feat: use helm genCA to generate a certificate for the mutating web hook if no cert-manager is available (#1780)
This commit is contained in:
Cristian Calin
GitHub
parent
12c4d96250
commit
d29de8d454
16
README.md
16
README.md
|
|
@ -1574,6 +1574,10 @@ spec:
|
|||
|
||||
### Using without cert-manager
|
||||
|
||||
There are two methods of deploying without cert-manager, you can generate your own certificates or rely on helm to generate a CA and certificate each time you update the chart.
|
||||
|
||||
#### Using custom certificates
|
||||
|
||||
Assuming you are installing in the default namespace, ensure your certificate has SANs:
|
||||
|
||||
* `webhook-service.actions-runner-system.svc`
|
||||
|
|
@ -1601,6 +1605,18 @@ $ helm --upgrade install actions-runner-controller/actions-runner-controller \
|
|||
admissionWebHooks.caBundle=${CA_BUNDLE}
|
||||
```
|
||||
|
||||
#### Using helm to generate CA and certificates
|
||||
|
||||
Set the Helm chart values as follows:
|
||||
|
||||
```shell
|
||||
$ CA_BUNDLE=$(cat path/to/ca.pem | base64)
|
||||
$ helm --upgrade install actions-runner-controller/actions-runner-controller \
|
||||
certManagerEnabled=false
|
||||
```
|
||||
|
||||
This generates a temporary CA using the helm `genCA` function and issues a certificate for the webhook. Note that this approach rotates the CA and certificate each time `helm install` or `helm upgrade` are run. In effect, this will cause short interruptions to the mutating webhook while the ARC pods stabilize and use the new certificate each time `helm upgrade` is called for the chart. The outage can affect kube-api activity due to the way mutating webhooks are called.
|
||||
|
||||
### Setting up Windows Runners
|
||||
|
||||
The main two steps in enabling Windows self-hosted runners are:
|
||||
|
|
|
|||
|
|
@ -1,4 +1,8 @@
|
|||
|
||||
{{/*
|
||||
We will use a self managed CA if one is not provided by cert-manager
|
||||
*/}}
|
||||
{{- $ca := genCA "actions-runner-ca" 3650 }}
|
||||
{{- $cert := genSignedCert (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace) nil (list (printf "%s.%s.svc" (include "actions-runner-controller.webhookServiceName" .) .Release.Namespace)) 3650 $ca }}
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
|
|
@ -20,6 +24,8 @@ webhooks:
|
|||
clientConfig:
|
||||
{{- if .Values.admissionWebHooks.caBundle }}
|
||||
caBundle: {{ quote .Values.admissionWebHooks.caBundle }}
|
||||
{{- else if not .Values.certManagerEnabled }}
|
||||
caBundle: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
service:
|
||||
name: {{ include "actions-runner-controller.webhookServiceName" . }}
|
||||
|
|
@ -48,6 +54,8 @@ webhooks:
|
|||
clientConfig:
|
||||
{{- if .Values.admissionWebHooks.caBundle }}
|
||||
caBundle: {{ .Values.admissionWebHooks.caBundle }}
|
||||
{{- else if not .Values.certManagerEnabled }}
|
||||
caBundle: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
service:
|
||||
name: {{ include "actions-runner-controller.webhookServiceName" . }}
|
||||
|
|
@ -76,6 +84,8 @@ webhooks:
|
|||
clientConfig:
|
||||
{{- if .Values.admissionWebHooks.caBundle }}
|
||||
caBundle: {{ .Values.admissionWebHooks.caBundle }}
|
||||
{{- else if not .Values.certManagerEnabled }}
|
||||
caBundle: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
service:
|
||||
name: {{ include "actions-runner-controller.webhookServiceName" . }}
|
||||
|
|
@ -104,6 +114,8 @@ webhooks:
|
|||
clientConfig:
|
||||
{{- if .Values.admissionWebHooks.caBundle }}
|
||||
caBundle: {{ .Values.admissionWebHooks.caBundle }}
|
||||
{{- else if not .Values.certManagerEnabled }}
|
||||
caBundle: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
service:
|
||||
name: {{ include "actions-runner-controller.webhookServiceName" . }}
|
||||
|
|
@ -145,6 +157,8 @@ webhooks:
|
|||
clientConfig:
|
||||
{{- if .Values.admissionWebHooks.caBundle }}
|
||||
caBundle: {{ .Values.admissionWebHooks.caBundle }}
|
||||
{{- else if not .Values.certManagerEnabled }}
|
||||
caBundle: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
service:
|
||||
name: {{ include "actions-runner-controller.webhookServiceName" . }}
|
||||
|
|
@ -173,6 +187,8 @@ webhooks:
|
|||
clientConfig:
|
||||
{{- if .Values.admissionWebHooks.caBundle }}
|
||||
caBundle: {{ .Values.admissionWebHooks.caBundle }}
|
||||
{{- else if not .Values.certManagerEnabled }}
|
||||
caBundle: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
service:
|
||||
name: {{ include "actions-runner-controller.webhookServiceName" . }}
|
||||
|
|
@ -201,6 +217,8 @@ webhooks:
|
|||
clientConfig:
|
||||
{{- if .Values.admissionWebHooks.caBundle }}
|
||||
caBundle: {{ .Values.admissionWebHooks.caBundle }}
|
||||
{{- else if not .Values.certManagerEnabled }}
|
||||
caBundle: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
service:
|
||||
name: {{ include "actions-runner-controller.webhookServiceName" . }}
|
||||
|
|
@ -219,3 +237,18 @@ webhooks:
|
|||
resources:
|
||||
- runnerreplicasets
|
||||
sideEffects: None
|
||||
{{ if not (or .Values.admissionWebHooks.caBundle .Values.certManagerEnabled) }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "actions-runner-controller.servingCertName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "actions-runner-controller.labels" . | nindent 4 }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
|
|
|
|||
Loading…
Reference in New Issue