Allow provide pre-defined kubernetes secret when helm-install AutoScalingRunnerSet (#2234)

charts/auto-scaling-runner-set/templates/_helpers.tpl

@@ -51,8 +51,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{- define "auto-scaling-runner-set.githubsecret" -}}
+  {{- if kindIs "string" .Values.githubConfigSecret }}
+    {{- if not (empty .Values.githubConfigSecret) }}
+{{- .Values.githubConfigSecret }}
+    {{- else}}
+{{- fail "Values.githubConfigSecret is required for setting auth with GitHub server." }}
+    {{- end }}
+  {{- else }}
 {{- include "auto-scaling-runner-set.fullname" . }}-github-secret
   {{- end }}
+{{- end }}
 
 {{- define "auto-scaling-runner-set.noPermissionServiceAccountName" -}}
 {{- include "auto-scaling-runner-set.fullname" . }}-no-permission-service-account

charts/auto-scaling-runner-set/templates/githubsecret.yaml

@@ -1,3 +1,4 @@
+{{- if not (kindIs "string" .Values.githubConfigSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -35,3 +36,4 @@ data:
   {{- if and $hasAppId (or (not $hasInstallationId) (not $hasPrivateKey)) }}
     {{- fail "A valid .Values.githubConfigSecret is required for setting auth with GitHub server, provide .Values.githubConfigSecret.github_app_installation_id and .Values.githubConfigSecret.github_app_private_key." }}
   {{- end }}
+{{- end}}

charts/auto-scaling-runner-set/tests/template_test.go

@@ -124,6 +124,28 @@ func TestTemplateRenderedGitHubSecretErrorWithMissingAppInput(t *testing.T) {
 	assert.ErrorContains(t, err, "provide .Values.githubConfigSecret.github_app_installation_id and .Values.githubConfigSecret.github_app_private_key")
 }
 
+func TestTemplateNotRenderedGitHubSecretWithPredefinedSecret(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../auto-scaling-runner-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"githubConfigUrl":    "https://github.com/actions",
+			"githubConfigSecret": "pre-defined-secret",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	_, err = helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"})
+	assert.ErrorContains(t, err, "could not find template templates/githubsecret.yaml in chart", "secret should not be rendered since a pre-defined secret is provided")
+}
+
 func TestTemplateRenderedSetServiceAccountToNoPermission(t *testing.T) {
 	t.Parallel()
 
@@ -631,3 +653,59 @@ func TestTemplateRenderedAutoScalingRunnerSet_EnableKubernetesMode(t *testing.T)
 	assert.Equal(t, "work", ars.Spec.Template.Spec.Volumes[0].Name)
 	assert.NotNil(t, ars.Spec.Template.Spec.Volumes[0].Ephemeral, "Template.Spec should have 1 ephemeral volume")
 }
+
+func TestTemplateRenderedAutoScalingRunnerSet_UsePredefinedSecret(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../auto-scaling-runner-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"githubConfigUrl":    "https://github.com/actions",
+			"githubConfigSecret": "pre-defined-secrets",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+
+	var ars v1alpha1.AutoscalingRunnerSet
+	helm.UnmarshalK8SYaml(t, output, &ars)
+
+	assert.Equal(t, namespaceName, ars.Namespace)
+	assert.Equal(t, "test-runners", ars.Name)
+
+	assert.Equal(t, "auto-scaling-runner-set", ars.Labels["app.kubernetes.io/name"])
+	assert.Equal(t, "test-runners", ars.Labels["app.kubernetes.io/instance"])
+	assert.Equal(t, "https://github.com/actions", ars.Spec.GitHubConfigUrl)
+	assert.Equal(t, "pre-defined-secrets", ars.Spec.GitHubConfigSecret)
+}
+
+func TestTemplateRenderedAutoScalingRunnerSet_ErrorOnEmptyPredefinedSecret(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../auto-scaling-runner-set")
+	require.NoError(t, err)
+
+	releaseName := "test-runners"
+	namespaceName := "test-" + strings.ToLower(random.UniqueId())
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"githubConfigUrl":    "https://github.com/actions",
+			"githubConfigSecret": "",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	_, err = helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"})
+	require.Error(t, err)
+
+	assert.ErrorContains(t, err, "Values.githubConfigSecret is required for setting auth with GitHub server")
+}

charts/auto-scaling-runner-set/values.yaml

@@ -13,6 +13,14 @@ githubConfigSecret:
 
   ### GitHub PAT Configuration
   github_token: ""
+## If you have a pre-define Kubernetes secret in the same namespace the auto-scaling-runner-set is going to deploy,
+## you can also reference it via `githubConfigSecret: pre-defined-secret`.
+## You need to make sure your predefined secret has all the required secret data set properly.
+##   For a pre-defined secret using GitHub PAT, the secret needs to be created like this:
+##   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_token='ghp_your_pat'
+##   For a pre-defined secret using GitHub App, the secret needs to be created like this:
+##   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_app_id=123456 --from-literal=github_app_installation_id=654321 --from-literal=github_app_private_key='-----BEGIN CERTIFICATE-----*******'
+# githubConfigSecret: pre-defined-secret
 
 ## maxRunners is the max number of runners the auto scaling runner set will scale up to.
 # maxRunners: 5