From 5b92c412a41756fb96cea416b3b7b0c02e45ea25 Mon Sep 17 00:00:00 2001
From: Yusuke Kuoka
Date: Thu, 17 Feb 2022 09:16:16 +0900
Subject: [PATCH] chart: Allow using different secrets for controller-manager and gh-webhook-server (#1122)

* chart: Allow using different secrets for controller-manager and gh-webhook-server

As it is entirely possible to do so because they are two different K8s deployments. It may provide better scalability because then each component gets its own GitHub API quota.
---
 acceptance/deploy.sh | 10 ++++++++++
 charts/actions-runner-controller/README.md | 3 ++-
 .../actions-runner-controller/templates/_helpers.tpl | 4 ++++
 .../templates/githubwebhook.deployment.yaml | 10 +++++-----
 charts/actions-runner-controller/values.yaml | 1 +
 5 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/acceptance/deploy.sh b/acceptance/deploy.sh
index d602dea8..45538ad7 100755
--- a/acceptance/deploy.sh
+++ b/acceptance/deploy.sh
@@ -25,6 +25,16 @@ else
 exit 1
 fi
 
+if [ -n "${WEBHOOK_GITHUB_TOKEN}" ]; then
+ kubectl -n actions-runner-system delete secret \
+ github-webhook-server || :
+ kubectl -n actions-runner-system create secret generic \
+ github-webhook-server \
+ --from-literal=github_token=${WEBHOOK_GITHUB_TOKEN:?WEBHOOK_GITHUB_TOKEN must not be empty}
+else
+ echo 'Skipped deploying secret "github-webhook-server". Set WEBHOOK_GITHUB_TOKEN to deploy.' 1>&2
+fi
+
 tool=${ACCEPTANCE_TEST_DEPLOYMENT_TOOL}
 
 if [ "${tool}" == "helm" ]; then
diff --git a/charts/actions-runner-controller/README.md b/charts/actions-runner-controller/README.md
index 40b76bb9..77bbe38b 100644
--- a/charts/actions-runner-controller/README.md
+++ b/charts/actions-runner-controller/README.md
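Review bot: The new `create secret generic` call hands the token to kubectl as a `--from-literal` argument, so it sits in the process list of the CI host for the duration of the call and would be printed verbatim if the script were ever traced with `set -x`; the `${WEBHOOK_GITHUB_TOKEN:?...}` expansion on that line is also unquoted, so a value containing whitespace or glob characters would be split or expanded, and the `:?` check is redundant under the enclosing `[ -n ... ]` test. Feeding the value through stdin avoids all three: `printf '%s' "${WEBHOOK_GITHUB_TOKEN}" | kubectl -n actions-runner-system create secret generic github-webhook-server --from-file=github_token=/dev/stdin`. The `|| :` on the preceding delete also swallows failures other than "not found" (an RBAC or connectivity error, for example), so the script only learns of the problem from the subsequent create; `kubectl -n actions-runner-system delete secret github-webhook-server --ignore-not-found` keeps the idempotence while surfacing real errors. If the script runs under `set -u`, the guard should read `${WEBHOOK_GITHUB_TOKEN:-}`; the `set` options are outside this hunk, so that cannot be confirmed here.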
@@ -75,9 +75,10 @@ All additional docs are kept in the `docs/` folder, this README is solely for do
 | `admissionWebHooks.caBundle` | Base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate | |
 | `githubWebhookServer.logLevel` | Set the log level of the githubWebhookServer container | |
 | `githubWebhookServer.replicaCount` | Set the number of webhook server pods | 1 |
-| `githubWebhookServer.useRunnerGroupsVisibility` | Enable supporting runner groups with custom visibility. This will incur in extra API calls and may blow up your budget | false |
+| `githubWebhookServer.useRunnerGroupsVisibility` | Enable supporting runner groups with custom visibility. This will incur in extra API calls and may blow up your budget. Currently, you also need to set `githubWebhookServer.secret.enabled` to enable this feature. | false |
 | `githubWebhookServer.syncPeriod` | Set the period in which the controller reconciles the resources | 10m |
 | `githubWebhookServer.enabled` | Deploy the webhook server pod | false |
+| `githubWebhookServer.secret.enabled` | Passes the webhook hook secret to the github-webhook-server | false |
 | `githubWebhookServer.secret.create` | Deploy the webhook hook secret | false |
 | `githubWebhookServer.secret.name` | Set the name of the webhook hook secret | github-webhook-server |
 | `githubWebhookServer.secret.github_webhook_secret_token` | Set the webhook secret token value | |
diff --git a/charts/actions-runner-controller/templates/_helpers.tpl b/charts/actions-runner-controller/templates/_helpers.tpl
index 3bbe94cf..8d54b024 100644
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
@@ -68,6 +68,10 @@ Create the name of the service account to use
 {{- default (include "actions-runner-controller.fullname" .) .Values.authSecret.name -}}
 {{- end }}
 
+{{- define "actions-runner-controller.githubWebhookServerSecretName" -}}
+{{- default (include "actions-runner-controller.fullname" .) .Values.githubWebhookServer.secret.name -}}
+{{- end }}
+
 {{- define "actions-runner-controller.leaderElectionRoleName" -}}
 {{- include "actions-runner-controller.fullname" . }}-leader-election
 {{- end }}
diff --git a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
index 176ee346..3776fb09 100644
--- a/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
+++ b/charts/actions-runner-controller/templates/githubwebhook.deployment.yaml
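Review bot: The new `githubWebhookServerSecretName` helper falls back to `actions-runner-controller.fullname` when `githubWebhookServer.secret.name` is empty, which is the same default the controller-manager's `authSecret.name` gets in the context line just above, so an operator who blanks the name silently points the webhook server back at the controller-manager's credentials, the very sharing this change is meant to let them avoid. If that fallback is intended for backward compatibility it deserves a template comment in the style of the surrounding helpers, e.g. `{{/* Name of the Secret holding the github-webhook-server's GitHub credentials; defaults to the release fullname, i.e. the controller-manager's secret, when .Values.githubWebhookServer.secret.name is empty */}}`; otherwise wrapping the value in `required` would make a blank name an install-time error instead of a quiet credential reuse. Whether the template that renders the secret under `secret.create` uses this helper or the raw value is not visible in this diff and is worth checking, since if the two diverge the deployment references a secret that is never created.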
@@ -69,30 +69,30 @@ spec:
 - name: GITHUB_UPLOAD_URL
 value: {{ .Values.githubUploadURL }}
 {{- end }}
- {{- if and .Values.githubWebhookServer.useRunnerGroupsVisibility .Values.authSecret.enabled }}
+ {{- if and .Values.githubWebhookServer.useRunnerGroupsVisibility .Values.githubWebhookServer.secret.enabled }}
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
 key: github_token
- name: {{ include "actions-runner-controller.secretName" . }}
+ name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
 optional: true
 - name: GITHUB_APP_ID
 valueFrom:
 secretKeyRef:
 key: github_app_id
- name: {{ include "actions-runner-controller.secretName" . }}
+ name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
 optional: true
 - name: GITHUB_APP_INSTALLATION_ID
 valueFrom:
 secretKeyRef:
 key: github_app_installation_id
- name: {{ include "actions-runner-controller.secretName" . }}
+ name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
 optional: true
 - name: GITHUB_APP_PRIVATE_KEY
 valueFrom:
 secretKeyRef:
 key: github_app_private_key
- name: {{ include "actions-runner-controller.secretName" . }}
+ name: {{ include "actions-runner-controller.githubWebhookServerSecretName" . }}
 optional: true
 {{- if .Values.authSecret.github_basicauth_username }}
 - name: GITHUB_BASICAUTH_USERNAME
diff --git a/charts/actions-runner-controller/values.yaml b/charts/actions-runner-controller/values.yaml
index e39e896a..ebbba393 100644
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@@ -171,6 +171,7 @@ githubWebhookServer:
 syncPeriod: 10m
 useRunnerGroupsVisibility: false
 secret:
+ enabled: false
 create: false
 name: "github-webhook-server"
 ### GitHub Webhook Configuration
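Review bot: The separation is only partial: `GITHUB_TOKEN` and the three `GITHUB_APP_*` references now point at the webhook server's own secret, but the `GITHUB_BASICAUTH_USERNAME` block that follows is still gated on `.Values.authSecret.github_basicauth_username` (visible in the trailing context line) and, as far as can be seen here, presumably still reads the controller-manager's secret, so an operator who sets `githubWebhookServer.secret.enabled` would not expect basic-auth credentials to come from a different secret; the env list continues past the end of the hunk. Every new `secretKeyRef` also keeps `optional: true`, so a typo in `githubWebhookServer.secret.name` produces a pod that schedules with no credentials and only fails at the first runner-group API call; if that leniency is intended, a comment such as `# optional: the pod must still start when only the webhook secret token is configured; with useRunnerGroupsVisibility a missing key surfaces as GitHub API errors` would save the next reader a debugging session. The README row added in this commit says `secret.enabled` is required for `useRunnerGroupsVisibility`, which matches the new `and` condition, but nothing warns when the visibility flag is set without the secret flag; a `{{- fail "githubWebhookServer.secret.enabled must be true when useRunnerGroupsVisibility is set" }}` branch would make the misconfiguration loud at install time.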
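Review bot: The new `enabled: false` key under `githubWebhookServer.secret` carries no comment, and the README table is the only place that distinguishes it from the adjacent `create: false`, so a reader of values.yaml cannot tell that one wires the secret into the pod while the other renders it. Suggest a comment directly above the key, e.g. `# enabled: reference this secret from the github-webhook-server pod (the Secret object itself is only rendered when create is true); useRunnerGroupsVisibility has no effect unless this is true`.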