Repo sync #38878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from Jun 12, 2025
Expand Up @@ -39,12 +39,10 @@ While ARC may be deployed successfully with different tooling and configurations
* Installation tooling other than Helm
* Service account and/or template spec customization

If you're uncertain if the issue is out of scope, open a ticket and we're happy to help you determine the best way to proceed.

For more information about contacting {% data variables.contact.github_support %}, see [AUTOTITLE](/support/contacting-github-support).

> [!NOTE]
> * OpenShift clusters are currently unsupported.
> * OpenShift clusters are in public preview. See guidance from [Red Hat](https://developers.redhat.com/articles/2025/02/17/how-securely-deploy-github-arc-openshift#arc_architecture) for configuration recommendations.
> * ARC is only supported on GitHub Enterprise Server versions 3.9 and greater.

## Working with {% data variables.contact.github_support %} for Actions Runner Controller
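Review bot: the NOTE in this hunk carries both "OpenShift clusters are currently unsupported." and "OpenShift clusters are in public preview.", and the rendered view has dropped the +/- markers; confirm that the "unsupported" bullet is the removed line and only the public preview bullet survives, otherwise the note contradicts itself. The new bullet also defers configuration recommendations to an external Red Hat article; since the support-scope list above excludes installation tooling other than Helm and service account or template spec customization, consider stating whether an OpenShift deployment that follows that external guide stays within the support scope for ARC.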
Expand Up @@ -85,6 +85,108 @@ ARC can use {% data variables.product.pat_v1_plural %} to register self-hosted r

{% data reusables.actions.actions-runner-controller-helm-chart-options %}

## Authenticating ARC with vault secrets

> [!NOTE]
> Vault integration is currently available in public preview with support for Azure Key Vault.

Starting with gha-runner-scale-set version 0.12.0, ARC supports retrieving GitHub credentials from an external vault. Vault integration is configured per runner scale set. This means you can run some scale sets using Kubernetes secrets while others use vault-based secrets, depending on your security and operational requirements.

### Enabling Vault Integration

To enable vault integration for a runner scale set:

1. **Set the `githubConfigSecret` field** in your `values.yaml` file to the name of the secret key stored in your vault. This value must be a string.
1. **Uncomment and configure the `keyVault` section** in your `values.yaml` file with the appropriate provider and access details.
1. **Provide the required certificate** (`.pfx`) to both the controller and the listener. You can do this by:
*Rebuilding the controller image with the certificate included, or
*Mounting the certificate as a volume in both the controller and the listener using the `listenerTemplate` and `controllerManager` fields.

### Secret Format

The secret stored in Azure Key Vault must be in JSON format. The structure depends on the type of authentication you are using:

#### Example: GitHub Token

```json
{
"github_token": "TOKEN"
}
```

#### Example: GitHub App

```json
{
"github_app_id": "APP_ID_OR_CLIENT_ID",
"github_app_installation_id": "INSTALLATION_ID",
"github_app_private_key": "PRIVATE_KEY"
}
```

### Configuring `values.yaml` for Vault Integration

The certificate is stored as a .pfx file and mounted to the container at /akv/cert.pfx. Below is an example of how to configure the keyVault section to use this certificate for authentication:

```yaml
keyVault:
type: "azure_key_vault"
proxy:
https:
url: "PROXY_URL"
credentialSecretRef: "PROXY_CREDENTIALS_SECRET_NAME"
http: {}
noProxy: []
azureKeyVault:
clientId: <AZURE_CLIENT_ID>
tenantId: <AZURE_TENANT_ID>
url: <AZURE_VAULT_URL>
certificatePath: "/akv/cert.pfx"
```

### Providing the Certificate to the Controller and Listener

ARC requires a `.pfx` certificate to authenticate with the vault. This certificate must be made available to both the controller and the listener components during controller installation.
You can do this by mounting the certificate as a volume using the `controllerManager` and `listenerTemplate` fields in your `values.yaml` file:

```yaml
volumes:
- name: cert-volume
secret:
secretName: my-cert-secret
volumeMounts:
- mountPath: /akv
name: cert-volume
readOnly: true

listenerTemplate:
volumeMounts:
- name: cert-volume
mountPath: /akv/certs
readOnly: true
volumes:
- name: cert-volume
secret:
secretName: my-cert-secret
```

The code below is an example of a scale set `values.yml` file.

```yaml
listenerTemplate:
spec:
containers:
- name: listener
volumeMounts:
- name: cert-volume
mountPath: /akv
readOnly: true
volumes:
- name: cert-volume
secret:
secretName: my-cert-secret
```

## Legal notice

{% data reusables.actions.actions-runner-controller-legal-notice %}
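Review bot: the certificate mount paths in the "Providing the Certificate to the Controller and Listener" example do not agree with the `keyVault` configuration: `certificatePath` is `"/akv/cert.pfx"`, but the `listenerTemplate` block mounts `cert-volume` at `/akv/certs`, so the listener would look for the certificate in the wrong place; use `mountPath: /akv` in both, as the scale-set example at the end of the section does. In the same example the prose says the volumes go under the `controllerManager` and `listenerTemplate` fields, yet the controller `volumes` and `volumeMounts` appear at top level with no `controllerManager:` key, and `listenerTemplate.volumeMounts` is not the pod-spec shape (`listenerTemplate.spec.containers[].volumeMounts`) that the final example uses; either the prose or the example should change so the two examples share one structure. Smaller points: the sub-bullets under step 3 are written as `*Rebuilding` and `*Mounting` with no space after the asterisk, so they will not render as list items; `.pfx`, `/akv/cert.pfx` and `keyVault` in the paragraph before the first YAML block lack the code formatting used elsewhere in the section; the last paragraph says `values.yml` where the rest of the section says `values.yaml`; and the GitHub App secret format would benefit from one sentence on how `github_app_private_key` must be encoded, since a multi-line PEM key has to have its newlines escaped to be a valid JSON string. Finally, it is worth stating explicitly that vault integration moves the GitHub token or App private key out of Kubernetes secrets, but the vault client certificate (`my-cert-secret`) is still a Kubernetes secret that grants access to those credentials, so access to it should be restricted as tightly as the `githubConfigSecret` it replaces.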