support github auth mode and release v0.8.0 (#40)

* support github auth mode and release v0.8.0 * cosmetics * simplify role-setup * quote
evryfs · Jan 3, 2021 · a9a0f6d · a9a0f6d
1 parent 7faf059
commit a9a0f6d
Show file tree

Hide file tree

Showing 8 changed files with 59 additions and 89 deletions.
diff --git a/charts/github-actions-runner-operator/Chart.yaml b/charts/github-actions-runner-operator/Chart.yaml
@@ -30,11 +30,11 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.4.0
+version: 2.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v0.7.0
+appVersion: v0.8.0
 
 kubeVersion: ">=1.16.0-0"
diff --git a/charts/github-actions-runner-operator/crds/garo.tietoevry.com_githubactionrunners.yaml b/charts/github-actions-runner-operator/crds/garo.tietoevry.com_githubactionrunners.yaml
@@ -43,6 +43,13 @@ spec:
           spec:
             description: GithubActionRunnerSpec defines the desired state of GithubActionRunner
             properties:
+              deletionOrder:
+                default: LeastRecent
+                description: What order to delete idle pods in
+                enum:
+                - MostRecent
+                - LeastRecent
+                type: string
               maxRunners:
                 description: Maximum pool-size. Must be greater or equal to minRunners
                 minimum: 1
@@ -6309,7 +6316,8 @@ spec:
                 description: Optional Github repository name, if repo scoped.
                 type: string
               tokenRef:
-                description: SecretKeySelector selects a key of a Secret.
+                description: PAT to un/register runners. Required if the operator
+                  is not running in github-application mode.
                 properties:
                   key:
                     description: The key of the secret to select from.  Must be a
@@ -6330,7 +6338,6 @@ spec:
             - minRunners
             - organization
             - podTemplateSpec
-            - tokenRef
             type: object
           status:
             description: GithubActionRunnerStatus defines the observed state of GithubActionRunner

diff --git a/charts/github-actions-runner-operator/templates/_helpers.tpl b/charts/github-actions-runner-operator/templates/_helpers.tpl
@@ -64,6 +64,10 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{- define "github-actions-runner-operator.secretName" -}}
+{{- default (include "github-actions-runner-operator.fullname" .) .Values.githubapp.existingSecret }}
+{{- end }}
+
 {{/*
 Specifies the name watch namespace to use
 */}}

diff --git a/charts/github-actions-runner-operator/templates/deployment.yaml b/charts/github-actions-runner-operator/templates/deployment.yaml
@@ -2,41 +2,39 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "github-actions-runner-operator.fullname" . }}
-  labels:
-    {{- include "github-actions-runner-operator.labels" . | nindent 4 }}
+  labels: {{- include "github-actions-runner-operator.labels" . | nindent 4 }}
 spec:
   replicas: 1
   strategy:
     type: Recreate
   selector:
-    matchLabels:
-      {{- include "github-actions-runner-operator.selectorLabels" . | nindent 6 }}
+    matchLabels: {{- include "github-actions-runner-operator.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-    {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-    {{- end }}
-      labels:
-        {{- include "github-actions-runner-operator.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels: {{- include "github-actions-runner-operator.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
+      imagePullSecrets: {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "github-actions-runner-operator.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
             - /manager
           args:
             - --enable-leader-election
+          {{- if .Values.githubapp.enabled }}
+          envFrom:
+            - secretRef:
+                name: {{ include "github-actions-runner-operator.secretName" . }}
+          {{- end }}
           env:
             - name: WATCH_NAMESPACE
               value: {{ template "github-actions-runner-operator.watchNamespace" . }}
@@ -55,17 +53,13 @@ spec:
             httpGet:
               path: /readyz
               port: health-probe
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
+      affinity: {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
+      tolerations: {{- toYaml . | nindent 8 }}
       {{- end }}
diff --git a/charts/github-actions-runner-operator/templates/role.yaml b/charts/github-actions-runner-operator/templates/role.yaml
@@ -14,72 +14,20 @@ rules:
   - ""
   resources:
   - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - secrets
+  - configmaps
+  - configmaps/status
   verbs:
-  - get
-  - list
-  - watch
+  - '*'
 - apiGroups:
   - garo.tietoevry.com
   resources:
   - githubactionrunners
   - githubactionrunners/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - garo.tietoevry.com
-  resources:
   - githubactionrunners/status
   verbs:
-  - get
-  - delete
-  - patch
-  - update
+  - '*'
 # permissions to do leader election.
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - configmaps/status
-  verbs:
-  - get
-  - update
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
 - apiGroups:
   - coordination.k8s.io
   resources:

diff --git a/charts/github-actions-runner-operator/templates/secret.yaml b/charts/github-actions-runner-operator/templates/secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.githubapp.enabled }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "github-actions-runner-operator.fullname" . }}
+  labels: {{- include "github-actions-runner-operator.labels" . | nindent 4 }}
+stringData:
+  GITHUB_APP_INTEGRATION_ID: {{ .Values.githubapp.integrationId | quote }}
+data:
+  GITHUB_APP_PRIVATE_KEY: |-
+    {{ .Values.githubapp.privateKey | b64enc }}
+{{- end }}
diff --git a/charts/github-actions-runner-operator/templates/serviceaccount.yaml b/charts/github-actions-runner-operator/templates/serviceaccount.yaml
@@ -3,10 +3,8 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "github-actions-runner-operator.serviceAccountName" . }}
-  labels:
-    {{- include "github-actions-runner-operator.labels" . | nindent 4 }}
+  labels: {{- include "github-actions-runner-operator.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
+  annotations: {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
diff --git a/charts/github-actions-runner-operator/values.yaml b/charts/github-actions-runner-operator/values.yaml
@@ -6,7 +6,7 @@ image:
   repository: quay.io/evryfs/github-actions-runner-operator
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart version.
-  tag: v0.7.0
+  tag: v0.8.0
 
 imagePullSecrets: []
 nameOverride: ""
@@ -59,3 +59,9 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+githubapp:
+  enabled: false
+  integrationId: ""
+  privateKey:
+  existingSecret: ""