From d9627141dcb40019da875b0b2dc9ba1d9176bfda Mon Sep 17 00:00:00 2001
From: Tingluo Huang <tingluohuang@github.com>
Date: Wed, 15 Feb 2023 14:29:52 -0500
Subject: [PATCH] Fix helm chart when containerMode.type=dind. (#2291)

---
 .../templates/_helpers.tpl                    | 13 +++++-----
 .../tests/template_test.go                    | 26 +++++++++++++++++++
 2 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/charts/auto-scaling-runner-set/templates/_helpers.tpl b/charts/auto-scaling-runner-set/templates/_helpers.tpl
index d4ca939f..2ec151f6 100644
--- a/charts/auto-scaling-runner-set/templates/_helpers.tpl
+++ b/charts/auto-scaling-runner-set/templates/_helpers.tpl
@@ -208,18 +208,18 @@ env:
           {{- end }}
         {{- end }}
       {{- end }}
-      {{- if $setDockerHost }}
+    {{- end }}
+    {{- if $setDockerHost }}
   - name: DOCKER_HOST
     value: tcp://localhost:2376
-      {{- end }}
-      {{- if $setDockerTlsVerify }}
+    {{- end }}
+    {{- if $setDockerTlsVerify }}
   - name: DOCKER_TLS_VERIFY
     value: "1"
-      {{- end }}
-      {{- if $setDockerCertPath }}
+    {{- end }}
+    {{- if $setDockerCertPath }}
   - name: DOCKER_CERT_PATH
     value: /certs/client
-      {{- end }}
     {{- end }}
     {{- $mountWork := 1 }}
     {{- $mountDindCert := 1 }}
@@ -247,6 +247,7 @@ volumeMounts:
     {{- if $mountDindCert }}
   - name: dind-cert
     mountPath: /certs/client
+    readOnly: true
     {{- end }}
   {{- end }}
 {{- end }}
diff --git a/charts/auto-scaling-runner-set/tests/template_test.go b/charts/auto-scaling-runner-set/tests/template_test.go
index 954b8d29..f1f28588 100644
--- a/charts/auto-scaling-runner-set/tests/template_test.go
+++ b/charts/auto-scaling-runner-set/tests/template_test.go
@@ -594,9 +594,35 @@ func TestTemplateRenderedAutoScalingRunnerSet_EnableDinD(t *testing.T) {
 	assert.Len(t, ars.Spec.Template.Spec.Containers, 2, "Template.Spec should have 2 container")
 	assert.Equal(t, "runner", ars.Spec.Template.Spec.Containers[0].Name)
 	assert.Equal(t, "ghcr.io/actions/actions-runner:latest", ars.Spec.Template.Spec.Containers[0].Image)
+	assert.Len(t, ars.Spec.Template.Spec.Containers[0].Env, 3, "The runner container should have 3 env vars, DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH")
+	assert.Equal(t, "DOCKER_HOST", ars.Spec.Template.Spec.Containers[0].Env[0].Name)
+	assert.Equal(t, "tcp://localhost:2376", ars.Spec.Template.Spec.Containers[0].Env[0].Value)
+	assert.Equal(t, "DOCKER_TLS_VERIFY", ars.Spec.Template.Spec.Containers[0].Env[1].Name)
+	assert.Equal(t, "1", ars.Spec.Template.Spec.Containers[0].Env[1].Value)
+	assert.Equal(t, "DOCKER_CERT_PATH", ars.Spec.Template.Spec.Containers[0].Env[2].Name)
+	assert.Equal(t, "/certs/client", ars.Spec.Template.Spec.Containers[0].Env[2].Value)
+
+	assert.Len(t, ars.Spec.Template.Spec.Containers[0].VolumeMounts, 2, "The runner container should have 2 volume mounts, dind-cert and work")
+	assert.Equal(t, "work", ars.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name)
+	assert.Equal(t, "/actions-runner/_work", ars.Spec.Template.Spec.Containers[0].VolumeMounts[0].MountPath)
+	assert.False(t, ars.Spec.Template.Spec.Containers[0].VolumeMounts[0].ReadOnly)
+
+	assert.Equal(t, "dind-cert", ars.Spec.Template.Spec.Containers[0].VolumeMounts[1].Name)
+	assert.Equal(t, "/certs/client", ars.Spec.Template.Spec.Containers[0].VolumeMounts[1].MountPath)
+	assert.True(t, ars.Spec.Template.Spec.Containers[0].VolumeMounts[1].ReadOnly)
 
 	assert.Equal(t, "dind", ars.Spec.Template.Spec.Containers[1].Name)
 	assert.Equal(t, "docker:dind", ars.Spec.Template.Spec.Containers[1].Image)
+	assert.True(t, *ars.Spec.Template.Spec.Containers[1].SecurityContext.Privileged)
+	assert.Len(t, ars.Spec.Template.Spec.Containers[1].VolumeMounts, 3, "The dind container should have 3 volume mounts, dind-cert, work and externals")
+	assert.Equal(t, "work", ars.Spec.Template.Spec.Containers[1].VolumeMounts[0].Name)
+	assert.Equal(t, "/actions-runner/_work", ars.Spec.Template.Spec.Containers[1].VolumeMounts[0].MountPath)
+
+	assert.Equal(t, "dind-cert", ars.Spec.Template.Spec.Containers[1].VolumeMounts[1].Name)
+	assert.Equal(t, "/certs/client", ars.Spec.Template.Spec.Containers[1].VolumeMounts[1].MountPath)
+
+	assert.Equal(t, "dind-externals", ars.Spec.Template.Spec.Containers[1].VolumeMounts[2].Name)
+	assert.Equal(t, "/actions-runner/externals", ars.Spec.Template.Spec.Containers[1].VolumeMounts[2].MountPath)
 }
 
 func TestTemplateRenderedAutoScalingRunnerSet_EnableKubernetesMode(t *testing.T) {