From 2b39602b1c665181b4e37cafaab6da7639344bee Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Fri, 14 Feb 2025 19:12:11 +0100 Subject: [PATCH 1/5] Add custom labels and annotations on all resources created by the chart --- .../templates/autoscalingrunnerset.yaml | 17 ++ .../templates/githubsecret.yaml | 18 ++ .../templates/kube_mode_role.yaml | 20 ++ .../templates/kube_mode_role_binding.yaml | 21 ++ .../templates/kube_mode_serviceaccount.yaml | 28 ++- .../templates/manager_role.yaml | 18 ++ .../templates/manager_role_binding.yaml | 18 ++ .../no_permission_serviceaccount.yaml | 18 ++ .../tests/template_test.go | 234 +++++++++++++++--- ...etes_mode_service_account_annotations.yaml | 8 - charts/gha-runner-scale-set/values.yaml | 65 ++++- 11 files changed, 414 insertions(+), 51 deletions(-) delete mode 100644 charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml diff --git a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml index 39ebfef800..c5ad2e3806 100644 --- a/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml +++ b/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml @@ -1,3 +1,4 @@ +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.autoscalingRunnerSet) }} apiVersion: actions.github.com/v1alpha1 kind: AutoscalingRunnerSet metadata: 
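Review bot: The added first line, `$hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.autoscalingRunnerSet)`, is only safe when `and` short-circuits, which Go templates do from Go 1.18 on. On a Helm binary built with an older toolchain the second operand is still evaluated, so rendering presumably fails with a nil-pointer error whenever `resourceMeta` is unset, which is the default because values.yaml ships it commented out. The same expression opens every template touched by this patch. A form that does not depend on evaluation order is `{{- $resourceMeta := (.Values.resourceMeta | default dict).autoscalingRunnerSet | default dict }}` followed by `{{- with $resourceMeta.labels }}`. If a newer Helm is meant to be a hard requirement (the last commit in this series moves the lint job from v3.8.0 to v3.17.0), the chart's documentation should say so.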
@@ -10,9 +11,25 @@ metadata: name: {{ include "gha-runner-scale-set.scale-set-name" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.autoscalingRunnerSet.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} app.kubernetes.io/component: "autoscaling-runner-set" {{- include "gha-runner-scale-set.labels" . | nindent 4 }} annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.autoscalingRunnerSet.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }} {{- $containerMode := .Values.containerMode }} {{- if not (kindIs "string" .Values.githubConfigSecret) }} diff --git a/charts/gha-runner-scale-set/templates/githubsecret.yaml b/charts/gha-runner-scale-set/templates/githubsecret.yaml index 67282c182b..4cee466948 100644 --- a/charts/gha-runner-scale-set/templates/githubsecret.yaml +++ b/charts/gha-runner-scale-set/templates/githubsecret.yaml 
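Review bot: In both the `labels:` and `annotations:` blocks the user-supplied maps are written into the same YAML mapping ahead of the chart's own keys, so a value that reuses a reserved key (for example `actions.github.com/values-hash`, or anything emitted by `gha-runner-scale-set.labels`) renders as a duplicate key. The "will not override" promise then holds only while every consumer of the manifest keeps the last occurrence; strict YAML parsers and some lint or policy tools reject duplicate keys outright. Merging the maps in the template and rendering once makes the precedence explicit. The sketch below covers `labels:` and assumes the helper renders a plain mapping; `annotations:` can follow the same shape. The same ordering pattern is repeated in the githubsecret, kube_mode_*, manager_* and no_permission_serviceaccount hunks, and the `metadata:` block continues outside this hunk.

```yaml
  labels:
    {{- /* later arguments win: global < per-resource < chart-reserved */ -}}
    {{- $perResource := dict }}
    {{- if $hasCustomResourceMeta }}
    {{- $perResource = .Values.resourceMeta.autoscalingRunnerSet.labels | default dict }}
    {{- end }}
    {{- $reserved := include "gha-runner-scale-set.labels" . | fromYaml }}
    {{- $reserved = merge $reserved (dict "app.kubernetes.io/component" "autoscaling-runner-set") }}
    {{- mergeOverwrite (dict) (.Values.labels | default dict) $perResource $reserved | toYaml | nindent 4 }}
  # … unchanged: annotations block …
```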
@@ -1,11 +1,29 @@ {{- if not (kindIs "string" .Values.githubConfigSecret) }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.githubConfigSecret) }} apiVersion: v1 kind: Secret metadata: name: {{ include "gha-runner-scale-set.githubsecret" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.githubConfigSecret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.githubConfigSecret.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection data: diff --git a/charts/gha-runner-scale-set/templates/kube_mode_role.yaml b/charts/gha-runner-scale-set/templates/kube_mode_role.yaml index e82d7b7713..1180546ebb 100644 --- a/charts/gha-runner-scale-set/templates/kube_mode_role.yaml +++ b/charts/gha-runner-scale-set/templates/kube_mode_role.yaml @@ -1,4 +1,5 @@ {{- $containerMode := .Values.containerMode }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRole) }} {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} # default permission for runner pod service account in kubernetes mode (container hook) apiVersion: rbac.authorization.k8s.io/v1 
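Review bot: The new `annotations:` key in githubsecret.yaml is emitted unconditionally, so a default install renders it with a null value; the same holds for the kube_mode_role, kube_mode_role_binding, manager_role, manager_role_binding and no_permission_serviceaccount hunks. The API server accepts that, but diff-based tooling may report it as noise (an assumption worth checking), and kube_mode_serviceaccount.yaml in this patch already wraps the key in a condition. Using one guard everywhere, such as `{{- if or .Values.annotations $hasCustomResourceMeta }}` before `annotations:` and `{{- end }}` after the block, keeps the rendered manifests consistent.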
@@ -6,6 +7,25 @@ kind: Role metadata: name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRole.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRole.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection rules: diff --git a/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml b/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml index 060b9399e5..9c7f0f41bb 100644 --- a/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml +++ b/charts/gha-runner-scale-set/templates/kube_mode_role_binding.yaml 
@@ -1,10 +1,31 @@ {{- $containerMode := .Values.containerMode }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRoleBinding) }} {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "gha-runner-scale-set.kubeModeRoleBindingName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRoleBinding.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeRoleBinding.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection roleRef: diff --git a/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml index d0fa4b085c..f68ce25bff 100644 --- a/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml +++ b/charts/gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml 
@@ -1,18 +1,34 @@ {{- $containerMode := .Values.containerMode }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeServiceAccount) }} {{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "gha-runner-scale-set.kubeModeServiceAccountName" . }} namespace: {{ .Release.Namespace }} - {{- if .Values.containerMode.kubernetesModeServiceAccount }} - {{- with .Values.containerMode.kubernetesModeServiceAccount.annotations }} + + {{- if or .Values.annotations $hasCustomResourceMeta }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeServiceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- end }} - {{- end }} - finalizers: - - actions.github.com/cleanup-protection labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.kubernetesModeServiceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + + finalizers: + - actions.github.com/cleanup-protection {{- end }} diff --git a/charts/gha-runner-scale-set/templates/manager_role.yaml b/charts/gha-runner-scale-set/templates/manager_role.yaml index f6a1e49383..260e3c7861 100644 --- a/charts/gha-runner-scale-set/templates/manager_role.yaml +++ b/charts/gha-runner-scale-set/templates/manager_role.yaml 
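Review bot: Dropping the `.Values.containerMode.kubernetesModeServiceAccount.annotations` lookup has no fallback, so an existing values file that sets it still renders cleanly while the ServiceAccount silently loses those annotations on upgrade. The test values file deleted in this patch used that key for `eks.amazonaws.com/role-arn`, so the runner's cloud identity binding would presumably disappear without any error. Either keep reading the old key alongside `resourceMeta.kubernetesModeServiceAccount.annotations`, or stop the render inside the existing `if` with `{{- if .Values.containerMode.kubernetesModeServiceAccount }}{{- fail "containerMode.kubernetesModeServiceAccount moved to resourceMeta.kubernetesModeServiceAccount" }}{{- end }}`. Separately, the `or .Values.annotations $hasCustomResourceMeta` guard is also true when only `resourceMeta.kubernetesModeServiceAccount.labels` is set, which leaves an empty `annotations:` key.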
@@ -1,11 +1,29 @@ +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRole) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "gha-runner-scale-set.managerRoleName" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRole.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} app.kubernetes.io/component: manager-role + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRole.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection rules: diff --git a/charts/gha-runner-scale-set/templates/manager_role_binding.yaml b/charts/gha-runner-scale-set/templates/manager_role_binding.yaml index ce212f77e2..7b69cde131 100644 --- a/charts/gha-runner-scale-set/templates/manager_role_binding.yaml +++ b/charts/gha-runner-scale-set/templates/manager_role_binding.yaml 
@@ -1,11 +1,29 @@ +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.managerRoleBinding) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "gha-runner-scale-set.managerRoleBindingName" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRoleBinding.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} app.kubernetes.io/component: manager-role-binding + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.managerRoleBinding.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection roleRef: diff --git a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml index f7c9700f1a..9e0356b4df 100644 --- a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml +++ b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml @@ -1,4 +1,5 @@ {{- $containerMode := .Values.containerMode }} +{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.noPermissionServiceAccount) }} {{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} apiVersion: v1 kind: ServiceAccount 
@@ -6,7 +7,24 @@ metadata: name: {{ include "gha-runner-scale-set.noPermissionServiceAccountName" . }} namespace: {{ .Release.Namespace }} labels: + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.noPermissionServiceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} {{- include "gha-runner-scale-set.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $hasCustomResourceMeta }} + {{- with .Values.resourceMeta.noPermissionServiceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} finalizers: - actions.github.com/cleanup-protection {{- end }} diff --git a/charts/gha-runner-scale-set/tests/template_test.go b/charts/gha-runner-scale-set/tests/template_test.go index 070f1ef191..be21010be8 100644 --- a/charts/gha-runner-scale-set/tests/template_test.go +++ b/charts/gha-runner-scale-set/tests/template_test.go 
@@ -742,37 +742,6 @@ func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraInitContainers(t *testin assert.Equal(t, "ls", ars.Spec.Template.Spec.InitContainers[2].Command[0], "InitContainers[2] Command[0] should be ls") } -func TestTemplateRenderedKubernetesModeServiceAccountAnnotations(t *testing.T) { - t.Parallel() - - // Path to the helm chart we will test - helmChartPath, err := filepath.Abs("../../gha-runner-scale-set") - require.NoError(t, err) - - testValuesPath, err := filepath.Abs("../tests/values_kubernetes_mode_service_account_annotations.yaml") - require.NoError(t, err) - - releaseName := "test-runners" - namespaceName := "test-" + strings.ToLower(random.UniqueId()) - - options := &helm.Options{ - Logger: logger.Discard, - SetValues: map[string]string{ - "controllerServiceAccount.name": "arc", - "controllerServiceAccount.namespace": "arc-system", - }, - ValuesFiles: []string{testValuesPath}, - KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), - } - - output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"}) - - var sa corev1.ServiceAccount - helm.UnmarshalK8SYaml(t, output, &sa) - - assert.Equal(t, "arn:aws:iam::123456789012:role/sample-role", sa.Annotations["eks.amazonaws.com/role-arn"], "Annotations should be arn:aws:iam::123456789012:role/sample-role") -} - func TestTemplateRenderedAutoScalingRunnerSet_DinD_ExtraVolumes(t *testing.T) { t.Parallel() 
@@ -2143,3 +2112,206 @@ func TestAutoscalingRunnerSetAnnotationValuesHash(t *testing.T) { assert.NotEqual(t, firstHash, secondHash) assert.LessOrEqual(t, len(secondHash), 63) } + +func TestCustomLabels(t *testing.T) { + t.Parallel() + + // Path to the helm chart we will test + helmChartPath, err := filepath.Abs("../../gha-runner-scale-set") + require.NoError(t, err) + + releaseName := "test-runners" + namespaceName := "test-" + strings.ToLower(random.UniqueId()) + + options := &helm.Options{ + Logger: logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "controllerServiceAccount.name": "arc", + "containerMode.type": "kubernetes", + "controllerServiceAccount.namespace": "arc-system", + `labels.argocd\.argoproj\.io/sync-wave`: `"1"`, + `labels.app\.kubernetes\.io/part-of`: "no-override", // this shouldn't be overwritten + "resourceMeta.autoscalingRunnerSet.labels.ars-custom": "ars-custom-value", + "resourceMeta.githubConfigSecret.labels.gh-custom": "gh-custom-value", + "resourceMeta.kubernetesModeRole.labels.kmr-custom": "kmr-custom-value", + "resourceMeta.kubernetesModeRoleBinding.labels.kmrb-custom": "kmrb-custom-value", + "resourceMeta.kubernetesModeServiceAccount.labels.kmsa-custom": "kmsa-custom-value", + "resourceMeta.managerRole.labels.mr-custom": "mr-custom-value", + "resourceMeta.managerRoleBinding.labels.mrb-custom": "mrb-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"}) + + const targetLabel = "argocd.argoproj.io/sync-wave" + const wantCustomValue = `"1"` + const reservedLabel = "app.kubernetes.io/part-of" + const wantReservedValue = "gha-rs" + + var githubSecret corev1.Secret + helm.UnmarshalK8SYaml(t, output, &githubSecret) + assert.Equal(t, wantCustomValue, githubSecret.Labels[targetLabel]) + 
assert.Equal(t, wantReservedValue, githubSecret.Labels[reservedLabel]) + assert.Equal(t, "gh-custom-value", githubSecret.Labels["gh-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"}) + var role rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &role) + assert.Equal(t, wantCustomValue, role.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, role.Labels[reservedLabel]) + assert.Equal(t, "kmr-custom-value", role.Labels["kmr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"}) + var roleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &roleBinding) + assert.Equal(t, wantCustomValue, roleBinding.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, roleBinding.Labels[reservedLabel]) + assert.Equal(t, "kmrb-custom-value", roleBinding.Labels["kmrb-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"}) + var ars v1alpha1.AutoscalingRunnerSet + helm.UnmarshalK8SYaml(t, output, &ars) + assert.Equal(t, wantCustomValue, ars.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, ars.Labels[reservedLabel]) + assert.Equal(t, "ars-custom-value", ars.Labels["ars-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"}) + var serviceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &serviceAccount) + assert.Equal(t, wantCustomValue, serviceAccount.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, serviceAccount.Labels[reservedLabel]) + assert.Equal(t, "kmsa-custom-value", serviceAccount.Labels["kmsa-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"}) + var managerRole rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &managerRole) + assert.Equal(t, 
wantCustomValue, managerRole.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, managerRole.Labels[reservedLabel]) + assert.Equal(t, "mr-custom-value", managerRole.Labels["mr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"}) + var managerRoleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &managerRoleBinding) + assert.Equal(t, wantCustomValue, managerRoleBinding.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, managerRoleBinding.Labels[reservedLabel]) + assert.Equal(t, "mrb-custom-value", managerRoleBinding.Labels["mrb-custom"]) + + options = &helm.Options{ + Logger: logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "controllerServiceAccount.name": "arc", + "controllerServiceAccount.namespace": "arc-system", + `labels.argocd\.argoproj\.io/sync-wave`: `"1"`, + "resourceMeta.noPermissionServiceAccount.labels.npsa-custom": "npsa-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"}) + var noPermissionServiceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount) + assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Labels[targetLabel]) + assert.Equal(t, wantReservedValue, noPermissionServiceAccount.Labels[reservedLabel]) + assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Labels["npsa-custom"]) +} + +func TestCustomAnnotations(t *testing.T) { + t.Parallel() + + // Path to the helm chart we will test + helmChartPath, err := filepath.Abs("../../gha-runner-scale-set") + require.NoError(t, err) + + releaseName := "test-runners" + namespaceName := "test-" + strings.ToLower(random.UniqueId()) + + options := &helm.Options{ + Logger: 
logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "containerMode.type": "kubernetes", + "controllerServiceAccount.name": "arc", + "controllerServiceAccount.namespace": "arc-system", + `annotations.argocd\.argoproj\.io/sync-wave`: `"1"`, + "resourceMeta.autoscalingRunnerSet.annotations.ars-custom": "ars-custom-value", + "resourceMeta.githubConfigSecret.annotations.gh-custom": "gh-custom-value", + "resourceMeta.kubernetesModeRole.annotations.kmr-custom": "kmr-custom-value", + "resourceMeta.kubernetesModeRoleBinding.annotations.kmrb-custom": "kmrb-custom-value", + "resourceMeta.kubernetesModeServiceAccount.annotations.kmsa-custom": "kmsa-custom-value", + "resourceMeta.managerRole.annotations.mr-custom": "mr-custom-value", + "resourceMeta.managerRoleBinding.annotations.mrb-custom": "mrb-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + const targetAnnotations = "argocd.argoproj.io/sync-wave" + const wantCustomValue = `"1"` + + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/githubsecret.yaml"}) + + var githubSecret corev1.Secret + helm.UnmarshalK8SYaml(t, output, &githubSecret) + assert.Equal(t, wantCustomValue, githubSecret.Annotations[targetAnnotations]) + assert.Equal(t, "gh-custom-value", githubSecret.Annotations["gh-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role.yaml"}) + var role rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &role) + assert.Equal(t, wantCustomValue, role.Annotations[targetAnnotations]) + assert.Equal(t, "kmr-custom-value", role.Annotations["kmr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_role_binding.yaml"}) + var roleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &roleBinding) + assert.Equal(t, 
wantCustomValue, roleBinding.Annotations[targetAnnotations]) + assert.Equal(t, "kmrb-custom-value", roleBinding.Annotations["kmrb-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/autoscalingrunnerset.yaml"}) + var ars v1alpha1.AutoscalingRunnerSet + helm.UnmarshalK8SYaml(t, output, &ars) + assert.Equal(t, wantCustomValue, ars.Annotations[targetAnnotations]) + assert.Equal(t, "ars-custom-value", ars.Annotations["ars-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/kube_mode_serviceaccount.yaml"}) + var serviceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &serviceAccount) + assert.Equal(t, wantCustomValue, serviceAccount.Annotations[targetAnnotations]) + assert.Equal(t, "kmsa-custom-value", serviceAccount.Annotations["kmsa-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role.yaml"}) + var managerRole rbacv1.Role + helm.UnmarshalK8SYaml(t, output, &managerRole) + assert.Equal(t, wantCustomValue, managerRole.Annotations[targetAnnotations]) + assert.Equal(t, "mr-custom-value", managerRole.Annotations["mr-custom"]) + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/manager_role_binding.yaml"}) + var managerRoleBinding rbacv1.RoleBinding + helm.UnmarshalK8SYaml(t, output, &managerRoleBinding) + assert.Equal(t, wantCustomValue, managerRoleBinding.Annotations[targetAnnotations]) + assert.Equal(t, "mrb-custom-value", managerRoleBinding.Annotations["mrb-custom"]) + + options = &helm.Options{ + Logger: logger.Discard, + SetValues: map[string]string{ + "githubConfigUrl": "https://github.com/actions", + "githubConfigSecret.github_token": "gh_token12345", + "controllerServiceAccount.name": "arc", + "controllerServiceAccount.namespace": "arc-system", + `annotations.argocd\.argoproj\.io/sync-wave`: `"1"`, + 
"resourceMeta.noPermissionServiceAccount.annotations.npsa-custom": "npsa-custom-value", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName), + } + + output = helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/no_permission_serviceaccount.yaml"}) + var noPermissionServiceAccount corev1.ServiceAccount + helm.UnmarshalK8SYaml(t, output, &noPermissionServiceAccount) + assert.Equal(t, wantCustomValue, noPermissionServiceAccount.Annotations[targetAnnotations]) + assert.Equal(t, "npsa-custom-value", noPermissionServiceAccount.Annotations["npsa-custom"]) +} diff --git a/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml b/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml deleted file mode 100644 index cf0cc375a6..0000000000 --- a/charts/gha-runner-scale-set/tests/values_kubernetes_mode_service_account_annotations.yaml +++ /dev/null @@ -1,8 +0,0 @@ -githubConfigUrl: https://github.com/actions/actions-runner-controller -githubConfigSecret: - github_token: test -containerMode: - type: kubernetes - kubernetesModeServiceAccount: - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/sample-role diff --git a/charts/gha-runner-scale-set/values.yaml b/charts/gha-runner-scale-set/values.yaml index db3256b2fc..0dcef1575f 100644 --- a/charts/gha-runner-scale-set/values.yaml +++ b/charts/gha-runner-scale-set/values.yaml 
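Review bot: In `TestCustomLabels` the second `helm.Options` block (the one used for `no_permission_serviceaccount.yaml`) does not set the `part-of` label, so the `wantReservedValue` assertion there passes without exercising the no-override path; adding `"labels.app\\.kubernetes\\.io/part-of": "no-override",` to that map would make it meaningful. `TestCustomAnnotations` has no reserved-key case at all, for example a custom `actions.github.com/values-hash` that must not replace the computed hash on the AutoscalingRunnerSet. The expected label value `"1"` includes the quote characters, which is fine for an annotation but is not a valid Kubernetes label value, so the fixture only works because the test renders without applying. Terratest's `SetStrValues` with a bare `1` would avoid that.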
@@ -4,15 +4,15 @@ githubConfigUrl: "" ## githubConfigSecret is the k8s secret information to use when authenticating via the GitHub API. ## You can choose to supply: -## A) a PAT token, -## B) a GitHub App, or +## A) a PAT token, +## B) a GitHub App, or ## C) a pre-defined Kubernetes secret. ## The syntax for each of these variations is documented below. ## (Variation A) When using a PAT token, the syntax is as follows: githubConfigSecret: - # Example: + # Example: # github_token: "ghp_sampleSampleSampleSampleSampleSample" - github_token: "" + github_token: "" # ## (Variation B) When using a GitHub App, the syntax is as follows: # githubConfigSecret: @@ -100,8 +100,7 @@ githubConfigSecret: # resources: # requests: # storage: 1Gi -# kubernetesModeServiceAccount: -# annotations: +# ## listenerTemplate is the PodSpec for each listener Pod ## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec 
@@ -216,3 +215,57 @@ template: # controllerServiceAccount: # namespace: arc-system # name: test-arc-gha-runner-scale-set-controller + +## Optional annotations and labels applied to all resources created by helm installation +## +## Annotations applied to all resources created by this helm chart. Annotations will not override the default ones, so make sure +## the custom annotation is not reserved. +# annotations: +# key: value +## +## Labels applied to all resources created by this helm chart. Labels will not override the default ones, so make sure +## the custom label is not reserved. +# labels: +# key: value + +# resourceMeta: +# autoscalingRunnerSet: +# labels: +# key: value +# annotations: +# key: value +# githubConfigSecret: +# labels: +# key: value +# annotations: +# key: value +# kubernetesModeRole: +# labels: +# key: value +# annotations: +# key: value +# kubernetesModeRoleBinding: +# labels: +# key: value +# annotations: +# key: value +# kubernetesModeServiceAccount: +# labels: +# key: value +# annotations: +# key: value +# managerRole: +# labels: +# key: value +# annotations: +# key: value +# managerRoleBinding: +# labels: +# key: value +# annotations: +# key: value +# noPermissionServiceAccount: +# labels: +# key: value +# annotations: +# key: value From c350e190cdaa693fa1ed816d736d3790c7950cd7 Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Tue, 18 Feb 2025 10:27:17 +0100 Subject: [PATCH 2/5] rerun From 501af67aa125881408077aa12798a83e4cb3fca5 Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Tue, 18 Feb 2025 10:34:10 +0100 Subject: [PATCH 3/5] Document in chart resourceMeta --- charts/gha-runner-scale-set/values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/charts/gha-runner-scale-set/values.yaml b/charts/gha-runner-scale-set/values.yaml index 0dcef1575f..65882c062b 100644 --- a/charts/gha-runner-scale-set/values.yaml +++ b/charts/gha-runner-scale-set/values.yaml 
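Review bot: The new comment for the global `annotations` value should warn that it is copied onto every resource the chart creates, including whichever ServiceAccount is rendered and the GitHub config Secret. An identity-binding annotation such as `eks.amazonaws.com/role-arn` (the key the removed test values used) set globally would therefore also land on the no-permission ServiceAccount, which is presumably meant to carry no privileges. I would add `## Do not set identity- or permission-bearing annotations here; scope them to one resource with resourceMeta.<resource>.annotations.` above `# annotations:`. The phrase "will not override the default ones" could also name where the reserved keys are defined, so users can check for collisions.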
@@ -228,6 +228,12 @@ template: # labels: # key: value +## If you want more fine-grained control over annotations applied to particular resource created by this chart, +## you can use `resourceMeta`. +## Order of applying labels and annotations is: +## 1. Apply labels/annotations globally, using `annotations` and `labels` field +## 2. Apply `resourceMeta` labels/annotations +## 3. Apply reserved labels/annotations # resourceMeta: # autoscalingRunnerSet: # labels: From f2cf119fc3e21b01c93c3c634df19e54acda231b Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Tue, 18 Feb 2025 11:37:17 +0100 Subject: [PATCH 4/5] push has custom resource meta to the top --- .../templates/no_permission_serviceaccount.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml index 9e0356b4df..06d4a1cb11 100644 --- a/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml +++ b/charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml @@ -1,5 +1,5 @@ -{{- $containerMode := .Values.containerMode }} {{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.noPermissionServiceAccount) }} +{{- $containerMode := .Values.containerMode }} {{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }} apiVersion: v1 kind: ServiceAccount From 51401b8179a8253b74d4c2aa8152a4f0c33beff6 Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Mon, 3 Mar 2025 12:44:28 +0100 Subject: [PATCH 5/5] Remove kube score and bump helm version used for linting --- .github/workflows/gha-validate-chart.yaml | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/.github/workflows/gha-validate-chart.yaml b/.github/workflows/gha-validate-chart.yaml index 70a67de2fc..a33fd74e4e 100644 --- a/.github/workflows/gha-validate-chart.yaml 
+++ b/.github/workflows/gha-validate-chart.yaml @@ -18,7 +18,7 @@ on: workflow_dispatch: env: KUBE_SCORE_VERSION: 1.16.1 - HELM_VERSION: v3.8.0 + HELM_VERSION: v3.17.0 permissions: contents: read @@ -46,22 +46,6 @@ jobs: with: version: ${{ env.HELM_VERSION }} - - name: Set up kube-score - run: | - wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score - chmod 755 kube-score - - - name: Kube-score generated manifests - run: helm template --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - - --ignore-test pod-networkpolicy - --ignore-test deployment-has-poddisruptionbudget - --ignore-test deployment-has-host-podantiaffinity - --ignore-test container-security-context - --ignore-test pod-probes - --ignore-test container-image-tag - --enable-optional-test container-security-context-privileged - --enable-optional-test container-security-context-readonlyrootfilesystem - # python is a requirement for the chart-testing action below (supports yamllint among other tests) - uses: actions/setup-python@v5 with: