConfiguration
 metadata:
  creationTimestamp: null
@ -64,7 +68,11 @@ webhooks:
    - runnerreplicasets

 ---
+{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: admissionregistration.k8s.io/v1
+{{- else -}}
 apiVersion: admissionregistration.k8s.io/v1beta1
+{{- end }}
 kind: ValidatingWebhookConfiguration
 metadata:
  creationTimestamp: null
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@ -11,7 +11,8 @@ syncPeriod: 10m
 # Only 1 authentication method can be deployed at a time
 # Uncomment the configuration you are applying and fill in the details
 authSecret:
-  enabled: false
+  create: true
+  name: "controller-manager"
  ### GitHub Apps Configuration
  #github_app_id: ""
  #github_app_installation_id: ""
@ -21,8 +22,7 @@ authSecret:

 image:
  repository: summerwind/actions-runner-controller
-  # Overrides the manager image tag whose default is the chart appVersion if the tag key is commented out
-  tag: "latest"
+  tag: "v0.17.0"
  dindSidecarRepositoryAndTag: "docker:dind"
  pullPolicy: IfNotPresent

@ -46,10 +46,12 @@ serviceAccount:

 podAnnotations: {}

-podSecurityContext: {}
+podSecurityContext:
+  {}
  # fsGroup: 2000

-securityContext: {}
+securityContext:
+  {}
  # capabilities:
  #   drop:
  #   - ALL
@ -61,20 +63,8 @@ service:
  type: ClusterIP
  port: 443

-ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chart-example.local
-      paths: []
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
-resources: {}
+resources:
+  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
@ -104,7 +94,8 @@ affinity: {}
 # PriorityClass: system-cluster-critical
 priorityClassName: ""

-env: {}
+env:
+  {}
  # http_proxy: "proxy.com:8080"
  # https_proxy: "proxy.com:8080"
  # no_proxy: ""
@ -115,14 +106,10 @@ githubWebhookServer:
  replicaCount: 1
  syncPeriod: 10m
  secret:
-    enabled: false
+    create: true
+    name: "github-webhook-server"
    ### GitHub Webhook Configuration
    #github_webhook_secret_token: ""
-  image:
-    repository: summerwind/actions-runner-controller
-    # Overrides the manager image tag whose default is the chart appVersion if the tag key is commented out
-    tag: "latest"
-    pullPolicy: IfNotPresent
  imagePullSecrets: []
  nameOverride: ""
  fullnameOverride: ""
@ -144,10 +131,23 @@ githubWebhookServer:
  affinity: {}
  priorityClassName: ""
  service:
-    type: NodePort
+    type: ClusterIP
    ports:
-    - port: 80
-      targetPort: http
-      protocol: TCP
-      name: http
-      #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
+      - port: 80
+        targetPort: http
+        protocol: TCP
+        name: http
+        #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
+  ingress:
+    enabled: false
+    annotations:
+      {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+    hosts:
+      - host: chart-example.local
+        paths: []
+    tls: []
+    #  - secretName: chart-example-tls
+    #    hosts:
+    #      - chart-example.local