From 450e384c4c97b667379a5fd0766525b5fc26db99 Mon Sep 17 00:00:00 2001 From: Taehyun Kim Date: Fri, 26 Feb 2021 09:26:51 +0900 Subject: [PATCH] Update helm chart (#343) * add replicaCount * Add authSecret.existingSecret * set image.tag null by default * implement ingress for githubwebhook server * fix deprecated and secretName template * backward compat .authSecret.enabled * existingSecret for github webhook secret * use secretName template * set default secret names * do not use app version based image tag * create and name variable for secrets --- charts/actions-runner-controller/Chart.yaml | 16 ++--- .../templates/NOTES.txt | 6 +- .../_github_webhook_server_helpers.tpl | 4 ++ .../templates/_helpers.tpl | 4 ++ .../templates/deployment.yaml | 23 +++---- .../templates/githubwebhook.deployment.yaml | 13 ++-- .../templates/githubwebhook.ingress.yaml | 41 ++++++++++++ .../templates/githubwebhook.secrets.yaml | 10 +-- .../templates/manager_secrets.yaml | 21 ++++-- .../templates/webhook_configs.yaml | 8 +++ charts/actions-runner-controller/values.yaml | 64 +++++++++---------- 11 files changed, 137 insertions(+), 73 deletions(-) create mode 100644 charts/actions-runner-controller/templates/githubwebhook.ingress.yaml diff --git a/charts/actions-runner-controller/Chart.yaml b/charts/actions-runner-controller/Chart.yaml index bfc7ded3..c9c7aedc 100644 --- a/charts/actions-runner-controller/Chart.yaml +++ b/charts/actions-runner-controller/Chart.yaml 
@@ -15,17 +15,17 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.5.2 +version: 0.6.0 home: https://github.com/summerwind/actions-runner-controller sources: - - https://github.com/summerwind/actions-runner-controller + - https://github.com/summerwind/actions-runner-controller maintainers: - - name: summerwind - email: contact@summerwind.jp - url: https://github.com/summerwind - - name: funkypenguin - email: davidy@funkypenguin.co.nz - url: https://www.funkypenguin.co.nz + - name: summerwind + email: contact@summerwind.jp + url: https://github.com/summerwind + - name: funkypenguin + email: davidy@funkypenguin.co.nz + url: https://www.funkypenguin.co.nz diff --git a/charts/actions-runner-controller/templates/NOTES.txt b/charts/actions-runner-controller/templates/NOTES.txt index 50d04bde..faf893f0 100644 --- a/charts/actions-runner-controller/templates/NOTES.txt +++ b/charts/actions-runner-controller/templates/NOTES.txt @@ -1,8 +1,8 @@ 1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} +{{- if .Values.githubWebhookServer.ingress.enabled }} +{{- range $host := .Values.githubWebhookServer.ingress.hosts }} {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} + http{{ if $.Values.githubWebhookServer.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} {{- end }} {{- end }} {{- else if contains "NodePort" .Values.service.type }} diff --git a/charts/actions-runner-controller/templates/_github_webhook_server_helpers.tpl b/charts/actions-runner-controller/templates/_github_webhook_server_helpers.tpl index a022bf3e..6aaa8a6c 100644 --- a/charts/actions-runner-controller/templates/_github_webhook_server_helpers.tpl 
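Review bot: The `{{- else if contains "NodePort" .Values.service.type }}` fallthrough on the last line of the NOTES.txt hunk still reads the controller's `service.type`, while the ingress branch above it was re-pointed at `githubWebhookServer`; the webhook server's own `githubWebhookServer.service.type` (which this commit flips from NodePort to ClusterIP in values.yaml) is never consulted, so the printed URL describes the wrong service. The per-path line also renders each entry of `paths` as a bare scalar (`{{ . }}`), whereas the new `githubwebhook.ingress.yaml` in this same commit reads `.path` from each entry, so the two cannot both be right for the same values. I would change the two lines to `http{{ if $.Values.githubWebhookServer.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}` and `{{- else if contains "NodePort" .Values.githubWebhookServer.service.type }}`. The rest of the NOTES block (the NodePort/LoadBalancer branches) is outside this hunk and likely needs the same re-pointing.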
+++ b/charts/actions-runner-controller/templates/_github_webhook_server_helpers.tpl @@ -47,6 +47,10 @@ Create the name of the service account to use {{- end }} {{- end }} +{{- define "actions-runner-controller-github-webhook-server.secretName" -}} +{{- default (include "actions-runner-controller-github-webhook-server.fullname" .) .Values.githubWebhookServer.secret.name }} +{{- end }} + {{- define "actions-runner-controller-github-webhook-server.roleName" -}} {{- include "actions-runner-controller-github-webhook-server.fullname" . }} {{- end }} diff --git a/charts/actions-runner-controller/templates/_helpers.tpl b/charts/actions-runner-controller/templates/_helpers.tpl index 21482e39..bc91388b 100644 --- a/charts/actions-runner-controller/templates/_helpers.tpl +++ b/charts/actions-runner-controller/templates/_helpers.tpl @@ -64,6 +64,10 @@ Create the name of the service account to use {{- end }} {{- end }} +{{- define "actions-runner-controller.secretName" -}} +{{- default (include "actions-runner-controller.fullname" .) .Values.authSecret.name -}} +{{- end }} + {{- define "actions-runner-controller.leaderElectionRoleName" -}} {{- include "actions-runner-controller.fullname" . }}-leader-election {{- end }} diff --git a/charts/actions-runner-controller/templates/deployment.yaml b/charts/actions-runner-controller/templates/deployment.yaml index 269aab49..89ade7ba 100644 --- a/charts/actions-runner-controller/templates/deployment.yaml +++ b/charts/actions-runner-controller/templates/deployment.yaml @@ -6,6 +6,7 @@ metadata: labels: {{- include "actions-runner-controller.labels" . | nindent 4 }} spec: + replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "actions-runner-controller.selectorLabels" . | nindent 6 }} 
@@ -41,19 +42,19 @@ spec: valueFrom: secretKeyRef: key: github_token - name: controller-manager + name: {{ include "actions-runner-controller.secretName" . }} optional: true - name: GITHUB_APP_ID valueFrom: secretKeyRef: key: github_app_id - name: controller-manager + name: {{ include "actions-runner-controller.secretName" . }} optional: true - name: GITHUB_APP_INSTALLATION_ID valueFrom: secretKeyRef: key: github_app_installation_id - name: controller-manager + name: {{ include "actions-runner-controller.secretName" . }} optional: true - name: GITHUB_APP_PRIVATE_KEY value: /etc/actions-runner-controller/github_app_private_key @@ -61,7 +62,7 @@ spec: - name: {{ $key }} value: {{ $val | quote }} {{- end }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" name: manager imagePullPolicy: {{ .Values.image.pullPolicy }} ports: @@ -71,13 +72,13 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} volumeMounts: - mountPath: "/etc/actions-runner-controller" - name: controller-manager + name: secret readOnly: true - mountPath: /tmp - name: tmp + name: tmp - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true @@ -93,14 +94,14 @@ spec: - containerPort: 8443 name: https resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.resources | nindent 12 }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} terminationGracePeriodSeconds: 10 volumes: - - name: controller-manager + - name: secret secret: - secretName: controller-manager + secretName: {{ include "actions-runner-controller.secretName" . }} - name: cert secret: defaultMode: 420 
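Review bot: The image line in the second hunk drops the `default (cat "v" .Chart.AppVersion ...)` fallback, so an empty or unset `image.tag` now renders `summerwind/actions-runner-controller:` — a reference with a trailing colon that fails at pull time instead of at template time. Since the commit deliberately stops deriving the tag from appVersion, fail early instead: `image: "{{ .Values.image.repository }}:{{ required "image.tag must be set" .Values.image.tag }}"`. From a supply-chain standpoint a tag is mutable; an optional `image.digest` value rendered as `repository@sha256:...` when set would let operators pin the controller — which holds cluster-wide RBAC and the GitHub credentials mounted here — to an immutable image.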
diff --git a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml index 5f437f1f..d751e036 100644 --- a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml +++ b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml @@ -7,6 +7,7 @@ metadata: labels: {{- include "actions-runner-controller.labels" . | nindent 4 }} spec: + replicas: {{ .Values.githubWebhookServer.replicaCount }} selector: matchLabels: {{- include "actions-runner-controller-github-webhook-server.selectorLabels" . | nindent 6 }} @@ -40,13 +41,13 @@ spec: valueFrom: secretKeyRef: key: github_webhook_secret_token - name: github-webhook-server + name: {{- include "actions-runner-controller-github-webhook-server.secretName" . }} optional: true {{- range $key, $val := .Values.githubWebhookServer.env }} - name: {{ $key }} value: {{ $val | quote }} {{- end }} - image: "{{ .Values.githubWebhookServer.image.repository }}:{{ .Values.githubWebhookServer.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" name: github-webhook-server imagePullPolicy: {{ .Values.image.pullPolicy }} ports: @@ -69,14 +70,10 @@ spec: - containerPort: 8443 name: https resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.resources | nindent 12 }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} terminationGracePeriodSeconds: 10 - volumes: - - name: github-webhook-server - secret: - secretName: github-webhook-server {{- with .Values.githubWebhookServer.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml new file mode 100644 index 00000000..fcfd767d --- /dev/null 
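Review bot: `name: {{- include "actions-runner-controller-github-webhook-server.secretName" . }}` in the second hunk left-trims the space after the colon, so it renders as `name:github-webhook-server`, which YAML treats as a plain scalar rather than a key/value pair and the rendered `secretKeyRef` block is invalid. Use `name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}`, the form deployment.yaml uses in this same commit. Separately, the reference stays `optional: true`, so a release whose webhook Secret carries no `github_webhook_secret_token` still starts; whether the server then accepts unsigned deliveries is not visible here, but combined with the new ingress in this commit that state would expose the scaling endpoint to anyone who can reach the host, so it is worth verifying. The hunk also deletes the `volumes:` entry for `github-webhook-server`; if a `volumeMounts` entry referring to it survives outside the hunk, the pod spec will be rejected.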
+++ b/charts/actions-runner-controller/templates/githubwebhook.ingress.yaml @@ -0,0 +1,41 @@ +{{- if .Values.githubWebhookServer.ingress.enabled -}} +{{- $fullName := include "actions-runner-controller-github-webhook-server.fullname" . -}} +{{- $svcPort := .Values.githubWebhookServer.service.port -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "actions-runner-controller.labels" . | nindent 4 }} + {{- with .Values.githubWebhookServer.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.githubWebhookServer.ingress.tls }} + tls: + {{- range .Values.githubWebhookServer.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.githubWebhookServer.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml index 8a415abd..fdf4ba0b 100644 --- a/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml +++ b/charts/actions-runner-controller/templates/githubwebhook.secrets.yaml 
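Review bot: The ingress defaults to `tls: []`, and the only thing authenticating a delivery on this path is the HMAC signature checked against `githubWebhookServer.secret.github_webhook_secret_token`, which values.yaml leaves commented out while `secret.create` defaults to true and the deployment's secretKeyRef is `optional: true`; enabling the ingress without supplying a token therefore publishes the webhook receiver with no shared secret, and whether the server rejects unsigned deliveries in that state is not visible in this diff. I would guard the template right after the `enabled` check with `{{- if and .Values.githubWebhookServer.secret.create (not .Values.githubWebhookServer.secret.github_webhook_secret_token) }}` / `{{- fail "githubWebhookServer.secret.github_webhook_secret_token must be set when the ingress is enabled" }}` / `{{- end }}` (a Secret supplied with `create: false` cannot be validated here). `secretName: {{ .secretName }}` should be `{{ .secretName | quote }}` so a missing value does not render as null. `networking.k8s.io/v1beta1` is removed in Kubernetes 1.22; a `>=1.19-0` branch emitting `networking.k8s.io/v1` (which also requires `pathType` on each path) would keep the chart installable there.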
@@ -1,16 +1,16 @@ {{- if .Values.githubWebhookServer.enabled }} -{{- if .Values.githubWebhookServer.secret.enabled }} +{{- if .Values.githubWebhookServer.secret.create }} apiVersion: v1 kind: Secret metadata: - name: github-webhook-server + name: {{- include "actions-runner-controller-github-webhook-server.secretName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "actions-runner-controller.labels" . | nindent 4 }} type: Opaque data: -{{- range $k, $v := .Values.githubWebhookServer.secret }} - {{ $k }}: {{ $v | toString | b64enc }} -{{- end }} +{{- if .Values.githubWebhookServer.secret.github_webhook_secret_token }} + github_webhook_secret_token: {{ .Values.githubWebhookServer.secret.github_webhook_secret_token | toString | b64enc }} +{{- end }} {{- end }} {{- end }} diff --git a/charts/actions-runner-controller/templates/manager_secrets.yaml b/charts/actions-runner-controller/templates/manager_secrets.yaml index de98f5f7..3eb481c3 100644 --- a/charts/actions-runner-controller/templates/manager_secrets.yaml +++ b/charts/actions-runner-controller/templates/manager_secrets.yaml 
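Review bot: `name: {{- include "actions-runner-controller-github-webhook-server.secretName" . }}` under `metadata` trims the space after the colon and renders as `name:github-webhook-server`, which is not a valid mapping entry, so the Secret manifest fails to parse whenever `secret.create` is true — now the default. Change it to `name: {{ include "actions-runner-controller-github-webhook-server.secretName" . }}` (manager_secrets.yaml in this commit uses the correct form). With the token commented out in values.yaml the template otherwise renders a Secret with an empty `data:` block; it would be safer to `fail` with a message naming `githubWebhookServer.secret.github_webhook_secret_token` than to create a credential-less Secret that the deployment silently tolerates through `optional: true`.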
@@ -1,14 +1,23 @@ -{{- if or .Values.authSecret.enabled }} +{{- if .Values.authSecret.create }} apiVersion: v1 kind: Secret metadata: - name: controller-manager + name: {{ include "actions-runner-controller.secretName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "actions-runner-controller.labels" . | nindent 4 }} type: Opaque data: -{{- range $k, $v := .Values.authSecret }} - {{ $k }}: {{ $v | toString | b64enc }} -{{- end }} -{{- end }} \ No newline at end of file +{{- if .Values.authSecret.github_app_id }} + github_app_id: {{ .Values.authSecret.github_app_id | toString | b64enc }} +{{- end }} +{{- if .Values.authSecret.github_app_installation_id }} + github_app_installation_id: {{ .Values.authSecret.github_app_installation_id | toString | b64enc }} +{{- end }} +{{- if .Values.authSecret.github_app_private_key }} + github_app_private_key: {{ .Values.authSecret.github_app_private_key | toString | b64enc }} +{{- end }} +{{- if .Values.authSecret.github_token }} + github_token: {{ .Values.authSecret.github_token | toString | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/actions-runner-controller/templates/webhook_configs.yaml b/charts/actions-runner-controller/templates/webhook_configs.yaml index 2cc512e8..47ab3ef0 100644 --- a/charts/actions-runner-controller/templates/webhook_configs.yaml +++ b/charts/actions-runner-controller/templates/webhook_configs.yaml @@ -1,6 +1,10 @@ --- +{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: admissionregistration.k8s.io/v1 +{{- else -}} apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} kind: MutatingWebhookConfiguration metadata: creationTimestamp: null 
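Review bot: With `authSecret.create` now defaulting to true and every credential key commented out in values.yaml, this template renders a Secret named `controller-manager` with no data, and because the controller's `secretKeyRef`s are `optional: true` the release installs cleanly and only fails when the manager first calls GitHub. The values file states that only one authentication method may be configured at a time, but nothing here enforces it; I would add above `apiVersion` `{{- if and .Values.authSecret.github_token .Values.authSecret.github_app_id }}{{ fail "authSecret: set either github_token or the github_app_* keys, not both" }}{{ end }}`, plus a matching `fail` when neither is present. `github_app_private_key | toString | b64enc` only preserves the PEM's newlines if the key is supplied as a block scalar or via `--set-file`; a comment in values.yaml saying so would save users a confusing authentication failure.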
@@ -64,7 +68,11 @@ webhooks: - runnerreplicasets --- +{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: admissionregistration.k8s.io/v1 +{{- else -}} apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} kind: ValidatingWebhookConfiguration metadata: creationTimestamp: null diff --git a/charts/actions-runner-controller/values.yaml b/charts/actions-runner-controller/values.yaml index 12fc6965..511139a6 100644 --- a/charts/actions-runner-controller/values.yaml +++ b/charts/actions-runner-controller/values.yaml @@ -11,7 +11,8 @@ syncPeriod: 10m # Only 1 authentication method can be deployed at a time # Uncomment the configuration you are applying and fill in the details authSecret: - enabled: false + create: true + name: "controller-manager" ### GitHub Apps Configuration #github_app_id: "" #github_app_installation_id: "" @@ -21,8 +22,7 @@ authSecret: image: repository: summerwind/actions-runner-controller - # Overrides the manager image tag whose default is the chart appVersion if the tag key is commented out - tag: "latest" + tag: "v0.17.0" dindSidecarRepositoryAndTag: "docker:dind" pullPolicy: IfNotPresent @@ -46,10 +46,12 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + {} # fsGroup: 2000 -securityContext: {} +securityContext: + {} # capabilities: # drop: # - ALL @@ -61,20 +63,8 @@ service: type: ClusterIP port: 443 -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: [] - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} +resources: + {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following 
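Review bot: `{{- if semverCompare ... -}}` placed directly after the `---` document separator trims the newline on both sides, so the rendered text becomes `---apiVersion: admissionregistration.k8s.io/v1` (and likewise in the `else` branch); Helm's manifest splitter happens to accept `---` without a trailing newline, but anything that parses the rendered template as plain YAML sees a key named `---apiVersion` and no `apiVersion`. Dropping the right-hand trim on both actions — `{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion }}` and `{{- else }}` — keeps `---` on its own line in both branches; the same applies to the MutatingWebhookConfiguration hunk above. Note also that `admissionregistration.k8s.io/v1` requires `sideEffects` and `admissionReviewVersions` on every entry under `webhooks:`, which v1beta1 only recommended; those entries are outside this hunk, so please confirm they carry both fields or the apply will be rejected on 1.16+.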
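Review bot: `authSecret.create: true` with `name: "controller-manager"` becomes the default, but the values file never says how to use a pre-existing Secret (the `existingSecret` flow the commit message refers to), so users will keep pasting `github_token` / `github_app_private_key` into values files that end up in version control. I would add a comment above `create:` along the lines of `# Set create: false and point name at a Secret you manage yourself (keys: github_token, or github_app_id / github_app_installation_id / github_app_private_key). Supply these credentials via --set-file or an uncommitted values file.` The `image.tag: "v0.17.0"` default is a pinned tag rather than the null value the commit message describes; either is workable, but the description should match what ships, and a pinned tag is the better default for a component holding cluster-wide RBAC.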
@@ -104,7 +94,8 @@ affinity: {} # PriorityClass: system-cluster-critical priorityClassName: "" -env: {} +env: + {} # http_proxy: "proxy.com:8080" # https_proxy: "proxy.com:8080" # no_proxy: "" @@ -115,14 +106,10 @@ githubWebhookServer: replicaCount: 1 syncPeriod: 10m secret: - enabled: false + create: true + name: "github-webhook-server" ### GitHub Webhook Configuration #github_webhook_secret_token: "" - image: - repository: summerwind/actions-runner-controller - # Overrides the manager image tag whose default is the chart appVersion if the tag key is commented out - tag: "latest" - pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -144,10 +131,23 @@ githubWebhookServer: affinity: {} priorityClassName: "" service: - type: NodePort + type: ClusterIP ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc + - port: 80 + targetPort: http + protocol: TCP + name: http + #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc + ingress: + enabled: false + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local
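Review bot: `githubWebhookServer.secret.create: true` with `github_webhook_secret_token` commented out means a default install creates an empty Secret for the webhook server, and nothing in the values file tells the user that this token is what authenticates GitHub deliveries once `ingress.enabled` is true. I would uncomment the key as `github_webhook_secret_token: ""` with the comment `# Required once the webhook server is reachable from GitHub: the HMAC secret configured on the GitHub webhook. Use create: false and name to supply your own Secret.` The `hosts[].paths: []` example does not match the new ingress template, which reads `.path` from each entry; show the expected shape, e.g. `paths:` / `- path: /`, and quote `chart-example.local` style hosts consistently. Switching `service.type` to ClusterIP is the right default, since it stops exposing the receiver on every node when no ingress is configured.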