From 9bb21aef1f635ba6bb38f325bf36a103e3477040 Mon Sep 17 00:00:00 2001
From: Felipe Galindo Sanchez
Date: Tue, 14 Dec 2021 16:29:31 -0800
Subject: [PATCH] Add support for default image pull secret name (#921)

Resolves #896
Co-authored-by: Yusuke Kuoka
---
 charts/actions-runner-controller/README.md | 1 +
 .../templates/deployment.yaml | 3 +++
 charts/actions-runner-controller/values.yaml | 3 +++
 controllers/runner_controller.go | 14 +++++++++--
 controllers/runnerset_controller.go | 13 +++++-----
 main.go | 24 ++++++++++++++++---
 6 files changed, 47 insertions(+), 11 deletions(-)
diff --git a/charts/actions-runner-controller/README.md b/charts/actions-runner-controller/README.md
index 6bf5169cd3..2beb1242e7 100644
--- a/charts/actions-runner-controller/README.md
+++ b/charts/actions-runner-controller/README.md
@@ -31,6 +31,7 @@ All additional docs are kept in the `docs/` folder, this README is solely for do
 | `image.repository` | The "repository/image" of the controller container | summerwind/actions-runner-controller |
 | `image.tag` | The tag of the controller container | |
 | `image.actionsRunnerRepositoryAndTag` | The "repository/image" of the actions runner container | summerwind/actions-runner:latest |
+| `image.actionsRunnerImagePullSecrets` | Optional image pull secrets to be included in the runner pod's ImagePullSecrets | |
 | `image.dindSidecarRepositoryAndTag` | The "repository/image" of the dind sidecar container | docker:dind |
 | `image.pullPolicy` | The pull policy of the controller image | IfNotPresent |
 | `metrics.serviceMonitor` | Deploy serviceMonitor kind for for use with prometheus-operator CRDs | false |
diff --git a/charts/actions-runner-controller/templates/deployment.yaml b/charts/actions-runner-controller/templates/deployment.yaml
index 3381353a89..594aaba769 100644
--- a/charts/actions-runner-controller/templates/deployment.yaml
+++ b/charts/actions-runner-controller/templates/deployment.yaml
@@ -46,6 +46,9 @@ spec:
 - "--sync-period={{ .Values.syncPeriod }}"
 - "--docker-image={{ .Values.image.dindSidecarRepositoryAndTag }}"
 - "--runner-image={{ .Values.image.actionsRunnerRepositoryAndTag }}"
+ {{- range .Values.image.actionsRunnerImagePullSecrets }}
+ - "--runner-image-pull-secret={{ . }}"
+ {{- end }}
 {{- if .Values.dockerRegistryMirror }}
 - "--docker-registry-mirror={{ .Values.dockerRegistryMirror }}"
 {{- end }}
diff --git a/charts/actions-runner-controller/values.yaml b/charts/actions-runner-controller/values.yaml
index 1a1a6724a6..d63fffb2a9 100644
--- a/charts/actions-runner-controller/values.yaml
+++ b/charts/actions-runner-controller/values.yaml
@@ -48,6 +48,9 @@ image:
 actionsRunnerRepositoryAndTag: "summerwind/actions-runner:latest"
 dindSidecarRepositoryAndTag: "docker:dind"
 pullPolicy: IfNotPresent
+ # The default image-pull secrets name for self-hosted runner container.
+ # It's added to spec.ImagePullSecrets of self-hosted runner pods.
+ actionsRunnerImagePullSecrets: []
 imagePullSecrets: []
 nameOverride: ""
diff --git a/controllers/runner_controller.go b/controllers/runner_controller.go
index 6af760e9b2..23dba62248 100644
--- a/controllers/runner_controller.go
+++ b/controllers/runner_controller.go
@@ -66,6 +66,7 @@ type RunnerReconciler struct {
 Scheme *runtime.Scheme
 GitHubClient *github.Client
 RunnerImage string
+ RunnerImagePullSecrets []string
 DockerImage string
 DockerRegistryMirror string
 Name string
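Review bot: The `range` block in deployment.yaml renders each entry of `image.actionsRunnerImagePullSecrets` with `{{ . }}`, so it only works for a list of bare secret names; an entry written in the pod-spec form (`- name: regcred`) would be printed as a Go map and handed to the controller as the secret name. The chart's top-level `imagePullSecrets` key sits directly below it in values.yaml and may well use the object form, so the difference is easy to miss. The values.yaml comment should say so, e.g. `# List of secret names (plain strings, e.g. ["regcred"]), not {name: ...} objects.`. It should also mention that the named secret has to exist in every namespace where runner pods are created, because a pod can only reference pull secrets in its own namespace.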
@@ -662,7 +663,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) { registrationOnly := metav1.HasAnnotation(runner.ObjectMeta, annotationKeyRegistrationOnly) - pod, err := newRunnerPod(template, runner.Spec.RunnerConfig, r.RunnerImage, r.DockerImage, r.DockerRegistryMirror, r.GitHubClient.GithubBaseURL, registrationOnly) + pod, err := newRunnerPod(template, runner.Spec.RunnerConfig, r.RunnerImage, r.RunnerImagePullSecrets, r.DockerImage, r.DockerRegistryMirror, r.GitHubClient.GithubBaseURL, registrationOnly) if err != nil { return pod, err } @@ -760,7 +761,7 @@ func mutatePod(pod *corev1.Pod, token string) *corev1.Pod { return updated } -func newRunnerPod(template corev1.Pod, runnerSpec v1alpha1.RunnerConfig, defaultRunnerImage, defaultDockerImage, defaultDockerRegistryMirror string, githubBaseURL string, registrationOnly bool) (corev1.Pod, error) { +func newRunnerPod(template corev1.Pod, runnerSpec v1alpha1.RunnerConfig, defaultRunnerImage string, defaultRunnerImagePullSecrets []string, defaultDockerImage, defaultDockerRegistryMirror string, githubBaseURL string, registrationOnly bool) (corev1.Pod, error) { var ( privileged bool = true dockerdInRunner bool = runnerSpec.DockerdWithinRunnerContainer != nil && *runnerSpec.DockerdWithinRunnerContainer @@ -903,6 +904,15 @@ func newRunnerPod(template corev1.Pod, runnerSpec v1alpha1.RunnerConfig, default }...) } + if len(pod.Spec.ImagePullSecrets) == 0 && len(defaultRunnerImagePullSecrets) > 0 { + // runner spec didn't provide custom values and default image pull secrets are provided + for _, imagePullSecret := range defaultRunnerImagePullSecrets { + pod.Spec.ImagePullSecrets = append(pod.Spec.ImagePullSecrets, corev1.LocalObjectReference{ + Name: imagePullSecret, + }) + } + } + if dockerRegistryMirror != "" && dockerdInRunner { runnerContainer.Env = append(runnerContainer.Env, []corev1.EnvVar{ { 
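Review bot: In the `newRunnerPod` hunk at `@@ -903`, the defaults are applied only when `pod.Spec.ImagePullSecrets` is empty, so a runner that sets even one pull secret of its own silently gets none of the controller-wide defaults. That precedence should be stated where it is decided, e.g. `// Defaults are all-or-nothing: any imagePullSecrets on the runner spec replace them entirely.`, and the `len(defaultRunnerImagePullSecrets) > 0` test can go because ranging over an empty slice is already a no-op. The condition does not look at which image the pod uses, so the default secret is presumably also attached when the runner spec overrides the image; operators should scope that registry credential with this in mind, and the flag documentation should say so. The function body starts and ends outside the hunk.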
diff --git a/controllers/runnerset_controller.go b/controllers/runnerset_controller.go index 1fa28aa28b..c02a033128 100644 --- a/controllers/runnerset_controller.go +++ b/controllers/runnerset_controller.go @@ -51,11 +51,12 @@ type RunnerSetReconciler struct { Recorder record.EventRecorder Scheme *runtime.Scheme - CommonRunnerLabels []string - GitHubBaseURL string - RunnerImage string - DockerImage string - DockerRegistryMirror string + CommonRunnerLabels []string + GitHubBaseURL string + RunnerImage string + RunnerImagePullSecrets []string + DockerImage string + DockerRegistryMirror string } // +kubebuilder:rbac:groups=actions.summerwind.dev,resources=runnersets,verbs=get;list;watch;create;update;patch;delete @@ -259,7 +260,7 @@ func (r *RunnerSetReconciler) newStatefulSet(runnerSet *v1alpha1.RunnerSet) (*ap Spec: runnerSetWithOverrides.StatefulSetSpec.Template.Spec, } - pod, err := newRunnerPod(template, runnerSet.Spec.RunnerConfig, r.RunnerImage, r.DockerImage, r.DockerRegistryMirror, r.GitHubBaseURL, false) + pod, err := newRunnerPod(template, runnerSet.Spec.RunnerConfig, r.RunnerImage, r.RunnerImagePullSecrets, r.DockerImage, r.DockerRegistryMirror, r.GitHubBaseURL, false) if err != nil { return nil, err } diff --git a/main.go b/main.go index bec04a2dda..439555a15e 100644 --- a/main.go +++ b/main.go @@ -58,6 +58,17 @@ func init() { // +kubebuilder:scaffold:scheme } +type stringSlice []string + +func (i *stringSlice) String() string { + return fmt.Sprintf("%v", *i) +} + +func (i *stringSlice) Set(value string) error { + *i = append(*i, value) + return nil +} + func main() { var ( err error @@ -70,7 +81,9 @@ func main() { gitHubAPICacheDuration time.Duration - runnerImage string + runnerImage string + runnerImagePullSecrets stringSlice + dockerImage string dockerRegistryMirror string namespace string 
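Review bot: `stringSlice.Set` in main.go appends whatever it is given, so `--runner-image-pull-secret=` (or an empty entry in the chart's list) adds an empty name that `newRunnerPod` then copies into the pull-secret list of every runner pod that has none of its own. Rejecting it at parse time is cheap: `if value == "" { return fmt.Errorf("value must not be empty") }` before the append. The type and its two methods also lack a doc comment saying they implement `flag.Value` for a repeatable flag, and the receiver name `i` reads like an index; `s` would be more conventional.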
@@ -92,6 +105,7 @@ func main() {
 flag.StringVar(&leaderElectionId, "leader-election-id", "actions-runner-controller", "Controller id for leader election.")
 flag.StringVar(&runnerImage, "runner-image", defaultRunnerImage, "The image name of self-hosted runner container.")
 flag.StringVar(&dockerImage, "docker-image", defaultDockerImage, "The image name of docker sidecar container.")
+ flag.Var(&runnerImagePullSecrets, "runner-image-pull-secret", "The default image-pull secret name for self-hosted runner container.")
 flag.StringVar(&dockerRegistryMirror, "docker-registry-mirror", "", "The default Docker Registry Mirror used by runners.")
 flag.StringVar(&c.Token, "github-token", c.Token, "The personal access token of GitHub.")
 flag.Int64Var(&c.AppID, "github-app-id", c.AppID, "The application ID of GitHub App.")
@@ -147,9 +161,11 @@ func main() {
 Log: log.WithName("runner"),
 Scheme: mgr.GetScheme(),
 GitHubClient: ghClient,
- RunnerImage: runnerImage,
 DockerImage: dockerImage,
 DockerRegistryMirror: dockerRegistryMirror,
+ // Defaults for self-hosted runner containers
+ RunnerImage: runnerImage,
+ RunnerImagePullSecrets: runnerImagePullSecrets,
 }
 if err = runnerReconciler.SetupWithManager(mgr); err != nil {
@@ -186,10 +202,12 @@ func main() {
 Log: log.WithName("runnerset"),
 Scheme: mgr.GetScheme(),
 CommonRunnerLabels: commonRunnerLabels,
- RunnerImage: runnerImage,
 DockerImage: dockerImage,
 DockerRegistryMirror: dockerRegistryMirror,
 GitHubBaseURL: ghClient.GithubBaseURL,
+ // Defaults for self-hosted runner containers
+ RunnerImage: runnerImage,
+ RunnerImagePullSecrets: runnerImagePullSecrets,
 }
 if err = runnerSetReconciler.SetupWithManager(mgr); err != nil {
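Review bot: The help text for `runner-image-pull-secret` in the `@@ -92` hunk does not say that the flag can be given more than once, although it is registered with `flag.Var` on a slice type and the Helm template emits one flag per list entry. It also does not say that the value is only a fallback. Suggest `"Name of an image-pull secret added to runner pods that set none of their own. May be repeated."`. The two reconciler literals at `@@ -147` and `@@ -186` are assigned the same slice, which is fine while it is only read; a short comment there saying it must not be mutated would keep it that way.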