From d29de8d454e3d4ba0aa3935786058c18c10e4d2e Mon Sep 17 00:00:00 2001 From: Cristian Calin <6627509+cristicalin@users.noreply.github.com> Date: Fri, 23 Sep 2022 04:21:00 +0300 Subject: [PATCH] feat: use helm genCA to generate a certificate for the mutating web hook if no cert-manager is available (#1780) --- README.md | 16 +++++++++ .../templates/_helpers.tpl | 2 +- .../templates/webhook_configs.yaml | 35 ++++++++++++++++++- 3 files changed, 51 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cc45169d..c68ff9f6 100644 --- a/README.md +++ b/README.md @@ -1574,6 +1574,10 @@ spec: ### Using without cert-manager +There are two methods of deploying without cert-manager, you can generate your own certificates or rely on helm to generate a CA and certificate each time you update the chart. + +#### Using custom certificates + Assuming you are installing in the default namespace, ensure your certificate has SANs: * `webhook-service.actions-runner-system.svc` @@ -1601,6 +1605,18 @@ $ helm --upgrade install actions-runner-controller/actions-runner-controller \ admissionWebHooks.caBundle=${CA_BUNDLE} ``` +#### Using helm to generate CA and certificates + +Set the Helm chart values as follows: + +```shell +$ CA_BUNDLE=$(cat path/to/ca.pem | base64) +$ helm --upgrade install actions-runner-controller/actions-runner-controller \ + certManagerEnabled=false +``` + +This generates a temporary CA using the helm `genCA` function and issues a certificate for the webhook. Note that this approach rotates the CA and certificate each time `helm install` or `helm upgrade` are run. In effect, this will cause short interruptions to the mutating webhook while the ARC pods stabilize and use the new certificate each time `helm upgrade` is called for the chart. The outage can affect kube-api activity due to the way mutating webhooks are called. + ### Setting up Windows Runners The main two steps in enabling Windows self-hosted runners are: 
diff --git a/charts/actions-runner-controller/templates/_helpers.tpl b/charts/actions-runner-controller/templates/_helpers.tpl index 8d54b024..68570f03 100644 --- a/charts/actions-runner-controller/templates/_helpers.tpl +++ b/charts/actions-runner-controller/templates/_helpers.tpl @@ -114,4 +114,4 @@ Create the name of the service account to use {{- define "actions-runner-controller.pdbName" -}} {{- include "actions-runner-controller.fullname" . | trunc 59 }}-pdb -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/actions-runner-controller/templates/webhook_configs.yaml b/charts/actions-runner-controller/templates/webhook_configs.yaml index 264d294f..ec8194d7 100644 --- a/charts/actions-runner-controller/templates/webhook_configs.yaml +++ b/charts/actions-runner-controller/templates/webhook_configs.yaml @@ -1,4 +1,8 @@ - +{{/* +We will use a self managed CA if one is not provided by cert-manager +*/}} +{{- $ca := genCA "actions-runner-ca" 3650 }} +{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace)) 3650 $ca }} --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration @@ -20,6 +24,8 @@ webhooks: clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ quote .Values.admissionWebHooks.caBundle }} + {{- else if not .Values.certManagerEnabled }} + caBundle: {{ $ca.Cert | b64enc | quote }} {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} @@ -48,6 +54,8 @@ webhooks: clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ .Values.admissionWebHooks.caBundle }} + {{- else if not .Values.certManagerEnabled }} + caBundle: {{ $ca.Cert | b64enc | quote }} {{- end }} service: name: {{ include "actions-runner-controller.webhookServiceName" . }} 
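Review bot: The `genCA`/`genSignedCert` calls added at the top of webhook_configs.yaml run on every render, including releases that set `certManagerEnabled: true` or supply `admissionWebHooks.caBundle`, so a fresh RSA key pair is generated and discarded each time and `helm template`/`helm diff` output is never reproducible even for users who do not rely on this path. Wrapping the two lines in an `if` is not enough on its own, because a Go template variable declared inside `if` is scoped to that block; declare `$ca`/`$cert` first and assign inside a guard that reuses the condition the new Secret at the end of the file already checks (`=` assignment needs the Go template version Helm 3 ships with). The `{{- else if not .Values.certManagerEnabled }}` branches in the seven webhook hunks below are only reached under that same condition, so `$ca.Cert` stays populated wherever it is read. The header comment could also state the consequence the README describes: `We generate a CA and serving certificate at render time; both rotate on every helm install/upgrade.`
```yaml
{{/* … unchanged: header comment … */}}
{{- $webhookHost := printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace }}
{{- $ca := dict }}
{{- $cert := dict }}
{{- if not (or .Values.admissionWebHooks.caBundle .Values.certManagerEnabled) }}
{{- $ca = genCA "actions-runner-ca" 3650 }}
{{- $cert = genSignedCert $webhookHost nil (list $webhookHost) 3650 $ca }}
{{- end }}
{{/* … unchanged: webhook configuration documents … */}}
```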
@@ -76,6 +84,8 @@ webhooks:
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
@@ -104,6 +114,8 @@ webhooks:
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
@@ -145,6 +157,8 @@ webhooks:
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
@@ -173,6 +187,8 @@ webhooks:
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
@@ -201,6 +217,8 @@ webhooks:
   clientConfig:
     {{- if .Values.admissionWebHooks.caBundle }}
     caBundle: {{ .Values.admissionWebHooks.caBundle }}
+    {{- else if not .Values.certManagerEnabled }}
+    caBundle: {{ $ca.Cert | b64enc | quote }}
     {{- end }}
     service:
       name: {{ include "actions-runner-controller.webhookServiceName" . }}
@@ -219,3 +237,18 @@ webhooks:
     resources:
     - runnerreplicasets
   sideEffects: None
+{{ if not (or .Values.admissionWebHooks.caBundle .Values.certManagerEnabled) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "actions-runner-controller.servingCertName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "actions-runner-controller.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ $cert.Cert | b64enc | quote }}
+  tls.key: {{ $cert.Key | b64enc | quote }}
+  ca.crt: {{ $ca.Cert | b64enc | quote }}
+{{- end }}
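Review bot: The new Secret writes `tls.key` from `$cert.Key`, so the serving private key is persisted not only in this Secret but, with Helm 3's default secrets storage driver, in every release-history record as well (`helm get manifest` prints it). Since the CA and leaf are regenerated on every upgrade a superseded key is untrusted afterwards, but the 3650-day validity chosen at the top of the file leaves a release that is never upgraded on a ten-year certificate; something closer to the README's rotation cadence, e.g. `365` in place of `3650` on the `genSignedCert` line, bounds that window. The opening `{{ if not (…) }}` has no leading dash, unlike the `{{- end }}` that closes it and the other actions in this file, so an empty line is emitted after `sideEffects: None`; `{{- if not (or .Values.admissionWebHooks.caBundle .Values.certManagerEnabled) }}` matches the surrounding style. A short comment above the guard, such as `{{/* Serving certificate for the webhook server, rendered only when neither a custom caBundle nor cert-manager is used */}}`, would make the three-way choice visible where the key is written.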