diff --git a/acceptance/deploy.sh b/acceptance/deploy.sh
index 1fea1d5d..5c42944e 100755
--- a/acceptance/deploy.sh
+++ b/acceptance/deploy.sh
@@ -25,15 +25,16 @@ if [ "${tool}" == "helm" ]; then
 helm upgrade --install actions-runner-controller \
 charts/actions-runner-controller \
 -n actions-runner-system \
+ --create-namespace \
 --set syncPeriod=5m
+ kubectl -n actions-runner-system wait deploy/actions-runner-controller --for condition=available
 else
 kubectl apply \
 -n actions-runner-system \
 -f release/actions-runner-controller.yaml
+ kubectl -n actions-runner-system wait deploy/controller-manager --for condition=available
 fi
-kubectl -n actions-runner-system wait deploy/controller-manager --for condition=available
-
 # Adhocly wait for some time until actions-runner-controller's admission webhook gets ready
 sleep 20
diff --git a/charts/actions-runner-controller/templates/_helpers.tpl b/charts/actions-runner-controller/templates/_helpers.tpl
index cd8f0aa8..26c8dfea 100644
--- a/charts/actions-runner-controller/templates/_helpers.tpl
+++ b/charts/actions-runner-controller/templates/_helpers.tpl
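Review bot: Both added `kubectl -n actions-runner-system wait deploy/... --for condition=available` lines run with kubectl's default `--timeout` of 30s, which a first-time image pull on a fresh acceptance cluster can easily exceed, so the script would then abort for a reason unrelated to the change under test; add an explicit budget on both branches, e.g. `kubectl -n actions-runner-system wait deploy/actions-runner-controller --for condition=available --timeout=120s`. The `sleep 20` that follows is still a guess at admission-webhook readiness, so at least the deployment half of the startup should be deterministic. The helm branch waits on `deploy/actions-runner-controller` and the kubectl branch on `deploy/controller-manager`; a comment such as `# the chart names the Deployment after the release, the raw manifest after the kustomize target` would spare the next reader the guesswork.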
@@ -60,3 +60,39 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "actions-runner-controller.leaderElectionRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-leader-election
+{{- end }}
+
+{{- define "actions-runner-controller.authProxyRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-proxy
+{{- end }}
+
+{{- define "actions-runner-controller.managerRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-manager
+{{- end }}
+
+{{- define "actions-runner-controller.runnerEditorRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-runner-editor
+{{- end }}
+
+{{- define "actions-runner-controller.runnerViewerRoleName" -}}
+{{- include "actions-runner-controller.fullname" . }}-runner-viewer
+{{- end }}
+
+{{- define "actions-runner-controller.webhookServiceName" -}}
+{{- include "actions-runner-controller.fullname" . }}-webhook
+{{- end }}
+
+{{- define "actions-runner-controller.authProxyServiceName" -}}
+{{- include "actions-runner-controller.fullname" . }}-controller-manager-metrics-service
+{{- end }}
+
+{{- define "actions-runner-controller.selfsignedIssuerName" -}}
+{{- include "actions-runner-controller.fullname" . }}-selfsigned-issuer
+{{- end }}
+
+{{- define "actions-runner-controller.servingCertName" -}}
+{{- include "actions-runner-controller.fullname" . }}-serving-cert
+{{- end }}
diff --git a/charts/actions-runner-controller/templates/auth_proxy_role.yaml b/charts/actions-runner-controller/templates/auth_proxy_role.yaml
new file mode 100644
index 00000000..7a12456f
--- /dev/null
+++ b/charts/actions-runner-controller/templates/auth_proxy_role.yaml
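Review bot: The new name helpers append fixed suffixes to `actions-runner-controller.fullname` without re-truncating, so a long release name yields names above the 63-character limit Kubernetes enforces on Service names and the install fails at apply time; `authProxyServiceName` alone adds 35 characters (`-controller-manager-metrics-service`) and `webhookServiceName` adds 8. The fullname helper presumably truncates to 63 itself, as the standard scaffold does, but that does nothing once a suffix is appended. Pipe each result through sprig's truncation, e.g. `{{- printf "%s-webhook" (include "actions-runner-controller.fullname" .) | trunc 63 | trimSuffix "-" }}`, at least for the two Service names. A one-line comment above the block, `{{/* Derived resource names; Service names must stay within the 63-character DNS label limit */}}`, would record why the truncation is there.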
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+ resources:
+ - subjectaccessreviews
+ verbs: ["create"]
diff --git a/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml b/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
new file mode 100644
index 00000000..f0dbbcfd
--- /dev/null
+++ b/charts/actions-runner-controller/templates/auth_proxy_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "actions-runner-controller.authProxyRoleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "actions-runner-controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/actions-runner-controller/templates/auth_proxy_service.yaml b/charts/actions-runner-controller/templates/auth_proxy_service.yaml
new file mode 100644
index 00000000..da703245
--- /dev/null
+++ b/charts/actions-runner-controller/templates/auth_proxy_service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ {{- include "actions-runner-controller.labels" . | nindent 4 }}
+ name: {{ include "actions-runner-controller.authProxyServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ {{- include "actions-runner-controller.selectorLabels" . | nindent 4 }}
diff --git a/charts/actions-runner-controller/templates/certificate.yaml b/charts/actions-runner-controller/templates/certificate.yaml
new file mode 100644
index 00000000..60964635
--- /dev/null
+++ b/charts/actions-runner-controller/templates/certificate.yaml
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
+ namespace: {{ .Namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "actions-runner-controller.servingCertName" . }}
+ namespace: {{ .Namespace }}
+spec:
+ dnsNames:
+ - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc
+ - {{ include "actions-runner-controller.webhookServiceName" . }}.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ include "actions-runner-controller.selfsignedIssuerName" . }}
+ secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/charts/actions-runner-controller/templates/deployment.yaml b/charts/actions-runner-controller/templates/deployment.yaml
index 4d868c11..6ac64a30 100644
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ include "actions-runner-controller.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
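Review bot: `namespace: {{ .Namespace }}` on the Issuer (line 8 of the new file) and the Certificate (line 16) reads a key that does not exist on the template root, so both resources render without a namespace and are created wherever the kubeconfig context points rather than in the release namespace; every other template in this commit uses `.Release.Namespace`. The mismatch is not cosmetic: deployment.yaml mounts secret `webhook-server-cert` from the release namespace and webhook_configs.yaml asks cert-manager to inject the CA from `{{ .Release.Namespace }}/<servingCertName>`, so with any non-default release namespace the serving secret never appears there, the manager pod cannot mount its certificate and the `caBundle: Cg==` placeholder is never replaced. Change both lines to `namespace: {{ .Release.Namespace }}`. The fixed `secretName: webhook-server-cert` (with a trailing note about kustomize that no longer applies in a Helm chart) also means two releases in one namespace would share one secret; deriving it from the fullname, together with the matching volume in deployment.yaml, avoids that. The `WARNING: Targets CertManager 0.11` comment contradicts the `cert-manager.io/v1` API used below it, which only exists from cert-manager 1.0; the comment should name the version the chart actually requires.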
@@ -25,25 +26,68 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /
- port: http
- readinessProbe:
- httpGet:
- path: /
- port: http
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
+ - args:
+ - "--metrics-addr=127.0.0.1:8080"
+ - "--enable-leader-election"
+ - "--sync-period={{ .Values.syncPeriod }}"
+ command:
+ - "/manager"
+ env:
+ - name: GITHUB_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: github_token
+ name: controller-manager
+ optional: true
+ - name: GITHUB_APP_ID
+ valueFrom:
+ secretKeyRef:
+ key: github_app_id
+ name: controller-manager
+ optional: true
+ - name: GITHUB_APP_INSTALLATION_ID
+ valueFrom:
+ secretKeyRef:
+ key: github_app_installation_id
+ name: controller-manager
+ optional: true
+ - name: GITHUB_APP_PRIVATE_KEY
+ value: /etc/actions-runner-controller/github_app_private_key
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (cat "v" .Chart.AppVersion | replace " " "") }}"
+ name: manager
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: "/etc/actions-runner-controller"
+ name: controller-manager
+ readOnly: true
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--v=10"
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: controller-manager
+ secret:
+ secretName: controller-manager
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/actions-runner-controller/templates/leader_election_role.yaml b/charts/actions-runner-controller/templates/leader_election_role.yaml
new file mode 100644
index 00000000..9a2890cc
--- /dev/null
+++ b/charts/actions-runner-controller/templates/leader_election_role.yaml
@@ -0,0 +1,33 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
diff --git a/charts/actions-runner-controller/templates/leader_election_role_binding.yaml b/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
new file mode 100644
index 00000000..328e9dab
--- /dev/null
+++ b/charts/actions-runner-controller/templates/leader_election_role_binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "actions-runner-controller.leaderElectionRoleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "actions-runner-controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
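Review bot: The manager container lost `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` together with the old container block, while values.yaml still declares `securityContext: {}` (visible as context in the values.yaml hunk), so any hardening a user sets there (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) is now silently ignored; restore that line under `name: manager` and apply the same value to the `kube-rbac-proxy` sidecar. The `controller-manager` secret volume carries no `optional: true`, unlike the three `secretKeyRef`s that read the same secret, so a release without that secret sits in ContainerCreating instead of failing with a clear message; either add `optional: true` to the volume or document the secret as a hard prerequisite in values.yaml. The old liveness and readiness probes were removed and nothing replaces them, so a wedged manager is never restarted and the Service can route to a pod that is not yet serving. The sidecar runs with `--v=10`, a debug verbosity that logs details of every proxied request, has no `resources` block, and uses a hard-coded `gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1` image that cannot be overridden from values, which blocks pinning by digest or mirroring through a private registry.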
diff --git a/charts/actions-runner-controller/templates/manager_role.yaml b/charts/actions-runner-controller/templates/manager_role.yaml
new file mode 100644
index 00000000..6ab1995e
--- /dev/null
+++ b/charts/actions-runner-controller/templates/manager_role.yaml
@@ -0,0 +1,165 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: {{ include "actions-runner-controller.managerRoleName" . }}
+rules:
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - horizontalrunnerautoscalers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - horizontalrunnerautoscalers/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - horizontalrunnerautoscalers/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runnerdeployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runnerdeployments/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runnerdeployments/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runnerreplicasets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runnerreplicasets/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runnerreplicasets/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runners
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runners/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runners/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/charts/actions-runner-controller/templates/manager_role_binding.yaml b/charts/actions-runner-controller/templates/manager_role_binding.yaml
new file mode 100644
index 00000000..c51b4d97
--- /dev/null
+++ b/charts/actions-runner-controller/templates/manager_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "actions-runner-controller.managerRoleName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "actions-runner-controller.managerRoleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "actions-runner-controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/actions-runner-controller/templates/runner_editor_role.yaml b/charts/actions-runner-controller/templates/runner_editor_role.yaml
new file mode 100644
index 00000000..b10f6160
--- /dev/null
+++ b/charts/actions-runner-controller/templates/runner_editor_role.yaml
@@ -0,0 +1,26 @@
+# permissions to do edit runners.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "actions-runner-controller.runnerEditorRoleName" . }}
+rules:
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runners
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runners/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/charts/actions-runner-controller/templates/runner_viewer_role.yaml b/charts/actions-runner-controller/templates/runner_viewer_role.yaml
new file mode 100644
index 00000000..485996c2
--- /dev/null
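Review bot: `creationTimestamp: null` under `metadata` is an artefact of the kubebuilder-generated manifest this template was copied from and carries no meaning in a chart; drop it here and in the two webhook configurations in webhook_configs.yaml, which contain the same line. The rules appear limited to the controller's own CRDs plus pods and events, with no secrets access, which is the right shape; note though that as a ClusterRole the pod create/delete grant is cluster-wide, so a namespace-restricted deployment would need a Role variant, which this commit does not attempt. A header comment such as `# ClusterRole for the controller manager: full control of actions.summerwind.dev resources and the runner pods it creates.` would make the intended scope reviewable without reading all 165 lines.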
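Review bot: The `runnerEditorRoleName` ClusterRole (and `runnerViewerRoleName` in runner_viewer_role.yaml) is rendered unconditionally, yet no RoleBinding or ClusterRoleBinding in this commit refers to either, so both are inert until an operator binds them by hand. Gating them behind a value is preferable to the other obvious fix, the `rbac.authorization.k8s.io/aggregate-to-edit: "true"` / `aggregate-to-view: "true"` labels: aggregation would let every namespace editor create Runners, and each Runner registers a self-hosted runner using the controller's GitHub credentials, so that should be an explicit opt-in rather than the chart default. The header comments read awkwardly; `# ClusterRole granting edit access to Runner resources; not bound by default.` and `# ClusterRole granting read-only access to Runner resources; not bound by default.` say what the files do.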
+++ b/charts/actions-runner-controller/templates/runner_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions to do viewer runners.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "actions-runner-controller.runnerViewerRoleName" . }}
+rules:
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runners
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - actions.summerwind.dev
+ resources:
+ - runners/status
+ verbs:
+ - get
diff --git a/charts/actions-runner-controller/templates/serviceaccount.yaml b/charts/actions-runner-controller/templates/serviceaccount.yaml
index 2edf8015..221ac163 100644
--- a/charts/actions-runner-controller/templates/serviceaccount.yaml
+++ b/charts/actions-runner-controller/templates/serviceaccount.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "actions-runner-controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "actions-runner-controller.labels" . | nindent 4 }}
 {{- with .Values.serviceAccount.annotations }}
diff --git a/charts/actions-runner-controller/templates/tests/test-connection.yaml b/charts/actions-runner-controller/templates/tests/test-connection.yaml
deleted file mode 100644
index 60b5fe6b..00000000
--- a/charts/actions-runner-controller/templates/tests/test-connection.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ include "actions-runner-controller.fullname" . }}-test-connection"
- labels:
- {{- include "actions-runner-controller.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
-spec:
- containers:
- - name: wget
- image: busybox
- command: ['wget']
- args: ['{{ include "actions-runner-controller.fullname" . }}:{{ .Values.service.port }}']
- restartPolicy: Never
diff --git a/charts/actions-runner-controller/templates/webhook_configs.yaml b/charts/actions-runner-controller/templates/webhook_configs.yaml
new file mode 100644
index 00000000..2cc512e8
--- /dev/null
+++ b/charts/actions-runner-controller/templates/webhook_configs.yaml
@@ -0,0 +1,128 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: {{ include "actions-runner-controller.fullname" . }}-mutating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ include "actions-runner-controller.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-actions-summerwind-dev-v1alpha1-runner
+ failurePolicy: Fail
+ name: mutate.runner.actions.summerwind.dev
+ rules:
+ - apiGroups:
+ - actions.summerwind.dev
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runners
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ include "actions-runner-controller.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-actions-summerwind-dev-v1alpha1-runnerdeployment
+ failurePolicy: Fail
+ name: mutate.runnerdeployment.actions.summerwind.dev
+ rules:
+ - apiGroups:
+ - actions.summerwind.dev
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runnerdeployments
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ include "actions-runner-controller.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-actions-summerwind-dev-v1alpha1-runnerreplicaset
+ failurePolicy: Fail
+ name: mutate.runnerreplicaset.actions.summerwind.dev
+ rules:
+ - apiGroups:
+ - actions.summerwind.dev
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runnerreplicasets
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: {{ include "actions-runner-controller.fullname" . }}-validating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "actions-runner-controller.servingCertName" . }}
+webhooks:
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ include "actions-runner-controller.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-actions-summerwind-dev-v1alpha1-runner
+ failurePolicy: Fail
+ name: validate.runner.actions.summerwind.dev
+ rules:
+ - apiGroups:
+ - actions.summerwind.dev
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runners
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ include "actions-runner-controller.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-actions-summerwind-dev-v1alpha1-runnerdeployment
+ failurePolicy: Fail
+ name: validate.runnerdeployment.actions.summerwind.dev
+ rules:
+ - apiGroups:
+ - actions.summerwind.dev
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runnerdeployments
+- clientConfig:
+ caBundle: Cg==
+ service:
+ name: {{ include "actions-runner-controller.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-actions-summerwind-dev-v1alpha1-runnerreplicaset
+ failurePolicy: Fail
+ name: validate.runnerreplicaset.actions.summerwind.dev
+ rules:
+ - apiGroups:
+ - actions.summerwind.dev
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runnerreplicasets
diff --git a/charts/actions-runner-controller/templates/service.yaml b/charts/actions-runner-controller/templates/webhook_service.yaml
similarity index 62%
rename from charts/actions-runner-controller/templates/service.yaml
rename to charts/actions-runner-controller/templates/webhook_service.yaml
index 422789c0..e633a69f 100644
--- a/charts/actions-runner-controller/templates/service.yaml
+++ b/charts/actions-runner-controller/templates/webhook_service.yaml
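Review bot: Both configurations use `admissionregistration.k8s.io/v1beta1`, deprecated since Kubernetes 1.16 and removed in 1.22, although `admissionregistration.k8s.io/v1` has been served since 1.16; v1 additionally requires each webhook to declare `sideEffects` and `admissionReviewVersions`, so switching now (assuming the defaulting and validating handlers are side-effect free, as kubebuilder-generated webhooks normally are) avoids a breaking change at cluster upgrade time. No `timeoutSeconds` is set, so with `failurePolicy: Fail` a slow webhook blocks every Runner write for the API server's default timeout (as far as I know 30s on v1beta1 and 10s on v1); an explicit value makes that trade-off visible in the chart. `creationTimestamp: null` under both `metadata` blocks is a leftover of the generated manifests and can go, and the file begins with an empty line before the first `---`, harmless but untidy. The same three fields would be added to all six webhook entries; the first one is shown below.
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
# … unchanged: metadata, minus the creationTimestamp line …
webhooks:
- admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  timeoutSeconds: 10
  clientConfig:
  # … unchanged: caBundle, service, path, failurePolicy, name, rules; repeat the three new fields on the remaining five entries and the apiVersion change on the ValidatingWebhookConfiguration …
```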
@@ -1,15 +1,16 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: {{ include "actions-runner-controller.fullname" . }}
+ name: {{ include "actions-runner-controller.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "actions-runner-controller.labels" . | nindent 4 }}
 spec:
 type: {{ .Values.service.type }}
 ports:
- - port: {{ .Values.service.port }}
- targetPort: http
+ - port: 443
+ targetPort: 9443
 protocol: TCP
- name: http
+ name: https
 selector:
 {{- include "actions-runner-controller.selectorLabels" . | nindent 4 }}
diff --git a/charts/actions-runner-controller/values.yaml b/charts/actions-runner-controller/values.yaml
index c6e079d2..702e61bd 100644
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@@ -4,6 +4,8 @@
 replicaCount: 1
+syncPeriod: 10m
+
 image:
 repository: summerwind/actions-runner-controller
 pullPolicy: IfNotPresent
@@ -38,7 +40,7 @@ securityContext: {}
 service:
 type: ClusterIP
- port: 80
+ port: 443
 ingress:
 enabled: false
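Review bot: The Service now hard-codes `port: 443` / `targetPort: 9443`, yet the values.yaml hunk in the same commit still carries `service.port` (bumped from 80 to 443), so that value is dead: changing it no longer affects the rendered Service and the bump only hides the fact. Either consume it again with `- port: {{ .Values.service.port }}` or remove `port` from values.yaml so users are not misled. `type: {{ .Values.service.type }}` is still honoured, which allows the admission-webhook endpoint to be exposed as NodePort or LoadBalancer; the API server is its only legitimate client and calls it in-cluster, so pinning `type: ClusterIP` (or at least a comment in values.yaml that other types are not meaningful for this Service) would be the safer default. The new `syncPeriod: 10m` value has no comment explaining what it controls; `# How often the controller reconciles all runners even when nothing changed (passed as --sync-period)` matches the flag set in deployment.yaml.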