From debf53c64079b01212069946f95d9805282e7fbc Mon Sep 17 00:00:00 2001 From: Yusuke Kuoka Date: Wed, 23 Mar 2022 10:28:12 +0900 Subject: [PATCH 01/24] Fix missing pip bin path (/home/runner/.local/bin) (#1263) Fixes #1261 --- runner/Dockerfile | 3 +++ runner/Dockerfile.dindrunner | 3 +++ 2 files changed, 6 insertions(+) diff --git a/runner/Dockerfile b/runner/Dockerfile index 720b41ec..1913a491 100644 --- a/runner/Dockerfile +++ b/runner/Dockerfile @@ -116,6 +116,9 @@ COPY entrypoint.sh / ENV PATH="${PATH}:${HOME}/.local/bin" ENV ImageOS=ubuntu20 +RUN echo "PATH=${PATH}" > /etc/environment \ + && echo "ImageOS=${ImageOS}" >> /etc/environment + USER runner ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] diff --git a/runner/Dockerfile.dindrunner b/runner/Dockerfile.dindrunner index 00ad5e1f..c1c06e49 100644 --- a/runner/Dockerfile.dindrunner +++ b/runner/Dockerfile.dindrunner @@ -118,6 +118,9 @@ VOLUME /var/lib/docker ENV PATH="${PATH}:${HOME}/.local/bin" ENV ImageOS=ubuntu20 +RUN echo "PATH=${PATH}" > /etc/environment \ + && echo "ImageOS=${ImageOS}" >> /etc/environment + # No group definition, as that makes it harder to run docker. USER runner From ee7484ac91f7b64efe4d7f926e11bf1c1c3765e2 Mon Sep 17 00:00:00 2001 From: Endre Karlson Date: Wed, 23 Mar 2022 12:39:58 +0100 Subject: [PATCH 02/24] Use container name to detect runner container in Pod --- controllers/runner_pod_controller.go | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/controllers/runner_pod_controller.go b/controllers/runner_pod_controller.go index 3a631671..9e9ed9c4 100644 --- a/controllers/runner_pod_controller.go +++ b/controllers/runner_pod_controller.go @@ -18,6 +18,7 @@ package controllers import ( "context" + "errors" "fmt" "time" 
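Review bot: The new `RUN echo "PATH=${PATH}" > /etc/environment` line gives no hint of why the file is written, since the runner process already inherits `ENV PATH` and `ENV ImageOS` from the image; presumably it targets login shells started via `sudo -i`/`su -`, which read `/etc/environment` through pam_env instead of the image ENV, but that is an inference a reader should not have to make. A comment above the RUN such as `# Mirror PATH/ImageOS into /etc/environment so login shells (sudo -i, su -), which do not inherit the image ENV, also see ~/.local/bin (#1261)` would pin the intent. Note that `>` truncates whatever `/etc/environment` the Ubuntu base image ships rather than extending it, which is fine if that is deliberate but worth stating in the same comment. The identical hunk in Dockerfile.dindrunner should carry the same comment.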
@@ -64,9 +65,19 @@ func (r *RunnerPodReconciler) Reconcile(ctx context.Context, req ctrl.Request) ( return ctrl.Result{}, nil } + var envvars []corev1.EnvVar + for _, container := range runnerPod.Spec.Containers { + if container.Name == "runner" { + envvars = container.Env + } + } + + if len(envvars) == 0 { + return ctrl.Result{}, errors.New("Could not determine env vars for runner Pod") + } + var enterprise, org, repo string - envvars := runnerPod.Spec.Containers[0].Env for _, e := range envvars { switch e.Name { case EnvVarEnterprise: From af8d8f7e1da4b32d837428f013b7b68510347343 Mon Sep 17 00:00:00 2001 From: Naka Masato Date: Fri, 25 Mar 2022 09:24:13 +0900 Subject: [PATCH 03/24] Update runnerdeployment_webhook.go (#1271) --- api/v1alpha1/runnerdeployment_webhook.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/v1alpha1/runnerdeployment_webhook.go b/api/v1alpha1/runnerdeployment_webhook.go index 3f5626fe..91a034d6 100644 --- a/api/v1alpha1/runnerdeployment_webhook.go +++ b/api/v1alpha1/runnerdeployment_webhook.go @@ -26,7 +26,7 @@ import ( ) // log is for logging in this package. -var runenrDeploymentLog = logf.Log.WithName("runnerdeployment-resource") +var runnerDeploymentLog = logf.Log.WithName("runnerdeployment-resource") func (r *RunnerDeployment) SetupWebhookWithManager(mgr ctrl.Manager) error { return ctrl.NewWebhookManagedBy(mgr). 
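Review bot: The error returned when the loop finds nothing, `errors.New("Could not determine env vars for runner Pod")`, starts with a capital letter against Go convention, does not name the pod, and lumps two distinct conditions together: no container named `runner` exists, or that container has an empty `Env`. Since `fmt` is already imported, `return ctrl.Result{}, fmt.Errorf("pod %s/%s has no container named %q with env vars", runnerPod.Namespace, runnerPod.Name, "runner")` would make the reconcile log actionable (and the newly added `errors` import could then be dropped). Returning an error here also requeues the pod with backoff indefinitely; if a pod without a `runner` container can legitimately reach this reconciler, logging and returning `ctrl.Result{}, nil` would avoid the churn — worth confirming against the reconciler's predicates, which are outside this hunk. The literal `"runner"` is a candidate for a named constant next to the `EnvVar*` constants the switch below already uses. Reconcile begins before and continues past this hunk.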
@@ -49,13 +49,13 @@ var _ webhook.Validator = &RunnerDeployment{} // ValidateCreate implements webhook.Validator so a webhook will be registered for the type func (r *RunnerDeployment) ValidateCreate() error { - runenrDeploymentLog.Info("validate resource to be created", "name", r.Name) + runnerDeploymentLog.Info("validate resource to be created", "name", r.Name) return r.Validate() } // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type func (r *RunnerDeployment) ValidateUpdate(old runtime.Object) error { - runenrDeploymentLog.Info("validate resource to be updated", "name", r.Name) + runnerDeploymentLog.Info("validate resource to be updated", "name", r.Name) return r.Validate() } From 1f8a23c12961fdfa46bd32f572bee4b0a9c7740b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Foray?= Date: Sun, 27 Mar 2022 12:52:39 +0200 Subject: [PATCH 04/24] fix(chart): add namespace selector to webhooks when in singleNamespace mode (#1237) * fix(chart): add namespace selector to webhooks when in singleNamespace mode * docs: expand multi controller setup Co-authored-by: Callum Tait <15716903+toast-gear@users.noreply.github.com> --- README.md | 12 ++++--- .../templates/webhook_configs.yaml | 35 +++++++++++++++++++ 2 files changed, 42 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 6d5d0b45..a50250df 100644 --- a/README.md +++ b/README.md 
@@ -226,14 +226,16 @@ By default the controller will look for runners in all namespaces, the watch nam This feature is configured via the controller's `--watch-namespace` flag. When a namespace is provided via this flag, the controller will only monitor runners in that namespace. -If you plan on installing all instances of the controller stack into a single namespace you will need to make the names of the resources unique to each stack. In the case of Helm this can be done by giving each install a unique release name, or via the `fullnameOverride` properties. +You can deploy multiple controllers either in a single shared namespace, or in a unique namespace per controller. -Alternatively, you can install each controller stack into its own unique namespace (relative to other controller stacks in the cluster), avoiding the need to uniquely prefix resources. +If you plan on installing all instances of the controller stack into a single namespace there are a few things you need to do for this to work. -When you go to the route of sharing the namespace while giving each a unique Helm release name, you must also ensure the following values are configured correctly: +1. All resources per stack must have a unique, in the case of Helm this can be done by giving each install a unique release name, or via the `fullnameOverride` properties. +2. `authSecret.name` needs be unique per stack when each stack is tied to runners in different GitHub organizations and repositories AND you want your GitHub credentials to narrowly scoped. +3. `leaderElectionId` needs to be unique per stack. If this is not unique to the stack the controller tries to race onto the leader election lock and resulting in only one stack working concurrently. Your controller will be stuck with a log message something like this `attempting to acquire leader lease arc-controllers/actions-runner-controller...` +4. 
The stacks MutatingWebhookConfiguration must include a namespace selector for the stacks the corresponding runners, this is again part of the helm chart and so is already taken care of if you are deploying using the chart. -- `authSecret.name` needs be unique per stack when each stack is tied to runners in different GitHub organizations and repositories AND you want your GitHub credentials to narrowly scoped. -- `leaderElectionId` needs to be unique per stack. If this is not unique to the stack the controller tries to race onto the leader election lock and resulting in only one stack working concurrently. +Alternatively, you can install each controller stack into its own unique namespace (relative to other controller stacks in the cluster), avoiding these potential pitfalls. ## Usage diff --git a/charts/actions-runner-controller/templates/webhook_configs.yaml b/charts/actions-runner-controller/templates/webhook_configs.yaml index 93be277f..264d294f 100644 --- a/charts/actions-runner-controller/templates/webhook_configs.yaml +++ b/charts/actions-runner-controller/templates/webhook_configs.yaml @@ -12,6 +12,11 @@ metadata: webhooks: - admissionReviewVersions: - v1beta1 + {{- if .Values.scope.singleNamespace }} + namespaceSelector: + matchLabels: + name: {{ default .Release.Namespace .Values.scope.watchNamespace }} + {{- end }} clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ quote .Values.admissionWebHooks.caBundle }} @@ -35,6 +40,11 @@ webhooks: sideEffects: None - admissionReviewVersions: - v1beta1 + {{- if .Values.scope.singleNamespace }} + namespaceSelector: + matchLabels: + name: {{ default .Release.Namespace .Values.scope.watchNamespace }} + {{- end }} clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ .Values.admissionWebHooks.caBundle }} 
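Review bot: The added `namespaceSelector` matches on `matchLabels: name: <namespace>`, a label the API server does not put on namespaces; the only automatically applied one is `kubernetes.io/metadata.name` (Kubernetes 1.21+, NamespaceDefaultLabelName). In a cluster where the watched namespace was never hand-labelled with `name`, the selector matches nothing and every webhook in this file silently stops being invoked — admission fails open and runner pods are no longer mutated or validated. Prefer `kubernetes.io/metadata.name: {{ default .Release.Namespace .Values.scope.watchNamespace }}`, or at minimum document in values.yaml that `scope.singleNamespace` requires the namespace to carry a `name` label equal to its name. The same selector block is repeated in each webhook entry of this file and should be changed consistently.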
@@ -58,6 +68,11 @@ webhooks: sideEffects: None - admissionReviewVersions: - v1beta1 + {{- if .Values.scope.singleNamespace }} + namespaceSelector: + matchLabels: + name: {{ default .Release.Namespace .Values.scope.watchNamespace }} + {{- end }} clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ .Values.admissionWebHooks.caBundle }} @@ -81,6 +96,11 @@ webhooks: sideEffects: None - admissionReviewVersions: - v1beta1 + {{- if .Values.scope.singleNamespace }} + namespaceSelector: + matchLabels: + name: {{ default .Release.Namespace .Values.scope.watchNamespace }} + {{- end }} clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ .Values.admissionWebHooks.caBundle }} @@ -117,6 +137,11 @@ metadata: webhooks: - admissionReviewVersions: - v1beta1 + {{- if .Values.scope.singleNamespace }} + namespaceSelector: + matchLabels: + name: {{ default .Release.Namespace .Values.scope.watchNamespace }} + {{- end }} clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ .Values.admissionWebHooks.caBundle }} @@ -140,6 +165,11 @@ webhooks: sideEffects: None - admissionReviewVersions: - v1beta1 + {{- if .Values.scope.singleNamespace }} + namespaceSelector: + matchLabels: + name: {{ default .Release.Namespace .Values.scope.watchNamespace }} + {{- end }} clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ .Values.admissionWebHooks.caBundle }} @@ -163,6 +193,11 @@ webhooks: sideEffects: None - admissionReviewVersions: - v1beta1 + {{- if .Values.scope.singleNamespace }} + namespaceSelector: + matchLabels: + name: {{ default .Release.Namespace .Values.scope.watchNamespace }} + {{- end }} clientConfig: {{- if .Values.admissionWebHooks.caBundle }} caBundle: {{ .Values.admissionWebHooks.caBundle }} From 1b327a0721c588a628e3f1a8ca9d7962565ba072 Mon Sep 17 00:00:00 2001 
From: Rolf Ahrenberg Date: Sun, 27 Mar 2022 14:14:56 +0300 Subject: [PATCH 05/24] refactor: use const envvars (#1251) --- controllers/pod_runner_token_injector.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controllers/pod_runner_token_injector.go b/controllers/pod_runner_token_injector.go index a186b432..5c7dd487 100644 --- a/controllers/pod_runner_token_injector.go +++ b/controllers/pod_runner_token_injector.go @@ -59,9 +59,9 @@ func (t *PodRunnerTokenInjector) Handle(ctx context.Context, req admission.Reque return newEmptyResponse() } - enterprise, okEnterprise := getEnv(runnerContainer, "RUNNER_ENTERPRISE") - repo, okRepo := getEnv(runnerContainer, "RUNNER_REPO") - org, okOrg := getEnv(runnerContainer, "RUNNER_ORG") + enterprise, okEnterprise := getEnv(runnerContainer, EnvVarEnterprise) + repo, okRepo := getEnv(runnerContainer, EnvVarRepo) + org, okOrg := getEnv(runnerContainer, EnvVarOrg) if !okRepo || !okOrg || !okEnterprise { return newEmptyResponse() } From 459beeafb983a65632b15511bbc3532eed4e2297 Mon Sep 17 00:00:00 2001 From: Callum Tait <15716903+toast-gear@users.noreply.github.com> Date: Sun, 27 Mar 2022 14:15:42 +0100 Subject: [PATCH 06/24] docs: remove the nonsense --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a50250df..e4541115 100644 --- a/README.md +++ b/README.md 
@@ -232,10 +232,10 @@ If you plan on installing all instances of the controller stack into a single na 1. All resources per stack must have a unique, in the case of Helm this can be done by giving each install a unique release name, or via the `fullnameOverride` properties. 2. `authSecret.name` needs be unique per stack when each stack is tied to runners in different GitHub organizations and repositories AND you want your GitHub credentials to narrowly scoped. -3. `leaderElectionId` needs to be unique per stack. If this is not unique to the stack the controller tries to race onto the leader election lock and resulting in only one stack working concurrently. Your controller will be stuck with a log message something like this `attempting to acquire leader lease arc-controllers/actions-runner-controller...` -4. The stacks MutatingWebhookConfiguration must include a namespace selector for the stacks the corresponding runners, this is again part of the helm chart and so is already taken care of if you are deploying using the chart. +3. `leaderElectionId` needs to be unique per stack. If this is not unique to the stack the controller tries to race onto the leader election lock resulting in only one stack working concurrently. Your controller will be stuck with a log message something like this `attempting to acquire leader lease arc-controllers/actions-runner-controller...` +4. The MutatingWebhookConfiguration in each stack must include a namespace selector for that stacks corresponding runners namespace, this is already configured in the helm chart. -Alternatively, you can install each controller stack into its own unique namespace (relative to other controller stacks in the cluster), avoiding these potential pitfalls. +Alternatively, you can install each controller stack into a unique namespace (relative to other controller stacks in the cluster), avoiding these potential pitfalls. ## Usage From ecc8b4472abbc14f5695607eff6528c3b5165d6e Mon Sep 17 00:00:00 2001 
From: Callum Tait <15716903+toast-gear@users.noreply.github.com> Date: Tue, 29 Mar 2022 07:46:44 +0100 Subject: [PATCH 07/24] chore: bump chart to latest (#1280) --- charts/actions-runner-controller/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/actions-runner-controller/Chart.yaml b/charts/actions-runner-controller/Chart.yaml index 48cfc29b..a87f1b48 100644 --- a/charts/actions-runner-controller/Chart.yaml +++ b/charts/actions-runner-controller/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.17.0 +version: 0.17.1 # Used as the default manager tag value when no tag property is provided in the values.yaml -appVersion: 0.22.0 +appVersion: 0.22.1 home: https://github.com/actions-runner-controller/actions-runner-controller From a95983fb983904f7f0f73d4b7ff521b5c68a7161 Mon Sep 17 00:00:00 2001 
From: Michael Goodness Date: Tue, 29 Mar 2022 05:00:55 -0500 Subject: [PATCH 08/24] feat(kustomize): add github-webhook-server overlay (#1198) * feat(kustomize): add github-webhook-server overlay * chore(kustomize): add image to github-webhook-server overlay * feat(kustomize): drop sync-period --- README.md | 2 +- .../gh-webhook-server-auth-proxy-patch.yaml | 23 ++++ config/default/kustomization.yaml | 25 ++-- config/default/manager_auth_proxy_patch.yaml | 1 - config/github-webhook-server/deployment.yaml | 37 ++++++ .../github-webhook-server/kustomization.yaml | 12 ++ config/github-webhook-server/rbac.yaml | 113 ++++++++++++++++++ config/github-webhook-server/service.yaml | 16 +++ 8 files changed, 218 insertions(+), 11 deletions(-) create mode 100644 config/default/gh-webhook-server-auth-proxy-patch.yaml create mode 100644 config/github-webhook-server/deployment.yaml create mode 100644 config/github-webhook-server/kustomization.yaml create mode 100644 config/github-webhook-server/rbac.yaml create mode 100644 config/github-webhook-server/service.yaml diff --git a/README.md b/README.md index e4541115..3cf93ddb 100644 --- a/README.md +++ b/README.md @@ -668,7 +668,7 @@ The primary benefit of autoscaling on Webhook compared to the pull driven scalin > You can learn the implementation details in [#282](https://github.com/actions-runner-controller/actions-runner-controller/pull/282) -To enable this feature, you firstly need to install the webhook server, currently, only our Helm chart has the ability install it: +To enable this feature, you first need to install the GitHub webhook server. To install via our Helm chart, _[see the values documentation for all configuration options](https://github.com/actions-runner-controller/actions-runner-controller/blob/master/charts/actions-runner-controller/README.md)_ ```console 
diff --git a/config/default/gh-webhook-server-auth-proxy-patch.yaml b/config/default/gh-webhook-server-auth-proxy-patch.yaml new file mode 100644 index 00000000..6d01f5da --- /dev/null +++ b/config/default/gh-webhook-server-auth-proxy-patch.yaml @@ -0,0 +1,23 @@ +# This patch injects an HTTP proxy sidecar container that performs RBAC +# authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: github-webhook-server +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + args: + - '--secure-listen-address=0.0.0.0:8443' + - '--upstream=http://127.0.0.1:8080/' + - '--logtostderr=true' + - '--v=10' + ports: + - containerPort: 8443 + name: https + - name: github-webhook-server + args: + - '--metrics-addr=127.0.0.1:8080' diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index d44cfad5..4539475e 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
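Review bot: The kube-rbac-proxy sidecar is started with `--v=10`, the maximum klog verbosity, which floods logs in a long-running deployment and at that level may echo per-request details that are not wanted outside debugging; `--v=0` (or omitting the flag) is the safer default. The image is referenced by mutable tag `quay.io/brancz/kube-rbac-proxy:v0.10.0` with no digest; for a component that sits in the authentication path, `image: quay.io/brancz/kube-rbac-proxy:v0.10.0@sha256:<digest>` protects against tag re-pushes. The sidecar also carries no `securityContext` or `resources`; `securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: [ALL] }, runAsNonRoot: true }` would be the usual hardening. The patch mirrors the manager's existing auth proxy patch, so the same points likely apply there as well.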
@@ -20,19 +20,22 @@ bases: - ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. - ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [GH_WEBHOOK_SERVER] To enable the GitHub webhook server, uncomment all sections with 'GH_WEBHOOK_SERVER'. +#- ../github-webhook-server patchesStrategicMerge: - # Protect the /metrics endpoint by putting it behind auth. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. +# Protect the /metrics endpoint by putting it behind auth. +# Only one of manager_auth_proxy_patch.yaml and +# manager_prometheus_metrics_patch.yaml should be enabled. - manager_auth_proxy_patch.yaml - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, uncomment the following line and - # comment manager_auth_proxy_patch.yaml. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. + +# If you want your controller-manager to expose the /metrics +# endpoint w/o any authn/z, uncomment the following line and +# comment manager_auth_proxy_patch.yaml. +# Only one of manager_auth_proxy_patch.yaml and +# manager_prometheus_metrics_patch.yaml should be enabled. #- manager_prometheus_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml 
@@ -43,6 +46,10 @@ patchesStrategicMerge: # 'CERTMANAGER' needs to be enabled to use ca injection - webhookcainjection_patch.yaml +# [GH_WEBHOOK_SERVER] To enable the GitHub webhook server, uncomment all sections with 'GH_WEBHOOK_SERVER'. +# Protect the GitHub webhook server metrics endpoint by putting it behind auth. +# - gh-webhook-server-auth-proxy-patch.yaml + # the following config is for teaching kustomize how to do var substitution vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 558812ec..2703a9af 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -23,4 +23,3 @@ spec: args: - "--metrics-addr=127.0.0.1:8080" - "--enable-leader-election" - - "--sync-period=10m" diff --git a/config/github-webhook-server/deployment.yaml b/config/github-webhook-server/deployment.yaml new file mode 100644 index 00000000..b1fe967d --- /dev/null +++ b/config/github-webhook-server/deployment.yaml 
@@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller + name: github-webhook-server +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller + template: + metadata: + labels: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller + spec: + containers: + - name: github-webhook-server + image: controller:latest + command: + - '/github-webhook-server' + env: + - name: GITHUB_WEBHOOK_SECRET_TOKEN + valueFrom: + secretKeyRef: + key: github_webhook_secret_token + name: github-webhook-server + optional: true + ports: + - containerPort: 8000 + name: http + protocol: TCP + serviceAccountName: github-webhook-server + terminationGracePeriodSeconds: 10 diff --git a/config/github-webhook-server/kustomization.yaml b/config/github-webhook-server/kustomization.yaml new file mode 100644 index 00000000..b7c92d42 --- /dev/null +++ b/config/github-webhook-server/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +images: + - name: controller + newName: summerwind/actions-runner-controller + newTag: latest + +resources: + - deployment.yaml + - rbac.yaml + - service.yaml diff --git a/config/github-webhook-server/rbac.yaml b/config/github-webhook-server/rbac.yaml new file mode 100644 index 00000000..685e8c71 --- /dev/null +++ b/config/github-webhook-server/rbac.yaml 
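Review bot: `GITHUB_WEBHOOK_SECRET_TOKEN` is wired with `optional: true`, so the Deployment starts even when the `github-webhook-server` Secret or its `github_webhook_secret_token` key is absent; if the server treats an unset token as "skip signature verification" — which cannot be confirmed from this hunk — a misconfigured install would silently accept unauthenticated webhook posts that drive autoscaling. Either drop `optional: true` so a missing secret is a visible deploy failure, or add `# optional: the server runs without webhook signature verification when unset; only safe behind an authenticating proxy` so the trade-off is explicit. The pod sets no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities, `readOnlyRootFilesystem`) and no `resources`, which a GitHub-facing component should have. `image: controller:latest` is rewritten by the sibling kustomization to `summerwind/actions-runner-controller:latest`, a floating tag that should be pinned to a release (ideally by digest) for reproducible deployments.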
@@ -0,0 +1,113 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller + name: github-webhook-server +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller + name: github-webhook-server +rules: + - apiGroups: + - actions.summerwind.dev + resources: + - horizontalrunnerautoscalers + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - horizontalrunnerautoscalers/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - horizontalrunnerautoscalers/status + verbs: + - get + - patch + - update + - apiGroups: + - actions.summerwind.dev + resources: + - runnersets + verbs: + - get + - list + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - runnerdeployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - runnerdeployments/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - actions.summerwind.dev + resources: + - runnerdeployments/status + verbs: + - get + - patch + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller + name: github-webhook-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: github-webhook-server +subjects: + - kind: 
ServiceAccount + name: github-webhook-server diff --git a/config/github-webhook-server/service.yaml b/config/github-webhook-server/service.yaml new file mode 100644 index 00000000..00f28a06 --- /dev/null +++ b/config/github-webhook-server/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller + name: github-webhook-server +spec: + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/component: github-webhook-server + app.kubernetes.io/part-of: actions-runner-controller From 13e7b440a805da6af0f692bb5ababb940a46cd9d Mon Sep 17 00:00:00 2001 From: Milan Aleks <42142708+milanmayr@users.noreply.github.com> Date: Tue, 29 Mar 2022 05:05:24 -0500 Subject: [PATCH 09/24] chore: typo fix in runner Dockerfile [skip ci] (#1270) --- runner/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runner/Dockerfile b/runner/Dockerfile index 1913a491..5b0b353e 100644 --- a/runner/Dockerfile +++ b/runner/Dockerfile @@ -83,7 +83,7 @@ ENV HOME=/home/runner # # If you're willing to uncomment the following line, you'd also need to comment-out the # && curl -L -o runner.tar.gz https://github.com/actions/runner/releases/download/v${RUNNER_VERSION}/actions-runner-linux-${ARCH}-${RUNNER_VERSION}.tar.gz \ -# line in the next `RUN` command in this Dockerfile, to avoid overwiding this runner.tar.gz with a remote one. +# line in the next `RUN` command in this Dockerfile, to avoid overwiting this runner.tar.gz with a remote one. # COPY actions-runner-linux-x64-2.280.3.tar.gz /runnertmp/runner.tar.gz From d72c396ff190d196fa0817c2e12eff5a860167aa Mon Sep 17 00:00:00 2001 
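Review bot: The ClusterRole grants `create` and `delete` on `runnerdeployments` and on the `*/finalizers` subresources, which looks broader than a webhook-driven scaler needs; presumably the server only patches/updates `horizontalrunnerautoscalers` (and their status) and reads `runnerdeployments`/`runnersets`. Unless the server really creates or deletes RunnerDeployments, those verbs should be dropped so that a compromise of the GitHub-facing webhook pod cannot remove runner fleets. The `tokenreviews`/`subjectaccessreviews` `create` rules are only needed when the kube-rbac-proxy sidecar patch is enabled; a comment such as `# required by the kube-rbac-proxy sidecar (config/default/gh-webhook-server-auth-proxy-patch.yaml)` would stop them being copied blindly. If the server is scoped to a single namespace, a Role/RoleBinding would be the least-privilege shape; a ClusterRole is warranted only for cluster-wide watching.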
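Review bot: The corrected comment still misspells the word: `overwiting` on the new line should read `overwriting`, i.e. `# line in the next \`RUN\` command in this Dockerfile, to avoid overwriting this runner.tar.gz with a remote one.`. As the typo fix is the whole commit, it is worth correcting before merge rather than in a follow-up.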
From: Callum Tait <15716903+toast-gear@users.noreply.github.com> Date: Tue, 29 Mar 2022 16:57:58 +0100 Subject: [PATCH 10/24] docs: slight correction for a multi controller env --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3cf93ddb..b08a4f02 100644 --- a/README.md +++ b/README.md @@ -233,9 +233,9 @@ If you plan on installing all instances of the controller stack into a single na 1. All resources per stack must have a unique, in the case of Helm this can be done by giving each install a unique release name, or via the `fullnameOverride` properties. 2. `authSecret.name` needs be unique per stack when each stack is tied to runners in different GitHub organizations and repositories AND you want your GitHub credentials to narrowly scoped. 3. `leaderElectionId` needs to be unique per stack. If this is not unique to the stack the controller tries to race onto the leader election lock resulting in only one stack working concurrently. Your controller will be stuck with a log message something like this `attempting to acquire leader lease arc-controllers/actions-runner-controller...` -4. The MutatingWebhookConfiguration in each stack must include a namespace selector for that stacks corresponding runners namespace, this is already configured in the helm chart. +4. The MutatingWebhookConfiguration in each stack must include a namespace selector for that stacks corresponding runner namespace, this is already configured in the helm chart. -Alternatively, you can install each controller stack into a unique namespace (relative to other controller stacks in the cluster), avoiding these potential pitfalls. +Alternatively, you can install each controller stack into a unique namespace (relative to other controller stacks in the cluster). Implementing ARC this way avoids the first, second and third pitfalls (you still need to set the corresponding namespace selector for each stacks mutating webhook) ## Usage 
From 7e8d80689bd9cdc3dd55be9a31a5a1aaff450d61 Mon Sep 17 00:00:00 2001 From: toast-gear Date: Wed, 30 Mar 2022 09:53:59 +0100 Subject: [PATCH 11/24] docs: add limitations to runnersets + reorder --- README.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index a50250df..d08f17bf 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ ToC: - [Enterprise Runners](#enterprise-runners) - [RunnerDeployments](#runnerdeployments) - [RunnerSets](#runnersets) + - [Persistent Runners](#persistent-runners) - [Autoscaling](#autoscaling) - [Anti-Flapping Configuration](#anti-flapping-configuration) - [Pull Driven Scaling](#pull-driven-scaling) @@ -32,7 +33,7 @@ ToC: - [Runner Groups](#runner-groups) - [Runner Entrypoint Features](#runner-entrypoint-features) - [Using IRSA (IAM Roles for Service Accounts) in EKS](#using-irsa-iam-roles-for-service-accounts-in-eks) - - [Persistent Runners](#persistent-runners) + - [Software Installed in the Runner Image](#software-installed-in-the-runner-image) - [Using without cert-manager](#using-without-cert-manager) - [Troubleshooting](#troubleshooting) @@ -367,6 +368,8 @@ example-runnerdeploy2475ht2qbr mumoshu/actions-runner-controller-ci Running > This feature requires controller version => [v0.20.0](https://github.com/actions-runner-controller/actions-runner-controller/releases/tag/v0.20.0) +__Ensure you see the limitations before using this kind!!!!!__ + For scenarios where you require the advantages of a `StatefulSet`, for example persistent storage, ARC implements a runner based on Kubernete's StatefulSets, the RunnerSet. A basic `RunnerSet` would look like this: 
@@ -450,6 +453,20 @@ Under the hood, `RunnerSet` relies on Kubernetes's `StatefulSet` and Mutating We **Limitations** * For autoscaling the `RunnerSet` kind only supports pull driven scaling or the `workflow_job` event for webhook driven scaling. +* Whilst RunnerSets support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using RunnerSets in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default configuration, you will get a build up of PVCs and PVs if you deploy RunnerSets as ephemeral runners without some sort of custom solution for cleaning up the PVCs. +### Persistent Runners + +Every runner managed by ARC is "ephemeral" by default. The life of an ephemeral runner managed by ARC looks like this- ARC creates a runner pod for the runner. As it's an ephemeral runner, the `--ephemeral` flag is passed to the `actions/runner` agent that runs within the `runner` container of the runner pod. + +`--ephemeral` is an `actions/runner` feature that instructs the runner to stop and de-register itself after the first job run. + +Once the ephemeral runner has completed running a workflow job, it stops with a status code of 0, hence the runner pod is marked as completed, removed by ARC. + +As it's removed after a workflow job run, the runner pod is never reused across multiple GitHub Actions workflow jobs, providing you a clean environment per each workflow job. + +Although not generally recommended, it's possible to disable passing `--ephemeral` flag by explicitly setting `ephemeral: false` in the `RunnerDeployment` or `RunnerSet` spec. When disabled, your runner becomes "persistent". 
A persistent runner does not stop after workflow job ends, and in this mode `actions/runner` is known to clean only runner's work dir after each job. That means your runner's environment, including various actions cache, docker images stored in the `dind` and layer cache, is retained across multiple workflow job runs. + +Persistent runners are available as an option for some edge cases however they are not preferred as they can create challenges around providing a deterministic and secure environment. ### Autoscaling 
@@ -1311,21 +1328,6 @@ spec: securityContext: fsGroup: 1000 ``` - -### Persistent Runners - -Every runner managed by ARC is "ephemeral" by default. The life of an ephemeral runner managed by ARC looks like this- ARC creates a runner pod for the runner. As it's an ephemeral runner, the `--ephemeral` flag is passed to the `actions/runner` agent that runs within the `runner` container of the runner pod. - -`--ephemeral` is an `actions/runner` feature that instructs the runner to stop and de-register itself after the first job run. - -Once the ephemeral runner has completed running a workflow job, it stops with a status code of 0, hence the runner pod is marked as completed, removed by ARC. - -As it's removed after a workflow job run, the runner pod is never reused across multiple GitHub Actions workflow jobs, providing you a clean environment per each workflow job. - -Although not recommended, it's possible to disable passing `--ephemeral` flag by explicitly setting `ephemeral: false` in the `RunnerDeployment` or `RunnerSet` spec. When disabled, your runner becomes "persistent". A persistent runner does not stop after workflow job ends, and in this mode `actions/runner` is known to clean only runner's work dir after each job. That means your runner's environment, including various actions cache, docker images stored in the `dind` and layer cache, is retained across multiple workflow job runs. - -Persistent runners are available as an option for some edge cases however they are not preferred as they can create challenges around providing a deterministic and secure environment. - ### Software Installed in the Runner Image **Cloud Tooling**
From 98567dadc96d1d97b3e3504db0964bd3d24d3941 Mon Sep 17 00:00:00 2001 From: toast-gear Date: Wed, 30 Mar 2022 09:59:32 +0100 Subject: [PATCH 12/24] docs: fix index --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d08f17bf..909c62dd 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,6 @@ ToC: - [Runner Groups](#runner-groups) - [Runner Entrypoint Features](#runner-entrypoint-features) - [Using IRSA (IAM Roles for Service Accounts) in EKS](#using-irsa-iam-roles-for-service-accounts-in-eks) - - [Software Installed in the Runner Image](#software-installed-in-the-runner-image) - [Using without cert-manager](#using-without-cert-manager) - [Troubleshooting](#troubleshooting) From 88d17c798882e0ca01212e4315839a24963ef2c0 Mon Sep 17 00:00:00 2001 From: toast-gear Date: Wed, 30 Mar 2022 10:00:34 +0100 Subject: [PATCH 13/24] docs: use the right font --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 909c62dd..82191a84 100644 --- a/README.md +++ b/README.md @@ -367,7 +367,7 @@ example-runnerdeploy2475ht2qbr mumoshu/actions-runner-controller-ci Running > This feature requires controller version => [v0.20.0](https://github.com/actions-runner-controller/actions-runner-controller/releases/tag/v0.20.0) -__Ensure you see the limitations before using this kind!!!!!__ +_Ensure you see the limitations before using this kind!!!!!_ For scenarios where you require the advantages of a `StatefulSet`, for example persistent storage, ARC implements a runner based on Kubernete's StatefulSets, the RunnerSet. From fd0092d13fe5122a79d614bcbe37788e0856be4d Mon Sep 17 00:00:00 2001 From: toast-gear Date: Wed, 30 Mar 2022 10:02:33 +0100 Subject: [PATCH 14/24] chore: new line for consistency --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 82191a84..20f5129b 100644 --- a/README.md +++ b/README.md 
@@ -453,6 +453,7 @@ Under the hood, `RunnerSet` relies on Kubernetes's `StatefulSet` and Mutating We * For autoscaling the `RunnerSet` kind only supports pull driven scaling or the `workflow_job` event for webhook driven scaling. * Whilst RunnerSets support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using RunnerSets in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default configuration, you will get a build up of PVCs and PVs if you deploy RunnerSets as ephemeral runners without some sort of custom solution for cleaning up the PVCs. + ### Persistent Runners Every runner managed by ARC is "ephemeral" by default. The life of an ephemeral runner managed by ARC looks like this- ARC creates a runner pod for the runner. As it's an ephemeral runner, the `--ephemeral` flag is passed to the `actions/runner` agent that runs within the `runner` container of the runner pod. From d26c8d6529b46281e72af46f24b6f9c34ee3d832 Mon Sep 17 00:00:00 2001 From: toast-gear Date: Wed, 30 Mar 2022 10:26:08 +0100 Subject: [PATCH 15/24] docs: add autoscaling also causes problems --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 20f5129b..c80dd811 100644 --- a/README.md +++ b/README.md 
@@ -452,7 +452,7 @@ Under the hood, `RunnerSet` relies on Kubernetes's `StatefulSet` and Mutating We **Limitations** * For autoscaling the `RunnerSet` kind only supports pull driven scaling or the `workflow_job` event for webhook driven scaling. -* Whilst RunnerSets support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using RunnerSets in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default configuration, you will get a build up of PVCs and PVs if you deploy RunnerSets as ephemeral runners without some sort of custom solution for cleaning up the PVCs. +* Whilst RunnerSets support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using RunnerSets in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default configuration or implementing autoscaling, you will get a build up of PVCs and PVs if you deploy RunnerSets as ephemeral runners without some sort of custom solution for cleaning up the PVCs. ### Persistent Runners From 7a750b928510c8a382389094947aedb5ff7fcdb9 Mon Sep 17 00:00:00 2001 From: toast-gear Date: Wed, 30 Mar 2022 10:35:32 +0100 Subject: [PATCH 16/24] docs: wording --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c80dd811..399735a6 100644 --- a/README.md +++ b/README.md 
@@ -452,7 +452,7 @@ Under the hood, `RunnerSet` relies on Kubernetes's `StatefulSet` and Mutating We **Limitations** * For autoscaling the `RunnerSet` kind only supports pull driven scaling or the `workflow_job` event for webhook driven scaling. -* Whilst RunnerSets support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using RunnerSets in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default configuration or implementing autoscaling, you will get a build up of PVCs and PVs if you deploy RunnerSets as ephemeral runners without some sort of custom solution for cleaning up the PVCs. +* Whilst `RunnerSets` support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using `RunnerSets` in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default ephemeral configuration or implementing autoscaling for your `RunnerSets`, you will get a build up of PVCs and PVs if you deploy RunnerSets as ephemeral runners without some sort of custom solution for cleaning up the PVCs. ### Persistent Runners From eb02f6f26e072f37f075fa58f34df5aa2c57f9ef Mon Sep 17 00:00:00 2001 From: toast-gear Date: Wed, 30 Mar 2022 10:36:34 +0100 Subject: [PATCH 17/24] docs: redundant words --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 399735a6..cc3f0afd 100644 --- a/README.md +++ b/README.md 
@@ -452,7 +452,7 @@ Under the hood, `RunnerSet` relies on Kubernetes's `StatefulSet` and Mutating We **Limitations** * For autoscaling the `RunnerSet` kind only supports pull driven scaling or the `workflow_job` event for webhook driven scaling. -* Whilst `RunnerSets` support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using `RunnerSets` in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default ephemeral configuration or implementing autoscaling for your `RunnerSets`, you will get a build up of PVCs and PVs if you deploy RunnerSets as ephemeral runners without some sort of custom solution for cleaning up the PVCs. +* Whilst `RunnerSets` support all runner modes as well as autoscaling, currently PVs are **NOT** automatically cleaned up as they are still bound to their respective PVCs when a runner is deleted by the controller. This has **major** implications when using `RunnerSets` in the standard runner mode, `ephemeral: true`, see [persistent runners](#persistent-runners) for more details. As a result of this, using the default ephemeral configuration or implementing autoscaling for your `RunnerSets`, you will get a build up of PVCs and PVs without some sort of custom solution for cleaning up. ### Persistent Runners From e46df413a12089e65587157881545ef2e1a516df Mon Sep 17 00:00:00 2001 From: Bernardo Meurer Date: Wed, 30 Mar 2022 04:18:18 -0700 Subject: [PATCH 18/24] refactor(runner/entrypoint): check for externalstmp (#1277) * refactor(runner/entrypoint): check for externalstmp [skip ci] Co-authored-by: Callum Tait <15716903+toast-gear@users.noreply.github.com> --- runner/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/runner/entrypoint.sh b/runner/entrypoint.sh
index ba46e645..cb2c5344 100755
--- a/runner/entrypoint.sh
+++ b/runner/entrypoint.sh
@@ -151,7 +151,7 @@ cat .runner
 # https://api.github.com/repos/USER/REPO/actions/runners/171
 if [ -z "${UNITTEST:-}" ]; then
- mkdir ./externals
+ mkdir -p ./externals
 # Hack due to the DinD volumes
 mv ./externalstmp/* ./externals/
 fi
From b80d9b0cdc97a5c68fa1c5b9101f17db02df5a3d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 30 Mar 2022 13:24:26 +0100 Subject: [PATCH 19/24] chore(deps): update helm/chart-releaser-action action to v1.4.0 (#1287) Co-authored-by: Renovate Bot --- .github/workflows/on-push-master-publish-chart.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/on-push-master-publish-chart.yml b/.github/workflows/on-push-master-publish-chart.yml index d55bc5e2..cea1b4ea 100644 --- a/.github/workflows/on-push-master-publish-chart.yml +++ b/.github/workflows/on-push-master-publish-chart.yml @@ -114,7 +114,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.3.0 + uses: helm/chart-releaser-action@v1.4.0 env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From 971c54bf5cbae9ab1ac2b4c7bdce784c277d5cd1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 30 Mar 2022 15:38:33 +0000 Subject: [PATCH 20/24] chore(deps): update dependency actions/runner to v2.289.2 --- .github/workflows/runners.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/runners.yml b/.github/workflows/runners.yml index 26be32e5..cce9b42e 100644 --- a/.github/workflows/runners.yml +++ b/.github/workflows/runners.yml @@ -15,7 +15,7 @@ on: - '!**.md' env: - RUNNER_VERSION: 2.289.1 + RUNNER_VERSION: 2.289.2 DOCKER_VERSION: 20.10.12 DOCKERHUB_USERNAME: summerwind From 14f9e7229ebe2061c35f5bbf60981a9ffe7a4ce9 Mon Sep 17 00:00:00 2001 
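Review bot: The commit title says it checks for externalstmp, but the hunk only makes `mkdir` idempotent; `mv ./externalstmp/* ./externals/` on the following line still fails when `./externalstmp` is absent or empty, because an unmatched glob is handed to mv literally unless nullglob is set (not visible here). If the goal is to tolerate a missing staging directory, guard the move, e.g. `if [ -d ./externalstmp ]; then mv ./externalstmp/* ./externals/; fi`, and decide explicitly whether the script should abort or continue in that case, since whether it runs under `set -e` is outside the hunk. The `mkdir -p` line would also benefit from a comment stating why the directory can already exist (the "Hack due to the DinD volumes" comment currently explains only the mv), e.g. `# -p: ./externals may already exist when the DinD volume is mounted over it`.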
From: Callum Tait <15716903+toast-gear@users.noreply.github.com> Date: Fri, 1 Apr 2022 15:49:15 +0100 Subject: [PATCH 21/24] docs: highlight why persistent are not ideal --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cc3f0afd..635499ee 100644 --- a/README.md +++ b/README.md 
@@ -464,7 +464,7 @@ Once the ephemeral runner has completed running a workflow job, it stops with a As it's removed after a workflow job run, the runner pod is never reused across multiple GitHub Actions workflow jobs, providing you a clean environment per each workflow job. -Although not generally recommended, it's possible to disable passing `--ephemeral` flag by explicitly setting `ephemeral: false` in the `RunnerDeployment` or `RunnerSet` spec. When disabled, your runner becomes "persistent". A persistent runner does not stop after workflow job ends, and in this mode `actions/runner` is known to clean only runner's work dir after each job. That means your runner's environment, including various actions cache, docker images stored in the `dind` and layer cache, is retained across multiple workflow job runs. +Although not generally recommended, it's possible to disable passing `--ephemeral` flag by explicitly setting `ephemeral: false` in the `RunnerDeployment` or `RunnerSet` spec. When disabled, your runner becomes "persistent". A persistent runner does not stop after workflow job ends, and in this mode `actions/runner` is known to clean only runner's work dir after each job. Whilst this can seem helpful it creates a non-deterministic environment which is not ideal for a CI/CD environment. Between runs your actions cache, docker images stored in the `dind` and layer cache, globally installed packages etc are retained across multiple workflow job runs which can cause issues which are hard to debug and inconsistent. Persistent runners are available as an option for some edge cases however they are not preferred as they can create challenges around providing a deterministic and secure environment. From b614dcf54b2771b90aea4726176f7cdf4be9c9b4 Mon Sep 17 00:00:00 2001 
From: Yusuke Kuoka Date: Sun, 3 Apr 2022 09:59:35 +0900 Subject: [PATCH 22/24] Make the hard-coded runner startup timeout to avoid race on token expiration longer (#1296) Ref #1295 --- github/github.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/github/github.go b/github/github.go
index 6def3f50..b037d8ba 100644
--- a/github/github.go
+++ b/github/github.go
@@ -153,8 +153,18 @@ func (c *Client) GetRegistrationToken(ctx context.Context, enterprise, org, repo
 key := getRegistrationKey(org, repo, enterprise)
 rt, ok := c.regTokens[key]
- // we like to give runners a chance that are just starting up and may miss the expiration date by a bit
- runnerStartupTimeout := 3 * time.Minute
+ // We'd like to allow the runner just starting up to miss the expiration date by a bit.
+ // Note that this means that we're going to cache Creation Registraion Token API response longer than the
+ // recommended cache duration.
+ //
+ // https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-a-repository
+ // https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-an-organization
+ // https://docs.github.com/en/rest/reference/actions#create-a-registration-token-for-an-enterprise
+ // https://docs.github.com/en/rest/overview/resources-in-the-rest-api#conditional-requests
+ //
+ // This is currently set to 30 minutes as the result of the discussion took place at the following issue:
+ // https://github.com/actions-runner-controller/actions-runner-controller/issues/1295
+ runnerStartupTimeout := 30 * time.Minute
 if ok && rt.GetExpiresAt().After(time.Now().Add(runnerStartupTimeout)) {
 return rt, nil
From 631a70a35ff54f9f5e0e233b96b1ddc19e581634 Mon Sep 17 00:00:00 2001 
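Review bot: `runnerStartupTimeout := 30 * time.Minute` is still a literal inside GetRegistrationToken even though the new comment says the value came out of an issue discussion rather than being a property of the API; make it a field on `Client` with this as the default (or at least a named package-level constant) so it can be tuned without a rebuild, noting that the function's signature starts before the hunk. The comment also appears to describe the opposite of what the condition below does: a cached token is handed back only while `rt.GetExpiresAt()` is more than 30 minutes in the future, so raising the value from 3 to 30 minutes shortens the window in which the cached response is reused and calls the create-token endpoint sooner, not later — reword it so a reader is not misled about which direction the trade-off goes. Minor: `Registraion` should be `Registration`.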
From: Yusuke Kuoka Date: Sun, 3 Apr 2022 11:12:44 +0900 Subject: [PATCH 23/24] Fix runner pod to be cleaned up earlier regardless of the sync period (#1299) Ref #1291 --- api/v1alpha1/runner_types.go | 3 +++ .../crds/actions.summerwind.dev_runners.yaml | 3 +++ .../bases/actions.summerwind.dev_runners.yaml | 3 +++ controllers/runner_controller.go | 17 +++++++++++++++- test/e2e/e2e_test.go | 20 ++++++++++++++----- 5 files changed, 40 insertions(+), 6 deletions(-) diff --git a/api/v1alpha1/runner_types.go b/api/v1alpha1/runner_types.go index 25437987..5ced5fcc 100644 --- a/api/v1alpha1/runner_types.go +++ b/api/v1alpha1/runner_types.go @@ -181,6 +181,9 @@ func (rs *RunnerSpec) ValidateRepository() error { // RunnerStatus defines the observed state of Runner type RunnerStatus struct { + // Turns true only if the runner pod is ready. + // +optional + Ready bool `json:"ready"` // +optional Registration RunnerStatusRegistration `json:"registration"` // +optional diff --git a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml index 3f85eb1d..01bf48e4 100644 --- a/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml +++ b/charts/actions-runner-controller/crds/actions.summerwind.dev_runners.yaml @@ -5126,6 +5126,9 @@ spec: type: string phase: type: string + ready: + description: Turns true only if the runner pod is ready. + type: boolean reason: type: string registration: diff --git a/config/crd/bases/actions.summerwind.dev_runners.yaml b/config/crd/bases/actions.summerwind.dev_runners.yaml index 3f85eb1d..01bf48e4 100644 --- a/config/crd/bases/actions.summerwind.dev_runners.yaml +++ b/config/crd/bases/actions.summerwind.dev_runners.yaml @@ -5126,6 +5126,9 @@ spec: type: string phase: type: string + ready: + description: Turns true only if the runner pod is ready. + type: boolean reason: type: string registration: 
diff --git a/controllers/runner_controller.go b/controllers/runner_controller.go index 907bcc9f..78bfb951 100644 --- a/controllers/runner_controller.go +++ b/controllers/runner_controller.go @@ -132,7 +132,9 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr phase = "Created" } - if runner.Status.Phase != phase { + ready := runnerPodReady(&pod) + + if runner.Status.Phase != phase || runner.Status.Ready != ready { if pod.Status.Phase == corev1.PodRunning { // Seeing this message, you can expect the runner to become `Running` soon. log.V(1).Info( @@ -143,6 +145,7 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr updated := runner.DeepCopy() updated.Status.Phase = phase + updated.Status.Ready = ready updated.Status.Reason = pod.Status.Reason updated.Status.Message = pod.Status.Message @@ -155,6 +158,18 @@ func (r *RunnerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr return ctrl.Result{}, nil } +func runnerPodReady(pod *corev1.Pod) bool { + for _, c := range pod.Status.Conditions { + if c.Type != corev1.PodReady { + continue + } + + return c.Status == corev1.ConditionTrue + } + + return false +} + func runnerContainerExitCode(pod *corev1.Pod) *int32 { for _, status := range pod.Status.ContainerStatuses { if status.Name != containerName { diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 293051c3..0d6791c3 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -37,13 +37,23 @@ var ( }, { Dockerfile: "../../runner/Dockerfile", - Args: []testing.BuildArg{}, - Image: runnerImage, + Args: []testing.BuildArg{ + { + Name: "RUNNER_VERSION", + Value: "2.289.2", + }, + }, + Image: runnerImage, }, { Dockerfile: "../../runner/Dockerfile.dindrunner", - Args: []testing.BuildArg{}, - Image: runnerDindImage, + Args: []testing.BuildArg{ + { + Name: "RUNNER_VERSION", + Value: "2.289.2", + }, + }, + Image: runnerDindImage, }, } 
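Review bot: `runnerPodReady` is added without a doc comment, and its contract is not obvious from the name: it returns true only when a `PodReady` condition is present with status `ConditionTrue`, and false both when that condition is `False`/`Unknown` and when no such condition exists yet — which matters because the `runner.Status.Ready != ready` comparison in the first hunk of this file will now drive a status update on that transition. Suggest `// runnerPodReady reports whether pod carries a PodReady condition with status True; a missing condition counts as not ready.` above the function. The early-`continue` loop could be collapsed to a single `if c.Type == corev1.PodReady { return c.Status == corev1.ConditionTrue }`, but that is a matter of taste.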
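Review bot: The runner version `2.289.2` is now spelled out twice in this fixture, once per `BuildArg` entry, and the same value is maintained separately as `RUNNER_VERSION` in `.github/workflows/runners.yml` (patch 20 in this series), so the next automated bump will update the workflow and leave the e2e images behind. Hoist it into one `const runnerVersion = "2.289.2"` referenced from both entries, or read it from an environment variable with that default so the workflow and the suite share a single source. The enclosing `var (` block begins before the hunk.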
@@ -58,7 +68,7 @@ var ( } commonScriptEnv = []string{ - "SYNC_PERIOD=" + "10s", + "SYNC_PERIOD=" + "30m", "NAME=" + controllerImageRepo, "VERSION=" + controllerImageTag, "RUNNER_TAG=" + runnerImageTag, From 1d9347f4181ac65c9be53b3aaf469ec877137bae Mon Sep 17 00:00:00 2001 From: Yusuke Kuoka Date: Sun, 3 Apr 2022 18:15:39 +0900 Subject: [PATCH 24/24] chore: bump chart to latest (#1300) * chore: bump chart to latest Bumps the chart version along with the controller version. We bump the patch number for the chart as the release for the controller is a patch release. That's the same handling as we've done in the previous version https://github.com/actions-runner-controller/actions-runner-controller/commit/ecc8b4472abbc14f5695607eff6528c3b5165d6e As always, be sure to upgrade CRDs before updating the controller version! Otherwise it can break in interesting ways. * docs: expand on CRD upgrade requirement Co-authored-by: Callum Tait <15716903+toast-gear@users.noreply.github.com> --- charts/actions-runner-controller/Chart.yaml | 4 ++-- charts/actions-runner-controller/docs/UPGRADING.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/actions-runner-controller/Chart.yaml b/charts/actions-runner-controller/Chart.yaml index a87f1b48..9e89d500 100644 --- a/charts/actions-runner-controller/Chart.yaml +++ b/charts/actions-runner-controller/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.17.1 +version: 0.17.2 # Used as the default manager tag value when no tag property is provided in the values.yaml -appVersion: 0.22.1 +appVersion: 0.22.2 home: https://github.com/actions-runner-controller/actions-runner-controller 
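Review bot: `"SYNC_PERIOD=" + "30m"` looks like a deliberate choice — presumably so the suite only passes if runner pods are cleaned up by watch events rather than by the periodic resync, which is what the commit title claims to fix — but nothing in the fixture says so, and a later reader tuning test latency will be tempted to shorten it back. Add a why-comment on that line, e.g. `// Deliberately long: the suite must not rely on periodic resync to clean up runner pods (see #1291).` The enclosing `var (` block begins before the hunk.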
diff --git a/charts/actions-runner-controller/docs/UPGRADING.md b/charts/actions-runner-controller/docs/UPGRADING.md index d749849d..9cd22207 100644 --- a/charts/actions-runner-controller/docs/UPGRADING.md +++ b/charts/actions-runner-controller/docs/UPGRADING.md @@ -18,7 +18,7 @@ Due to the above you can't just do a `helm upgrade` to release the latest versio ## Steps -1. Upgrade CRDs +1. Upgrade CRDs, this isn't optional, the CRDs you are using must be those that correspond with the version of the controller you are installing ```shell # REMEMBER TO UPDATE THE CHART_VERSION TO RELEVANT CHART VERISON!!!!