extract and fix self signed certs
This commit is contained in:
parent
79d88d5243
commit
9793473a0d
@ -69,3 +69,116 @@ Takes a map of user labels and removes the ones with "actions.github.com/" prefi
|
|||
{{- end }}
|
||||
|
||||
|
||||
{{/*
|
||||
GitHub Server TLS helper parts
|
||||
|
||||
These helpers centralize TLS env/volumeMount/volume snippets so that runner modes
|
||||
inject the certificate consistently.
|
||||
|
||||
Behavior:
|
||||
- If githubServerTLS.runnerMountPath is empty: emit nothing.
|
||||
- If runnerMountPath is set: require certificateFrom.configMapKeyRef.name + key.
|
||||
- Avoid duplicating user-provided env vars / volumeMounts.
|
||||
*/}}
|
||||
|
||||
{{- define "githubServerTLS.config" -}}
|
||||
{{- $tls := (default (dict) .Values.githubServerTLS) -}}
|
||||
{{- if and (not (empty $tls)) (not (kindIs "map" $tls)) -}}
|
||||
{{- fail "githubServerTLS must be a map/object" -}}
|
||||
{{- end -}}
|
||||
{{- toYaml $tls -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "githubServerTLS.mountPath" -}}
|
||||
{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}}
|
||||
{{- (index $tls "runnerMountPath" | default "") -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "githubServerTLS.configMapName" -}}
|
||||
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
|
||||
{{- if not (empty $mountPath) -}}
|
||||
{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}}
|
||||
{{- required "githubServerTLS.certificateFrom.configMapKeyRef.name is required when githubServerTLS.runnerMountPath is set" (dig "certificateFrom" "configMapKeyRef" "name" "" $tls) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "githubServerTLS.certKey" -}}
|
||||
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
|
||||
{{- if not (empty $mountPath) -}}
|
||||
{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}}
|
||||
{{- required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (dig "certificateFrom" "configMapKeyRef" "key" "" $tls) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "githubServerTLS.certFilePath" -}}
|
||||
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
|
||||
{{- if not (empty $mountPath) -}}
|
||||
{{- $key := include "githubServerTLS.certKey" . -}}
|
||||
{{- printf "%s/%s" (trimSuffix "/" $mountPath) $key -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "githubServerTLS.envItems" -}}
|
||||
{{- $root := .root -}}
|
||||
{{- $mountPath := include "githubServerTLS.mountPath" $root -}}
|
||||
{{- if not (empty $mountPath) -}}
|
||||
{{- $existing := (.existingEnv | default list) -}}
|
||||
{{- $hasNodeExtra := false -}}
|
||||
{{- $hasRunnerUpdate := false -}}
|
||||
{{- if kindIs "slice" $existing -}}
|
||||
{{- range $existing -}}
|
||||
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "NODE_EXTRA_CA_CERTS") -}}
|
||||
{{- $hasNodeExtra = true -}}
|
||||
{{- end -}}
|
||||
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "RUNNER_UPDATE_CA_CERTS") -}}
|
||||
{{- $hasRunnerUpdate = true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if not $hasNodeExtra -}}
|
||||
- name: NODE_EXTRA_CA_CERTS
|
||||
value: {{ include "githubServerTLS.certFilePath" $root | quote }}
|
||||
{{ end }}
|
||||
{{- if not $hasRunnerUpdate -}}
|
||||
- name: RUNNER_UPDATE_CA_CERTS
|
||||
value: "1"
|
||||
{{ end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "githubServerTLS.volumeMountItem" -}}
|
||||
{{- $root := .root -}}
|
||||
{{- $mountPath := include "githubServerTLS.mountPath" $root -}}
|
||||
{{- if not (empty $mountPath) -}}
|
||||
{{- $existing := (.existingVolumeMounts | default list) -}}
|
||||
{{- $hasMount := false -}}
|
||||
{{- if kindIs "slice" $existing -}}
|
||||
{{- range $existing -}}
|
||||
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "github-server-tls-cert") -}}
|
||||
{{- $hasMount = true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if not $hasMount -}}
|
||||
- name: github-server-tls-cert
|
||||
mountPath: {{ $mountPath | quote }}
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "githubServerTLS.podVolumeItem" -}}
|
||||
{{- $mountPath := include "githubServerTLS.mountPath" . -}}
|
||||
{{- if not (empty $mountPath) -}}
|
||||
{{- $cmName := include "githubServerTLS.configMapName" . -}}
|
||||
{{- $key := include "githubServerTLS.certKey" . -}}
|
||||
- name: github-server-tls-cert
|
||||
configMap:
|
||||
name: {{ $cmName | quote }}
|
||||
items:
|
||||
- key: {{ $key | quote }}
|
||||
path: {{ $key | quote }}
|
||||
{{ end }}
|
||||
{{ end }}
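Review bot: `githubServerTLS.volumeMountItem` de-duplicates only on the volume name `github-server-tls-cert` (the `eq` on the `name` field inside its `range`), so a user mount with a different name at the same path is emitted next to the chart's, and the API server rejects a container whose volumeMounts share a mountPath. Widening the test to `{{- if and (kindIs "map" .) (or (eq ((index . "name") | default "") "github-server-tls-cert") (eq ((index . "mountPath") | default "") $mountPath)) -}}` covers that case. The header comment's "Avoid duplicating user-provided env vars / volumeMounts" should also state that a user-provided `NODE_EXTRA_CA_CERTS` or `RUNNER_UPDATE_CA_CERTS` entry wins as-is and its value is not checked against the mounted certificate path, since with a differing value the mounted certificate is never picked up. Finally, `githubServerTLS.podVolumeItem` closes with two plain `{{ end }}` tags whereas its sibling helpers use `{{- end -}}`, so it alone emits trailing newlines.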
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,10 +1,4 @@
|
|||
{{- define "runner-mode-dind.runner-container" -}}
|
||||
{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
|
||||
{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}}
|
||||
{{- $tlsCertKey := "" -}}
|
||||
{{- if $tlsMountPath -}}
|
||||
{{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}}
|
||||
{{- end -}}
|
||||
name: runner
|
||||
image: {{ include "runner.image" . | quote }}
|
||||
command: {{ include "runner.command" . }}
|
||||
|
|
@ -15,22 +9,13 @@ env:
|
|||
{{- with .Values.runner.env }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- if $tlsMountPath }}
|
||||
- name: NODE_EXTRA_CA_CERTS
|
||||
value: {{ printf "%s/%s" (trimSuffix "/" $tlsMountPath) $tlsCertKey | quote }}
|
||||
- name: RUNNER_UPDATE_CA_CERTS
|
||||
value: "1"
|
||||
{{- end }}
|
||||
{{ include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) | nindent 2 }}
|
||||
volumeMounts:
|
||||
- name: work
|
||||
mountPath: /home/runner/_work
|
||||
- name: dind-sock
|
||||
mountPath: {{ include "runner-mode-dind.sock-mount-dir" . | quote }}
|
||||
{{- if $tlsMountPath }}
|
||||
- name: github-server-tls-cert
|
||||
mountPath: {{ $tlsMountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-mode-dind.dind-container" -}}
|
||||
|
|
@ -63,26 +48,11 @@ volumeMounts:
|
|||
{{- end }}
|
||||
|
||||
{{- define "runner-mode-dind.pod-volumes" -}}
|
||||
{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
|
||||
{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}}
|
||||
{{- $tlsCMName := "" -}}
|
||||
{{- $tlsCertKey := "" -}}
|
||||
{{- if $tlsMountPath -}}
|
||||
{{- $tlsCMName = required "githubServerTLS.certificateFrom.configMapKeyRef.name is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "name") -}}
|
||||
{{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}}
|
||||
{{- end -}}
|
||||
- name: work
|
||||
emptyDir: {}
|
||||
- name: dind-sock
|
||||
emptyDir: {}
|
||||
{{- if $tlsMountPath }}
|
||||
- name: github-server-tls-cert
|
||||
configMap:
|
||||
name: {{ $tlsCMName | quote }}
|
||||
items:
|
||||
- key: {{ $tlsCertKey | quote }}
|
||||
path: {{ $tlsCertKey | quote }}
|
||||
{{- end }}
|
||||
{{ include "githubServerTLS.podVolumeItem" . }}
|
||||
{{- if .Values.runner.dind.copyExternals }}
|
||||
- name: dind-externals
|
||||
emptyDir: {}
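Review bot: The `githubServerTLS.podVolumeItem` include in `runner-mode-dind.pod-volumes` is inserted without `nindent`, unlike the `envItems` and `volumeMountItem` includes in this file, which use `| nindent 2`; `runner-mode-kubernetes.pod-volumes` has the same pattern. The rendered page drops indentation, so I cannot confirm that the helper's `configMap:` and `items:` lines land under `- name: github-server-tls-cert` at the column the surrounding `- name: work` entries use, and the helper's untrimmed `{{ end }}` tags add trailing newlines here. A `helm template` run with `runnerMountPath` set would settle it; if the column is wrong, an explicit `nindent` like the other includes is the consistent fix.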
|
||||
|
|
|
|||
|
|
@ -5,73 +5,29 @@ Container spec that is expanded for the runner container
|
|||
{{- if not .Values.runner.container }}
|
||||
{{ fail "You must provide a runner container specification in values.runner.container" }}
|
||||
{{- end }}
|
||||
{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
|
||||
{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}}
|
||||
{{- $tlsCertKey := "" -}}
|
||||
{{- if $tlsMountPath -}}
|
||||
{{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}}
|
||||
{{- end -}}
|
||||
name: runner
|
||||
image: {{ .Values.runner.container.image | default "ghcr.io/actions/runner:latest" }}
|
||||
command: {{ toJson (default (list "/home/runner/run.sh") .Values.runner.container.command) }}
|
||||
|
||||
{{/* Merge/add TLS env vars without duplicating user-defined ones */}}
|
||||
{{ $setNodeExtraCaCerts := false }}
|
||||
{{ $setRunnerUpdateCaCerts := false }}
|
||||
{{ if $tlsMountPath }}
|
||||
{{ $setNodeExtraCaCerts = true }}
|
||||
{{ $setRunnerUpdateCaCerts = true }}
|
||||
{{ with .Values.runner.container.env }}
|
||||
{{ range . }}
|
||||
{{ if and (kindIs "map" .) (eq ((index . "name") | default "") "NODE_EXTRA_CA_CERTS") }}
|
||||
{{ $setNodeExtraCaCerts = false }}
|
||||
{{ end }}
|
||||
{{ if and (kindIs "map" .) (eq ((index . "name") | default "") "RUNNER_UPDATE_CA_CERTS") }}
|
||||
{{ $setRunnerUpdateCaCerts = false }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ if or .Values.runner.container.env $setNodeExtraCaCerts $setRunnerUpdateCaCerts }}
|
||||
{{ $tlsEnvItems := include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.container.env | default list)) }}
|
||||
{{ if or .Values.runner.container.env $tlsEnvItems }}
|
||||
env:
|
||||
{{- with .Values.runner.container.env }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- if $setNodeExtraCaCerts }}
|
||||
- name: NODE_EXTRA_CA_CERTS
|
||||
value: {{ printf "%s/%s" (trimSuffix "/" $tlsMountPath) $tlsCertKey | quote }}
|
||||
{{- end }}
|
||||
{{- if $setRunnerUpdateCaCerts }}
|
||||
- name: RUNNER_UPDATE_CA_CERTS
|
||||
value: "1"
|
||||
{{- end }}
|
||||
{{ $tlsEnvItems | nindent 2 }}
|
||||
{{ end }}
|
||||
|
||||
{{/* Merge/add TLS volumeMount without duplicating user-defined ones */}}
|
||||
{{ $setTLSVolumeMount := false }}
|
||||
{{ if $tlsMountPath }}
|
||||
{{ $setTLSVolumeMount = true }}
|
||||
{{ with .Values.runner.container.volumeMounts }}
|
||||
{{ range . }}
|
||||
{{ if and (kindIs "map" .) (eq ((index . "name") | default "") "github-server-tls-cert") }}
|
||||
{{ $setTLSVolumeMount = false }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ if or .Values.runner.container.volumeMounts $setTLSVolumeMount }}
|
||||
{{ $tlsVolumeMountItem := include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (.Values.runner.container.volumeMounts | default list)) }}
|
||||
{{ if or .Values.runner.container.volumeMounts $tlsVolumeMountItem }}
|
||||
volumeMounts:
|
||||
{{- with .Values.runner.container.volumeMounts }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- if $setTLSVolumeMount }}
|
||||
- name: github-server-tls-cert
|
||||
mountPath: {{ $tlsMountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{ $tlsVolumeMountItem | nindent 2 }}
|
||||
{{ end }}
|
||||
|
||||
{{ $extra := omit .Values.runner.container "name" "image" "command" "env" "volumeMounts" -}}
|
||||
{{ $extra := omit .Values.runner.container "name" "image" "command" "env" "volumeMounts" }}
|
||||
{{- if not (empty $extra) -}}
|
||||
{{ toYaml $extra }}
|
||||
{{- end -}}
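Review bot: `{{ $tlsEnvItems | nindent 2 }}` still runs when the helper returns an empty string (TLS not configured but `.Values.runner.container.env` set), so the `env:` list ends in a whitespace-only line; `{{ $tlsVolumeMountItem | nindent 2 }}` below and `{{ $tlsEnvItems | nindent 2 }}` in `runner-mode-kubernetes.runner-container` behave the same way. Wrapping each as `{{- with $tlsEnvItems }}{{ . | nindent 2 }}{{- end }}` keeps the output tight, matching what the file's existing `{{- with ... }}` blocks produce. Harmless to the YAML parser, but it is the one visible regression in rendered output from the refactor. The enclosing template begins before this hunk.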
|
||||
|
|
|
|||
|
|
@ -1,12 +1,6 @@
|
|||
{{- define "runner-mode-kubernetes.runner-container" -}}
|
||||
{{- $runner := (.Values.runner | default dict) -}}
|
||||
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
|
||||
{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
|
||||
{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}}
|
||||
{{- $tlsCertKey := "" -}}
|
||||
{{- if $tlsMountPath -}}
|
||||
{{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}}
|
||||
{{- end -}}
|
||||
{{- $hookPath := (index $kubeMode "hookPath" | default "/home/runner/k8s/index.js") -}}
|
||||
{{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}}
|
||||
{{- $extension := (index $kubeMode "extension" | default dict) -}}
|
||||
|
|
@ -58,23 +52,7 @@ name: runner
|
|||
image: {{ include "runner.image" . | quote }}
|
||||
command: {{ include "runner.command" . }}
|
||||
|
||||
{{ $setNodeExtraCaCerts := false -}}
|
||||
{{ $setRunnerUpdateCaCerts := false -}}
|
||||
{{ $userEnv := (.Values.runner.env | default list) -}}
|
||||
{{ if $tlsMountPath -}}
|
||||
{{- $setNodeExtraCaCerts = true -}}
|
||||
{{- $setRunnerUpdateCaCerts = true -}}
|
||||
{{- if kindIs "slice" $userEnv -}}
|
||||
{{- range $userEnv -}}
|
||||
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "NODE_EXTRA_CA_CERTS") -}}
|
||||
{{- $setNodeExtraCaCerts = false -}}
|
||||
{{- end -}}
|
||||
{{- if and (kindIs "map" .) (eq ((index . "name") | default "") "RUNNER_UPDATE_CA_CERTS") -}}
|
||||
{{- $setRunnerUpdateCaCerts = false -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{ end -}}
|
||||
{{ $tlsEnvItems := include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) }}
|
||||
env:
|
||||
- name: ACTIONS_RUNNER_CONTAINER_HOOKS
|
||||
value: {{ $hookPath | quote }}
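Review bot: The new `{{ $tlsEnvItems := include ... }}` line carries no trim marker, whereas the assignments it replaces ended in `-}}`, so an extra blank line is now rendered between `command:` and `env:` (assuming the page preserved the markers). `{{ $tlsEnvItems := include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) -}}` restores the previous output; a left-side `{{-` should be avoided here because it would also consume the newline after the `command:` line and join `env:` onto it. The enclosing `runner-mode-kubernetes.runner-container` define starts in an earlier hunk.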
|
||||
|
|
@ -91,14 +69,7 @@ env:
|
|||
{{- with .Values.runner.env }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- if $setNodeExtraCaCerts }}
|
||||
- name: NODE_EXTRA_CA_CERTS
|
||||
value: {{ printf "%s/%s" (trimSuffix "/" $tlsMountPath) $tlsCertKey | quote }}
|
||||
{{- end }}
|
||||
{{- if $setRunnerUpdateCaCerts }}
|
||||
- name: RUNNER_UPDATE_CA_CERTS
|
||||
value: "1"
|
||||
{{- end }}
|
||||
{{ $tlsEnvItems | nindent 2 }}
|
||||
volumeMounts:
|
||||
- name: work
|
||||
mountPath: /home/runner/_work
|
||||
|
|
@ -108,24 +79,12 @@ volumeMounts:
|
|||
subPath: extension
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if $tlsMountPath }}
|
||||
- name: github-server-tls-cert
|
||||
mountPath: {{ $tlsMountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-mode-kubernetes.pod-volumes" -}}
|
||||
{{- $runner := (.Values.runner | default dict) -}}
|
||||
{{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
|
||||
{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
|
||||
{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}}
|
||||
{{- $tlsConfigMapName := "" -}}
|
||||
{{- $tlsCertKey := "" -}}
|
||||
{{- if $tlsMountPath -}}
|
||||
{{- $tlsConfigMapName = required "githubServerTLS.certificateFrom.configMapKeyRef.name is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "name") -}}
|
||||
{{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}}
|
||||
{{- end -}}
|
||||
{{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}}
|
||||
{{- $extension := (index $kubeMode "extension" | default dict) -}}
|
||||
{{- $extensionYamlRaw := "" -}}
|
||||
|
|
@ -169,14 +128,7 @@ volumeMounts:
|
|||
name: {{ if not (empty $extensionRef) }}{{ $extensionRef | quote }}{{ else }}{{ include "runner-mode-kubernetes.extension-name" . | quote }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $tlsMountPath }}
|
||||
- name: github-server-tls-cert
|
||||
configMap:
|
||||
name: {{ $tlsConfigMapName | quote }}
|
||||
items:
|
||||
- key: {{ $tlsCertKey | quote }}
|
||||
path: {{ $tlsCertKey | quote }}
|
||||
{{- end }}
|
||||
{{ include "githubServerTLS.podVolumeItem" . }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
|
|
|
|||