diff --git a/charts/gha-runner-scale-set-experimental/templates/_helpers.tpl b/charts/gha-runner-scale-set-experimental/templates/_helpers.tpl index abfaccca..4a4b8c29 100644 --- a/charts/gha-runner-scale-set-experimental/templates/_helpers.tpl +++ b/charts/gha-runner-scale-set-experimental/templates/_helpers.tpl 
@@ -69,3 +69,116 @@ Takes a map of user labels and removes the ones with "actions.github.com/" prefi {{- end }} +{{/* +GitHub Server TLS helper parts + +These helpers centralize TLS env/volumeMount/volume snippets so that runner modes +inject the certificate consistently. + +Behavior: +- If githubServerTLS.runnerMountPath is empty: emit nothing. +- If runnerMountPath is set: require certificateFrom.configMapKeyRef.name + key. +- Avoid duplicating user-provided env vars / volumeMounts. +*/}} + +{{- define "githubServerTLS.config" -}} +{{- $tls := (default (dict) .Values.githubServerTLS) -}} +{{- if and (not (empty $tls)) (not (kindIs "map" $tls)) -}} + {{- fail "githubServerTLS must be a map/object" -}} +{{- end -}} +{{- toYaml $tls -}} +{{- end -}} + +{{- define "githubServerTLS.mountPath" -}} +{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}} +{{- (index $tls "runnerMountPath" | default "") -}} +{{- end -}} + +{{- define "githubServerTLS.configMapName" -}} +{{- $mountPath := include "githubServerTLS.mountPath" . -}} +{{- if not (empty $mountPath) -}} +{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}} +{{- required "githubServerTLS.certificateFrom.configMapKeyRef.name is required when githubServerTLS.runnerMountPath is set" (dig "certificateFrom" "configMapKeyRef" "name" "" $tls) -}} +{{- end -}} +{{- end -}} + +{{- define "githubServerTLS.certKey" -}} +{{- $mountPath := include "githubServerTLS.mountPath" . -}} +{{- if not (empty $mountPath) -}} +{{- $tls := (include "githubServerTLS.config" .) | fromYaml -}} +{{- required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (dig "certificateFrom" "configMapKeyRef" "key" "" $tls) -}} +{{- end -}} +{{- end -}} + +{{- define "githubServerTLS.certFilePath" -}} +{{- $mountPath := include "githubServerTLS.mountPath" . -}} +{{- if not (empty $mountPath) -}} +{{- $key := include "githubServerTLS.certKey" . 
-}} +{{- printf "%s/%s" (trimSuffix "/" $mountPath) $key -}} +{{- end -}} +{{- end -}} + +{{- define "githubServerTLS.envItems" -}} +{{- $root := .root -}} +{{- $mountPath := include "githubServerTLS.mountPath" $root -}} +{{- if not (empty $mountPath) -}} +{{- $existing := (.existingEnv | default list) -}} +{{- $hasNodeExtra := false -}} +{{- $hasRunnerUpdate := false -}} +{{- if kindIs "slice" $existing -}} + {{- range $existing -}} + {{- if and (kindIs "map" .) (eq ((index . "name") | default "") "NODE_EXTRA_CA_CERTS") -}} + {{- $hasNodeExtra = true -}} + {{- end -}} + {{- if and (kindIs "map" .) (eq ((index . "name") | default "") "RUNNER_UPDATE_CA_CERTS") -}} + {{- $hasRunnerUpdate = true -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if not $hasNodeExtra -}} +- name: NODE_EXTRA_CA_CERTS + value: {{ include "githubServerTLS.certFilePath" $root | quote }} +{{ end }} +{{- if not $hasRunnerUpdate -}} +- name: RUNNER_UPDATE_CA_CERTS + value: "1" +{{ end }} +{{- end -}} +{{- end -}} + +{{- define "githubServerTLS.volumeMountItem" -}} +{{- $root := .root -}} +{{- $mountPath := include "githubServerTLS.mountPath" $root -}} +{{- if not (empty $mountPath) -}} +{{- $existing := (.existingVolumeMounts | default list) -}} +{{- $hasMount := false -}} +{{- if kindIs "slice" $existing -}} + {{- range $existing -}} + {{- if and (kindIs "map" .) (eq ((index . "name") | default "") "github-server-tls-cert") -}} + {{- $hasMount = true -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if not $hasMount -}} +- name: github-server-tls-cert + mountPath: {{ $mountPath | quote }} + readOnly: true +{{ end }} +{{- end -}} +{{- end -}} + +{{- define "githubServerTLS.podVolumeItem" -}} +{{- $mountPath := include "githubServerTLS.mountPath" . -}} +{{- if not (empty $mountPath) -}} +{{- $cmName := include "githubServerTLS.configMapName" . -}} +{{- $key := include "githubServerTLS.certKey" . 
-}} +- name: github-server-tls-cert + configMap: + name: {{ $cmName | quote }} + items: + - key: {{ $key | quote }} + path: {{ $key | quote }} +{{ end }} +{{ end }} + + diff --git a/charts/gha-runner-scale-set-experimental/templates/_mode_dind.tpl b/charts/gha-runner-scale-set-experimental/templates/_mode_dind.tpl index e58a134b..fbb66622 100644 --- a/charts/gha-runner-scale-set-experimental/templates/_mode_dind.tpl +++ b/charts/gha-runner-scale-set-experimental/templates/_mode_dind.tpl @@ -1,10 +1,4 @@ {{- define "runner-mode-dind.runner-container" -}} -{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}} -{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}} -{{- $tlsCertKey := "" -}} -{{- if $tlsMountPath -}} - {{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}} -{{- end -}} name: runner image: {{ include "runner.image" . | quote }} command: {{ include "runner.command" . }} @@ -15,22 +9,13 @@ env: {{- with .Values.runner.env }} {{- toYaml . | nindent 2 }} {{- end }} - {{- if $tlsMountPath }} - - name: NODE_EXTRA_CA_CERTS - value: {{ printf "%s/%s" (trimSuffix "/" $tlsMountPath) $tlsCertKey | quote }} - - name: RUNNER_UPDATE_CA_CERTS - value: "1" - {{- end }} + {{ include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) | nindent 2 }} volumeMounts: - name: work mountPath: /home/runner/_work - name: dind-sock mountPath: {{ include "runner-mode-dind.sock-mount-dir" . | quote }} - {{- if $tlsMountPath }} - - name: github-server-tls-cert - mountPath: {{ $tlsMountPath | quote }} - readOnly: true - {{- end }} + {{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }} {{- end }} {{- define "runner-mode-dind.dind-container" -}} 
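Review bot: The de-duplication in githubServerTLS.envItems and githubServerTLS.volumeMountItem matches on `name` only, so a user-supplied `NODE_EXTRA_CA_CERTS` (or a volumeMount named `github-server-tls-cert`) silently suppresses the chart's entry while the ConfigMap volume from githubServerTLS.podVolumeItem is still added; the "Avoid duplicating" bullet in the header comment should state that contract, e.g. `- User-provided env/volumeMount entries with the same name take precedence; the chart does not merge or validate their values.` githubServerTLS.podVolumeItem closes with two untrimmed `{{ end }}` lines while every other helper uses `{{- end -}}`, which leaves trailing blank lines in the rendered volume list; `{{- end -}}` on both keeps the helpers consistent. Every helper also re-renders githubServerTLS.config through `toYaml`/`fromYaml` (certFilePath re-parses it three times via mountPath and certKey), presumably so that `dig`/`index` receive a plain map; a one-line comment on githubServerTLS.config such as `{{/* round-trip through YAML so callers get a plain map for dig/index */}}` would explain the cost. The `{{- $key := include "githubServerTLS.certKey" . -}}` lines appear split by the page's line wrapping and are presumably single template lines.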
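Review bot: The two new `{{ include ... | nindent 2 }}` lines in runner-mode-dind.runner-container are indented by two spaces but open with `{{ ` rather than `{{- `, so the rendered env and volumeMounts lists each gain a whitespace-only line before the injected items, and when runnerMountPath is unset `nindent` still emits an empty indented line; `{{- include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) | nindent 2 }}` matches the surrounding `{{- with }}`/`{{- toYaml }}` blocks. The same applies to the `{{ $tlsEnvItems | nindent 2 }}` and `{{ include "githubServerTLS.volumeMountItem" ... }}` lines in the _mode_kubernetes.tpl hunks, and to the untrimmed `{{ $tlsEnvItems := include ... }}` assignment placed between `command:` and `env:` there, which emits a blank line inside the container spec. This is harmless to YAML but makes `helm template` output noisier to diff against the previous release. Passing `existingVolumeMounts (list)` is consistent with the dind container's fixed mounts, but a short comment saying the list is fixed here would save the next reader a lookup.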
@@ -63,26 +48,11 @@ volumeMounts: {{- end }} {{- define "runner-mode-dind.pod-volumes" -}} -{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}} -{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}} -{{- $tlsCMName := "" -}} -{{- $tlsCertKey := "" -}} -{{- if $tlsMountPath -}} - {{- $tlsCMName = required "githubServerTLS.certificateFrom.configMapKeyRef.name is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "name") -}} - {{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}} -{{- end -}} - name: work emptyDir: {} - name: dind-sock emptyDir: {} -{{- if $tlsMountPath }} -- name: github-server-tls-cert - configMap: - name: {{ $tlsCMName | quote }} - items: - - key: {{ $tlsCertKey | quote }} - path: {{ $tlsCertKey | quote }} -{{- end }} +{{ include "githubServerTLS.podVolumeItem" . }} {{- if .Values.runner.dind.copyExternals }} - name: dind-externals emptyDir: {} diff --git a/charts/gha-runner-scale-set-experimental/templates/_mode_empty.tpl b/charts/gha-runner-scale-set-experimental/templates/_mode_empty.tpl index b8408b24..e1a720a3 100644 --- a/charts/gha-runner-scale-set-experimental/templates/_mode_empty.tpl +++ b/charts/gha-runner-scale-set-experimental/templates/_mode_empty.tpl 
@@ -5,73 +5,29 @@ Container spec that is expanded for the runner container {{- if not .Values.runner.container }} {{ fail "You must provide a runner container specification in values.runner.container" }} {{- end }} -{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}} -{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}} -{{- $tlsCertKey := "" -}} -{{- if $tlsMountPath -}} - {{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}} -{{- end -}} name: runner image: {{ .Values.runner.container.image | default "ghcr.io/actions/runner:latest" }} command: {{ toJson (default (list "/home/runner/run.sh") .Values.runner.container.command) }} -{{/* Merge/add TLS env vars without duplicating user-defined ones */}} -{{ $setNodeExtraCaCerts := false }} -{{ $setRunnerUpdateCaCerts := false }} -{{ if $tlsMountPath }} - {{ $setNodeExtraCaCerts = true }} - {{ $setRunnerUpdateCaCerts = true }} - {{ with .Values.runner.container.env }} - {{ range . }} - {{ if and (kindIs "map" .) (eq ((index . "name") | default "") "NODE_EXTRA_CA_CERTS") }} - {{ $setNodeExtraCaCerts = false }} - {{ end }} - {{ if and (kindIs "map" .) (eq ((index . "name") | default "") "RUNNER_UPDATE_CA_CERTS") }} - {{ $setRunnerUpdateCaCerts = false }} - {{ end }} - {{ end }} - {{ end }} -{{ end }} -{{ if or .Values.runner.container.env $setNodeExtraCaCerts $setRunnerUpdateCaCerts }} +{{ $tlsEnvItems := include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.container.env | default list)) }} +{{ if or .Values.runner.container.env $tlsEnvItems }} env: {{- with .Values.runner.container.env }} {{- toYaml . 
| nindent 2 }} {{- end }} - {{- if $setNodeExtraCaCerts }} - - name: NODE_EXTRA_CA_CERTS - value: {{ printf "%s/%s" (trimSuffix "/" $tlsMountPath) $tlsCertKey | quote }} - {{- end }} - {{- if $setRunnerUpdateCaCerts }} - - name: RUNNER_UPDATE_CA_CERTS - value: "1" - {{- end }} +{{ $tlsEnvItems | nindent 2 }} {{ end }} -{{/* Merge/add TLS volumeMount without duplicating user-defined ones */}} -{{ $setTLSVolumeMount := false }} -{{ if $tlsMountPath }} - {{ $setTLSVolumeMount = true }} - {{ with .Values.runner.container.volumeMounts }} - {{ range . }} - {{ if and (kindIs "map" .) (eq ((index . "name") | default "") "github-server-tls-cert") }} - {{ $setTLSVolumeMount = false }} - {{ end }} - {{ end }} - {{ end }} -{{ end }} -{{ if or .Values.runner.container.volumeMounts $setTLSVolumeMount }} +{{ $tlsVolumeMountItem := include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (.Values.runner.container.volumeMounts | default list)) }} +{{ if or .Values.runner.container.volumeMounts $tlsVolumeMountItem }} volumeMounts: {{- with .Values.runner.container.volumeMounts }} {{- toYaml . | nindent 2 }} {{- end }} - {{- if $setTLSVolumeMount }} - - name: github-server-tls-cert - mountPath: {{ $tlsMountPath | quote }} - readOnly: true - {{- end }} +{{ $tlsVolumeMountItem | nindent 2 }} {{ end }} -{{ $extra := omit .Values.runner.container "name" "image" "command" "env" "volumeMounts" -}} +{{ $extra := omit .Values.runner.container "name" "image" "command" "env" "volumeMounts" }} {{- if not (empty $extra) -}} {{ toYaml $extra }} {{- end -}} diff --git a/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl b/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl index 294aee09..38d8bfa8 100644 --- a/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl +++ b/charts/gha-runner-scale-set-experimental/templates/_mode_kubernetes.tpl 
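Review bot: The two explanatory comments the hunk removes (`{{/* Merge/add TLS env vars without duplicating user-defined ones */}}` and its volumeMount counterpart) are not replaced, so a reader of runner-mode-empty.runner-container now has to open _helpers.tpl to learn that user entries with the same name win; a single `{{/* TLS env/volumeMount entries come from the githubServerTLS.* helpers, which skip entries the user already defined by name */}}` above the `$tlsEnvItems` assignment keeps that visible. Using `$tlsEnvItems` and `$tlsVolumeMountItem` directly as `or` operands relies on the helpers rendering to the empty string when runnerMountPath is unset, which holds because every action in them is whitespace-trimmed, and is worth stating in that comment. The `$extra := omit ...` change from `-}}` to `}}` looks whitespace-only, since the following `{{- if` trims the newline either way; if it is intentional, a word in the commit message would help, otherwise revert it. The enclosing define opens above this hunk.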
@@ -1,12 +1,6 @@ {{- define "runner-mode-kubernetes.runner-container" -}} {{- $runner := (.Values.runner | default dict) -}} {{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}} -{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}} -{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}} -{{- $tlsCertKey := "" -}} -{{- if $tlsMountPath -}} - {{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}} -{{- end -}} {{- $hookPath := (index $kubeMode "hookPath" | default "/home/runner/k8s/index.js") -}} {{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}} {{- $extension := (index $kubeMode "extension" | default dict) -}} @@ -58,23 +52,7 @@ name: runner image: {{ include "runner.image" . | quote }} command: {{ include "runner.command" . }} -{{ $setNodeExtraCaCerts := false -}} -{{ $setRunnerUpdateCaCerts := false -}} -{{ $userEnv := (.Values.runner.env | default list) -}} -{{ if $tlsMountPath -}} - {{- $setNodeExtraCaCerts = true -}} - {{- $setRunnerUpdateCaCerts = true -}} - {{- if kindIs "slice" $userEnv -}} - {{- range $userEnv -}} - {{- if and (kindIs "map" .) (eq ((index . "name") | default "") "NODE_EXTRA_CA_CERTS") -}} - {{- $setNodeExtraCaCerts = false -}} - {{- end -}} - {{- if and (kindIs "map" .) (eq ((index . "name") | default "") "RUNNER_UPDATE_CA_CERTS") -}} - {{- $setRunnerUpdateCaCerts = false -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{ end -}} +{{ $tlsEnvItems := include "githubServerTLS.envItems" (dict "root" $ "existingEnv" (.Values.runner.env | default list)) }} env: - name: ACTIONS_RUNNER_CONTAINER_HOOKS value: {{ $hookPath | quote }} 
@@ -91,14 +69,7 @@ env: {{- with .Values.runner.env }} {{- toYaml . | nindent 2 }} {{- end }} - {{- if $setNodeExtraCaCerts }} - - name: NODE_EXTRA_CA_CERTS - value: {{ printf "%s/%s" (trimSuffix "/" $tlsMountPath) $tlsCertKey | quote }} - {{- end }} - {{- if $setRunnerUpdateCaCerts }} - - name: RUNNER_UPDATE_CA_CERTS - value: "1" - {{- end }} + {{ $tlsEnvItems | nindent 2 }} volumeMounts: - name: work mountPath: /home/runner/_work @@ -108,24 +79,12 @@ volumeMounts: subPath: extension readOnly: true {{- end }} - {{- if $tlsMountPath }} - - name: github-server-tls-cert - mountPath: {{ $tlsMountPath | quote }} - readOnly: true - {{- end }} + {{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }} {{- end }} {{- define "runner-mode-kubernetes.pod-volumes" -}} {{- $runner := (.Values.runner | default dict) -}} {{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}} -{{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}} -{{- $tlsMountPath := (index $tlsConfig "runnerMountPath" | default "") -}} -{{- $tlsConfigMapName := "" -}} -{{- $tlsCertKey := "" -}} -{{- if $tlsMountPath -}} - {{- $tlsConfigMapName = required "githubServerTLS.certificateFrom.configMapKeyRef.name is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "name") -}} - {{- $tlsCertKey = required "githubServerTLS.certificateFrom.configMapKeyRef.key is required when githubServerTLS.runnerMountPath is set" (index $tlsConfig "certificateFrom" "configMapKeyRef" "key") -}} -{{- end -}} {{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}} {{- $extension := (index $kubeMode "extension" | default dict) -}} {{- $extensionYamlRaw := "" -}} 
@@ -169,14 +128,7 @@ volumeMounts: name: {{ if not (empty $extensionRef) }}{{ $extensionRef | quote }}{{ else }}{{ include "runner-mode-kubernetes.extension-name" . | quote }}{{ end }} {{- end }} -{{- if $tlsMountPath }} -- name: github-server-tls-cert - configMap: - name: {{ $tlsConfigMapName | quote }} - items: - - key: {{ $tlsCertKey | quote }} - path: {{ $tlsCertKey | quote }} -{{- end }} +{{ include "githubServerTLS.podVolumeItem" . }} {{- end }}