## githubConfigUrl is the GitHub url for where you want to configure runners ## ex: https://github.com/myorg/myrepo or https://github.com/myorg githubConfigUrl: "" ## githubConfigSecret is the k8s secrets to use when auth with GitHub API. ## You can choose to use GitHub App or a PAT token githubConfigSecret: ### GitHub Apps Configuration ## NOTE: IDs MUST be strings, use quotes #github_app_id: "" #github_app_installation_id: "" #github_app_private_key: | ### GitHub PAT Configuration github_token: "" ## If you have a pre-define Kubernetes secret in the same namespace the gha-runner-scale-set is going to deploy, ## you can also reference it via `githubConfigSecret: pre-defined-secret`. ## You need to make sure your predefined secret has all the required secret data set properly. ## For a pre-defined secret using GitHub PAT, the secret needs to be created like this: ## > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_token='ghp_your_pat' ## For a pre-defined secret using GitHub App, the secret needs to be created like this: ## > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_app_id=123456 --from-literal=github_app_installation_id=654321 --from-literal=github_app_private_key='-----BEGIN CERTIFICATE-----*******' # githubConfigSecret: pre-defined-secret ## proxy can be used to define proxy settings that will be used by the ## controller, the listener and the runner of this scale set. # # proxy: # http: # url: http://proxy.com:1234 # credentialSecretRef: proxy-auth # a secret with `username` and `password` keys # https: # url: http://proxy.com:1234 # credentialSecretRef: proxy-auth # a secret with `username` and `password` keys # noProxy: # - example.com # - example.org ## maxRunners is the max number of runners the autoscaling runner set will scale up to. # maxRunners: 5 ## minRunners is the min number of runners the autoscaling runner set will scale down to. # minRunners: 0 # runnerGroup: "default" ## name of the runner scale set to create. Defaults to the helm release name # runnerScaleSetName: "" ## A self-signed CA certificate for communication with the GitHub server can be ## provided using a config map key selector. If `runnerMountPath` is set, for ## each runner pod ARC will: ## - create a `github-server-tls-cert` volume containing the certificate ## specified in `certificateFrom` ## - mount that volume on path `runnerMountPath`/{certificate name} ## - set NODE_EXTRA_CA_CERTS environment variable to that same path ## - set RUNNER_UPDATE_CA_CERTS environment variable to "1" (as of version ## 2.303.0 this will instruct the runner to reload certificates on the host) ## ## If any of the above had already been set by the user in the runner pod ## template, ARC will observe those and not overwrite them. ## Example configuration: # # githubServerTLS: # certificateFrom: # configMapKeyRef: # name: config-map-name # key: ca.crt # runnerMountPath: /usr/local/share/ca-certificates/ ## Container mode is an object that provides out-of-box configuration ## for dind and kubernetes mode. Template will be modified as documented under the ## template object. ## ## If any customization is required for dind or kubernetes mode, containerMode should remain ## empty, and configuration should be applied to the template. # containerMode: # type: "dind" ## type can be set to dind or kubernetes # ## the following is required when containerMode.type=kubernetes # kubernetesModeWorkVolumeClaim: # accessModes: ["ReadWriteOnce"] # # For local testing, use https://github.com/openebs/dynamic-localpv-provisioner/blob/develop/docs/quickstart.md to provide dynamic provision volume with storageClassName: openebs-hostpath # storageClassName: "dynamic-blob-storage" # resources: # requests: # storage: 1Gi ## template is the PodSpec for each listener Pod ## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec # listenerTemplate: # spec: # containers: # # Use this section to append additional configuration to the listener container. # # If you change the name of the container, the configuration will not be applied to the listener, # # and it will be treated as a side-car container. # - name: listener # securityContext: # runAsUser: 1000 # # Use this section to add the configuration of a side-car container. # # Comment it out or remove it if you don't need it. # # Spec for this container will be applied as is without any modifications. # - name: side-car # image: example-sidecar ## template is the PodSpec for each runner Pod ## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec template: ## template.spec will be modified if you change the container mode ## with containerMode.type=dind, we will populate the template.spec with following pod spec ## template: ## spec: ## initContainers: ## - name: init-dind-externals ## image: ghcr.io/actions/actions-runner:latest ## command: ["cp", "-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"] ## volumeMounts: ## - name: dind-externals ## mountPath: /home/runner/tmpDir ## containers: ## - name: runner ## image: ghcr.io/actions/actions-runner:latest ## command: ["/home/runner/run.sh"] ## env: ## - name: DOCKER_HOST ## value: tcp://localhost:2376 ## - name: DOCKER_TLS_VERIFY ## value: "1" ## - name: DOCKER_CERT_PATH ## value: /certs/client ## volumeMounts: ## - name: work ## mountPath: /home/runner/_work ## - name: dind-cert ## mountPath: /certs/client ## readOnly: true ## - name: dind ## image: docker:dind ## securityContext: ## privileged: true ## volumeMounts: ## - name: work ## mountPath: /home/runner/_work ## - name: dind-cert ## mountPath: /certs/client ## - name: dind-externals ## mountPath: /home/runner/externals ## volumes: ## - name: work ## emptyDir: {} ## - name: dind-cert ## emptyDir: {} ## - name: dind-externals ## emptyDir: {} ###################################################################################################### ## with containerMode.type=kubernetes, we will populate the template.spec with following pod spec ## template: ## spec: ## containers: ## - name: runner ## image: ghcr.io/actions/actions-runner:latest ## command: ["/home/runner/run.sh"] ## env: ## - name: ACTIONS_RUNNER_CONTAINER_HOOKS ## value: /home/runner/k8s/index.js ## - name: ACTIONS_RUNNER_POD_NAME ## valueFrom: ## fieldRef: ## fieldPath: metadata.name ## - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER ## value: "true" ## volumeMounts: ## - name: work ## mountPath: /home/runner/_work ## volumes: ## - name: work ## ephemeral: ## volumeClaimTemplate: ## spec: ## accessModes: [ "ReadWriteOnce" ] ## storageClassName: "local-path" ## resources: ## requests: ## storage: 1Gi spec: containers: - name: runner image: ghcr.io/actions/actions-runner:latest command: ["/home/runner/run.sh"] ## Optional controller service account that needs to have required Role and RoleBinding ## to operate this gha-runner-scale-set installation. ## The helm chart will try to find the controller deployment and its service account at installation time. ## In case the helm chart can't find the right service account, you can explicitly pass in the following value ## to help it finish RoleBinding with the right service account. ## Note: if your controller is installed to only watch a single namespace, you have to pass these values explicitly. # controllerServiceAccount: # namespace: arc-system # name: test-arc-gha-runner-scale-set-controller