Add mTLS (mutual TLS) support for proxy connections

This change adds support for mTLS authentication when connecting through
proxies that require client certificates (e.g., corporate proxies like Kraken).

Changes:
- Add ProxyTLSConfig type with fields for:
  - clientCertSecretRef: K8s secret with tls.crt and tls.key
  - caCertSecretRef: K8s secret with ca.crt
  - caCertConfigMapRef: ConfigMap with ca.crt (alternative)
  - insecureSkipVerify: Skip server cert verification (testing only)

- Update ProxyServerConfig to include optional TLS configuration

- Add proxyTLSVolumesAndMounts helper to create volumes and mounts
  for proxy TLS certificates

- Update listener pod creation to mount proxy TLS certs at
  /etc/proxy-tls/{http,https}-proxy/{client,ca}/

- Update runner pod creation to mount proxy TLS certs

- Update Helm values.yaml with mTLS configuration examples

- Update Helm templates to pass TLS config to CRD

- Regenerate CRDs with new ProxyTLSConfig schema

Note: This provides the infrastructure to mount certificates. The actual
TLS client configuration in ghalistener requires corresponding changes
in the github.com/actions/scaleset library to use these certificates.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Dhawal Seth 2026-05-18 23:23:06 -07:00
parent a762ab9b0b
commit 784aad7778
17 changed files with 1657 additions and 21 deletions


@ -264,6 +264,38 @@ type ProxyServerConfig struct {
// +optional
CredentialSecretRef string `json:"credentialSecretRef,omitempty"`
// +optional
// TLS configures mTLS (mutual TLS) for the proxy connection.
// When set, the client will present a certificate to the proxy server.
TLS *ProxyTLSConfig `json:"tls,omitempty"`
}
// ProxyTLSConfig configures mTLS for proxy connections.
type ProxyTLSConfig struct {
// ClientCertSecretRef is a reference to a Kubernetes secret containing
// the client certificate and key for mTLS authentication.
// The secret must contain 'tls.crt' and 'tls.key' keys.
// +optional
ClientCertSecretRef string `json:"clientCertSecretRef,omitempty"`
// CACertSecretRef is a reference to a Kubernetes secret containing
// the CA certificate to verify the proxy server's certificate.
// The secret must contain a 'ca.crt' key.
// +optional
CACertSecretRef string `json:"caCertSecretRef,omitempty"`
// CACertConfigMapRef is a reference to a ConfigMap containing
// the CA certificate to verify the proxy server's certificate.
// The ConfigMap must contain a 'ca.crt' key.
// Alternative to CACertSecretRef when CA cert is not sensitive.
// +optional
CACertConfigMapRef string `json:"caCertConfigMapRef,omitempty"`
// InsecureSkipVerify disables server certificate verification.
// WARNING: This should only be used for testing.
// +optional
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
}
type VaultConfig struct {
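Review bot: The ProxyTLSConfig struct leaves the combinations that matter for security unspecified: nothing says which of `CACertSecretRef` and `CACertConfigMapRef` wins when both are set, and `InsecureSkipVerify` can be combined with a CA ref and with a client certificate, in which case the client certificate (and the credential from `CredentialSecretRef`) is presented to a peer that was never authenticated. If the controller-gen version used to regenerate the CRDs supports CEL, reject the invalid combinations at the API boundary with a struct-level marker such as `// +kubebuilder:validation:XValidation:rule="!(has(self.caCertSecretRef) && has(self.caCertConfigMapRef))",message="caCertSecretRef and caCertConfigMapRef are mutually exclusive"` plus a second rule that forbids `insecureSkipVerify` alongside any CA ref; otherwise state the precedence in the field comments, since they become the CRD descriptions operators read. The doc comment on `TLS` ("When set, the client will present a certificate to the proxy server") overstates what the type guarantees: every field is optional, and the commit description itself says the listener does not yet consume these mounts, so the comment should say that setting `tls` currently only mounts the referenced material and that verification is not enforced until the scaleset library change lands. On `InsecureSkipVerify` add `// Also disables hostname checking; any configured client certificate is then sent to an unverified peer.`, and on `CACertConfigMapRef` note that although the CA is not confidential it is integrity-sensitive, so write access to that ConfigMap is equivalent to being able to impersonate the proxy.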


@ -696,12 +696,12 @@ func (in *ProxyConfig) DeepCopyInto(out *ProxyConfig) {
if in.HTTP != nil {
in, out := &in.HTTP, &out.HTTP
*out = new(ProxyServerConfig)
**out = **in
(*in).DeepCopyInto(*out)
}
if in.HTTPS != nil {
in, out := &in.HTTPS, &out.HTTPS
*out = new(ProxyServerConfig)
**out = **in
(*in).DeepCopyInto(*out)
}
if in.NoProxy != nil {
in, out := &in.NoProxy, &out.NoProxy
@ -723,6 +723,11 @@ func (in *ProxyConfig) DeepCopy() *ProxyConfig {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProxyServerConfig) DeepCopyInto(out *ProxyServerConfig) {
*out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(ProxyTLSConfig)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyServerConfig.
@ -735,6 +740,21 @@ func (in *ProxyServerConfig) DeepCopy() *ProxyServerConfig {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProxyTLSConfig) DeepCopyInto(out *ProxyTLSConfig) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyTLSConfig.
func (in *ProxyTLSConfig) DeepCopy() *ProxyTLSConfig {
if in == nil {
return nil
}
out := new(ProxyTLSConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ResourceMeta) DeepCopyInto(out *ResourceMeta) {
*out = *in


@ -192,6 +192,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -200,6 +230,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8782,6 +8842,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8790,6 +8880,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -8366,6 +8366,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8374,6 +8404,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -16518,6 +16578,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -16526,6 +16616,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -143,6 +143,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -151,6 +181,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8268,6 +8328,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8276,6 +8366,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -146,6 +146,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -154,6 +184,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8271,6 +8331,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8279,6 +8369,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -192,6 +192,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -200,6 +230,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8782,6 +8842,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8790,6 +8880,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -8366,6 +8366,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8374,6 +8404,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -16518,6 +16578,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -16526,6 +16616,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -143,6 +143,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -151,6 +181,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8268,6 +8328,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8276,6 +8366,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -146,6 +146,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -154,6 +184,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8271,6 +8331,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8279,6 +8369,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -124,6 +124,21 @@ spec:
{{- if .Values.proxy.http.credentialSecretRef }}
credentialSecretRef: {{ .Values.proxy.http.credentialSecretRef }}
{{- end }}
{{- if .Values.proxy.http.tls }}
tls:
{{- if .Values.proxy.http.tls.clientCertSecretRef }}
clientCertSecretRef: {{ .Values.proxy.http.tls.clientCertSecretRef }}
{{- end }}
{{- if .Values.proxy.http.tls.caCertSecretRef }}
caCertSecretRef: {{ .Values.proxy.http.tls.caCertSecretRef }}
{{- end }}
{{- if .Values.proxy.http.tls.caCertConfigMapRef }}
caCertConfigMapRef: {{ .Values.proxy.http.tls.caCertConfigMapRef }}
{{- end }}
{{- if .Values.proxy.http.tls.insecureSkipVerify }}
insecureSkipVerify: {{ .Values.proxy.http.tls.insecureSkipVerify }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.proxy.https }}
https:
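Review bot: The `tls:` block at `.Values.proxy.http.tls` passes `caCertSecretRef` and `caCertConfigMapRef` through independently, so a values file that sets both renders both into the CRD and nothing in the chart or the schema says which CA wins. A chart-level guard before `tls:` would make the conflict visible at install time, e.g. `{{- if and .Values.proxy.http.tls.caCertSecretRef .Values.proxy.http.tls.caCertConfigMapRef }}` / `{{- fail "proxy.http.tls: set only one of caCertSecretRef or caCertConfigMapRef" }}` / `{{- end }}`. The same applies to the `.Values.proxy.https.tls` block in the hunk at -131 below. Note also that `insecureSkipVerify` is only emitted when truthy, which is fine given the boolean's zero default, but a short comment in values.yaml saying so would save readers from looking for an explicit `false` path.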
@ -131,6 +146,21 @@ spec:
{{- if .Values.proxy.https.credentialSecretRef }}
credentialSecretRef: {{ .Values.proxy.https.credentialSecretRef }}
{{- end }}
{{- if .Values.proxy.https.tls }}
tls:
{{- if .Values.proxy.https.tls.clientCertSecretRef }}
clientCertSecretRef: {{ .Values.proxy.https.tls.clientCertSecretRef }}
{{- end }}
{{- if .Values.proxy.https.tls.caCertSecretRef }}
caCertSecretRef: {{ .Values.proxy.https.tls.caCertSecretRef }}
{{- end }}
{{- if .Values.proxy.https.tls.caCertConfigMapRef }}
caCertConfigMapRef: {{ .Values.proxy.https.tls.caCertConfigMapRef }}
{{- end }}
{{- if .Values.proxy.https.tls.insecureSkipVerify }}
insecureSkipVerify: {{ .Values.proxy.https.tls.insecureSkipVerify }}
{{- end }}
{{- end }}
{{- end }}
{{- if and .Values.proxy.noProxy (kindIs "slice" .Values.proxy.noProxy) }}
noProxy: {{ .Values.proxy.noProxy | toYaml | nindent 6}}


@ -45,14 +45,28 @@ githubConfigSecret:
## proxy can be used to define proxy settings that will be used by the
## controller, the listener and the runner of this scale set.
##
## For basic auth, use credentialSecretRef pointing to a secret with `username` and `password` keys.
## For mTLS (mutual TLS), use the tls section with client certificate configuration.
#
# proxy:
# http:
# url: http://proxy.com:1234
# credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
# https:
# url: http://proxy.com:1234
# url: https://proxy.com:1234
# credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
# ## mTLS configuration for proxies that require client certificate authentication
# tls:
# ## Secret containing client certificate and key (must have 'tls.crt' and 'tls.key' keys)
# ## You can create this with: kubectl create secret tls proxy-client-cert --cert=client.crt --key=client.key
# clientCertSecretRef: proxy-client-cert
# ## Secret containing CA certificate to verify proxy server (must have 'ca.crt' key)
# caCertSecretRef: proxy-ca-cert
# ## Or use a ConfigMap for the CA cert (must have 'ca.crt' key)
# # caCertConfigMapRef: proxy-ca-configmap
# ## Skip server certificate verification (NOT recommended for production)
# # insecureSkipVerify: false
# noProxy:
# - example.com
# - example.org


@ -192,6 +192,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -200,6 +230,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8782,6 +8842,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8790,6 +8880,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -8366,6 +8366,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8374,6 +8404,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -16518,6 +16578,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -16526,6 +16616,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -143,6 +143,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -151,6 +181,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8268,6 +8328,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8276,6 +8366,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -146,6 +146,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -154,6 +184,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8271,6 +8331,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string
@ -8279,6 +8369,36 @@ spec:
properties:
credentialSecretRef:
type: string
tls:
description: |-
TLS configures mTLS (mutual TLS) for the proxy connection.
When set, the client will present a certificate to the proxy server.
properties:
caCertConfigMapRef:
description: |-
CACertConfigMapRef is a reference to a ConfigMap containing
the CA certificate to verify the proxy server's certificate.
The ConfigMap must contain a 'ca.crt' key.
Alternative to CACertSecretRef when CA cert is not sensitive.
type: string
caCertSecretRef:
description: |-
CACertSecretRef is a reference to a Kubernetes secret containing
the CA certificate to verify the proxy server's certificate.
The secret must contain a 'ca.crt' key.
type: string
clientCertSecretRef:
description: |-
ClientCertSecretRef is a reference to a Kubernetes secret containing
the client certificate and key for mTLS authentication.
The secret must contain 'tls.crt' and 'tls.key' keys.
type: string
insecureSkipVerify:
description: |-
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for testing.
type: boolean
type: object
url:
description: Required
type: string


@ -75,6 +75,89 @@ func SetListenerEntrypoint(entrypoint string) {
}
}
// proxyTLSVolumesAndMounts returns volumes and volume mounts for proxy mTLS configuration.
// It creates volumes for client certificates and CA certificates if configured.
func proxyTLSVolumesAndMounts(proxy *v1alpha1.ProxyConfig) ([]corev1.Volume, []corev1.VolumeMount) {
if proxy == nil {
return nil, nil
}
var volumes []corev1.Volume
var mounts []corev1.VolumeMount
// Helper to add TLS volumes for a proxy server config
addTLSConfig := func(prefix string, tls *v1alpha1.ProxyTLSConfig) {
if tls == nil {
return
}
// Client certificate secret
if tls.ClientCertSecretRef != "" {
volName := prefix + "-client-cert"
volumes = append(volumes, corev1.Volume{
Name: volName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: tls.ClientCertSecretRef,
},
},
})
mounts = append(mounts, corev1.VolumeMount{
Name: volName,
MountPath: "/etc/proxy-tls/" + prefix + "/client",
ReadOnly: true,
})
}
// CA certificate from secret
if tls.CACertSecretRef != "" {
volName := prefix + "-ca-cert"
volumes = append(volumes, corev1.Volume{
Name: volName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: tls.CACertSecretRef,
},
},
})
mounts = append(mounts, corev1.VolumeMount{
Name: volName,
MountPath: "/etc/proxy-tls/" + prefix + "/ca",
ReadOnly: true,
})
}
// CA certificate from configmap
if tls.CACertConfigMapRef != "" {
volName := prefix + "-ca-configmap"
volumes = append(volumes, corev1.Volume{
Name: volName,
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: tls.CACertConfigMapRef,
},
},
},
})
mounts = append(mounts, corev1.VolumeMount{
Name: volName,
MountPath: "/etc/proxy-tls/" + prefix + "/ca-cm",
ReadOnly: true,
})
}
}
if proxy.HTTP != nil {
addTLSConfig("http-proxy", proxy.HTTP.TLS)
}
if proxy.HTTPS != nil {
addTLSConfig("https-proxy", proxy.HTTPS.TLS)
}
return volumes, mounts
}
type SecretResolver interface {
GetAppConfig(ctx context.Context, obj object.ActionsGitHubObject) (*appconfig.AppConfig, error)
GetActionsService(ctx context.Context, obj object.ActionsGitHubObject) (multiclient.Client, error)
@ -266,6 +349,32 @@ func (b *ResourceBuilder) newScaleSetListenerPod(autoscalingListener *v1alpha1.A
ports = append(ports, port)
}
// Base volume mounts
volumeMounts := []corev1.VolumeMount{
{
Name: "listener-config",
MountPath: "/etc/gha-listener",
ReadOnly: true,
},
}
// Base volumes
volumes := []corev1.Volume{
{
Name: "listener-config",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: podConfig.Name,
},
},
},
}
// Add proxy mTLS volumes and mounts if configured
proxyTLSVolumes, proxyTLSMounts := proxyTLSVolumesAndMounts(autoscalingListener.Spec.Proxy)
volumes = append(volumes, proxyTLSVolumes...)
volumeMounts = append(volumeMounts, proxyTLSMounts...)
terminationGracePeriodSeconds := int64(60)
podSpec := corev1.PodSpec{
ServiceAccountName: serviceAccount.Name,
@ -280,26 +389,11 @@ func (b *ResourceBuilder) newScaleSetListenerPod(autoscalingListener *v1alpha1.A
Command: []string{
scaleSetListenerEntrypoint,
},
Ports: ports,
VolumeMounts: []corev1.VolumeMount{
{
Name: "listener-config",
MountPath: "/etc/gha-listener",
ReadOnly: true,
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "listener-config",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: podConfig.Name,
},
},
Ports: ports,
VolumeMounts: volumeMounts,
},
},
Volumes: volumes,
ImagePullSecrets: autoscalingListener.Spec.ImagePullSecrets,
RestartPolicy: corev1.RestartPolicyNever,
TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
@ -697,6 +791,10 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(runner *v1alpha1.EphemeralRunner
newPod.Spec = runner.Spec.Spec
newPod.Spec.Containers = make([]corev1.Container, 0, len(runner.Spec.Spec.Containers))
// Add proxy mTLS volumes if configured
proxyTLSVolumes, proxyTLSMounts := proxyTLSVolumesAndMounts(runner.Spec.Proxy)
newPod.Spec.Volumes = append(newPod.Spec.Volumes, proxyTLSVolumes...)
for _, c := range runner.Spec.Spec.Containers {
if c.Name == v1alpha1.EphemeralRunnerContainerName {
c.Env = append(
@ -722,6 +820,8 @@ func (b *ResourceBuilder) newEphemeralRunnerPod(runner *v1alpha1.EphemeralRunner
},
)
c.Env = append(c.Env, envs...)
// Add proxy mTLS volume mounts to runner container
c.VolumeMounts = append(c.VolumeMounts, proxyTLSMounts...)
}
newPod.Spec.Containers = append(newPod.Spec.Containers, c)