Azure Key Vault integration to resolve secrets #4090
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nikola-jokic
force-pushed
the
nikola-jokic/key-vault
branch
from
f9c41ce to
f946cfd
Compare
nikola-jokic
force-pushed
the
nikola-jokic/key-vault
branch
from
323eb91 to
74ed8e6
Compare
…toscaling listener controller to search for app config instead of secret
nikola-jokic
added
the
gha-runner-scale-set
nikola-jokic
requested review from
mumoshu,
toast-gear,
rentziass and
a team
as code owners
There was a problem hiding this comment.
Pull Request Overview
This PR integrates Azure Key Vault as a new source for GitHub App credentials and refactors related configuration and CRD definitions.
- Updated the config reading flow to support context and vault lookups.
- Refactored naming from GitHubServerTLSConfig to TLSConfig and introduced vaultConfig support in charts and CRDs.
- Added tests and updated error messages for vault configuration and app credentials validation.
Reviewed Changes
Copilot reviewed 48 out of 48 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| cmd/ghalistener/main.go | Updates to context management and usage of the new config reading API |
| cmd/ghalistener/config/config.go | Modified config reading to support vault integration and pointer usage |
| cmd/ghalistener/config/config_validation_test.go | Updated expected error strings and added vault config tests |
| cmd/ghalistener/config/config_client_test.go | Added AppConfig to client configuration tests |
| cmd/ghalistener/app/app.go | Changed to use pointer for config and added config validation |
| charts/gha-runner-scale-set/values.yaml | Revised secret and vault configuration documentation in values file |
| charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml | Introduced vaultConfig block and error handling for unsupported vault types |
| CRD files | Added vaultConfig fields to CRDs |
| apis/actions.github.com/v1alpha1/* | Updated TLSConfig naming, deepcopy methods, and accessor methods; updated AppConfig integration |
Comments suppressed due to low confidence (1)
apis/actions.github.com/v1alpha1/ephemeralrunner_types.go:117
- Replacing the 'GitHubServerTLS' field with 'VaultConfig' in EphemeralRunnerSpec is inconsistent with the accessor method that expects a TLSConfig. This mismatch can lead to nil dereferences; please restore or correctly rename the field to maintain consistency.
- GitHubServerTLS *GitHubServerTLSConfig `json:"githubServerTLS,omitempty"`
charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml
Outdated
Show resolved
Hide resolved
rentziass
approved these changes
Jun 11, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds the ability to use Azure Key Vault when resolving GitHub secrets. It would be beneficial to users who don't want to use kuberenetes secrets with GitHub PAT or App credentials.
Other secrets, such as proxy credentials, listener configuration, and runner JIT tokens, are still stored as kubernetes secrets.