diff --git a/internal/runner/template_spec/testdata/expected/privileged_basic.yaml b/internal/runner/template_spec/testdata/expected/privileged_basic.yaml index e4a4465..e23d71b 100644 --- a/internal/runner/template_spec/testdata/expected/privileged_basic.yaml +++ b/internal/runner/template_spec/testdata/expected/privileged_basic.yaml 
@@ -1,4 +1,110 @@ apiVersion: v1 +kind: ConfigMap +metadata: + name: privileged-hook-extension-test-runner + namespace: arc-systems +data: + content: | + spec: + hostPID: true + hostIPC: true + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + initContainers: + - name: setup-glibc-compat + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ + volumeMounts: + - name: glibc-compat + mountPath: /glibc-compat + - name: externals + mountPath: /externals + - name: prepare-github-workspace + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - set -e; echo 'Preparing GitHub workspace directories...'; cp -R /__w/_temp/_github_home /github/home 2>/dev/null || echo 'No _github_home to copy'; cp -R /__w/_temp/_github_workflow /github/workflow 2>/dev/null || echo 'No _github_workflow to copy'; echo 'GitHub workspace preparation complete' + volumeMounts: + - name: work + mountPath: /__w + - name: github + mountPath: /github + containers: + - name: $job + securityContext: + privileged: true + runAsUser: 0 + runAsGroup: 0 + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - SYS_CHROOT + - SETFCAP + - SETPCAP + - NET_RAW + - IPC_LOCK + - SYS_RESOURCE + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + volumeMounts: + - name: sys + mountPath: /sys + - name: cgroup + mountPath: /sys/fs/cgroup + mountPropagation: Bidirectional + - name: proc + mountPath: /proc + - name: dev + mountPath: /dev + - name: dev-pts + mountPath: /dev/pts + - name: shm + mountPath: /dev/shm + - name: glibc-compat + mountPath: /lib64 + - name: glibc-compat + mountPath: /lib/x86_64-linux-gnu + volumes: + - name: 
sys + hostPath: + path: /sys + type: Directory + - name: cgroup + hostPath: + path: /sys/fs/cgroup + type: Directory + - name: proc + hostPath: + path: /proc + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: dev-pts + hostPath: + path: /dev/pts + type: Directory + - name: shm + hostPath: + path: /dev/shm + type: Directory + - name: glibc-compat + emptyDir: {} +--- +apiVersion: v1 kind: ServiceAccount metadata: name: test-runner-gha-rs-kube-mode 
@@ -227,100 +333,6 @@ subjects: name: arc-gha-rs-controller namespace: arc-systems --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: privileged-hook-extension-test-runner - namespace: arc-systems -data: - content: | - spec: - hostPID: true - hostIPC: true - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - initContainers: - - name: setup-glibc-compat - image: ghcr.io/actions/actions-runner:latest - command: - - sh - - -c - args: - - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ - volumeMounts: - - name: glibc-compat - mountPath: /glibc-compat - - name: externals - mountPath: /externals - containers: - - name: $job - securityContext: - privileged: true - runAsUser: 0 - runAsGroup: 0 - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - - NET_ADMIN - - SYS_PTRACE - - SYS_CHROOT - - SETFCAP - - SETPCAP - - NET_RAW - - IPC_LOCK - - SYS_RESOURCE - - MKNOD - - AUDIT_WRITE - - AUDIT_CONTROL - volumeMounts: - - name: sys - mountPath: /sys - - name: cgroup - mountPath: /sys/fs/cgroup - mountPropagation: Bidirectional - - name: proc - mountPath: /proc - - name: dev - mountPath: /dev - - name: dev-pts - mountPath: /dev/pts - - name: shm - mountPath: /dev/shm - - name: glibc-compat - mountPath: /lib64 - - name: glibc-compat - mountPath: /lib/x86_64-linux-gnu - volumes: - - name: sys - hostPath: - path: /sys - type: Directory - - name: cgroup - hostPath: - path: /sys/fs/cgroup - type: Directory - - name: proc - hostPath: - path: /proc - type: Directory - - name: dev - hostPath: - path: /dev - type: Directory - - name: dev-pts - hostPath: - path: /dev/pts - type: Directory - - name: shm - hostPath: - path: /dev/shm - type: Directory - - name: glibc-compat - emptyDir: {} ---- apiVersion: 
actions.github.com/v1alpha1 kind: AutoscalingRunnerSet metadata: diff --git a/internal/runner/template_spec/testdata/expected/privileged_multi_cache.yaml b/internal/runner/template_spec/testdata/expected/privileged_multi_cache.yaml index 0c3ac48..d6b394b 100644 --- a/internal/runner/template_spec/testdata/expected/privileged_multi_cache.yaml +++ b/internal/runner/template_spec/testdata/expected/privileged_multi_cache.yaml 
@@ -1,4 +1,122 @@ apiVersion: v1 +kind: ConfigMap +metadata: + name: privileged-hook-extension-test-runner + namespace: arc-systems +data: + content: | + spec: + hostPID: true + hostIPC: true + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + initContainers: + - name: setup-glibc-compat + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ + volumeMounts: + - name: glibc-compat + mountPath: /glibc-compat + - name: externals + mountPath: /externals + - name: prepare-github-workspace + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - set -e; echo 'Preparing GitHub workspace directories...'; cp -R /__w/_temp/_github_home /github/home 2>/dev/null || echo 'No _github_home to copy'; cp -R /__w/_temp/_github_workflow /github/workflow 2>/dev/null || echo 'No _github_workflow to copy'; echo 'GitHub workspace preparation complete' + volumeMounts: + - name: work + mountPath: /__w + - name: github + mountPath: /github + containers: + - name: $job + securityContext: + privileged: true + runAsUser: 0 + runAsGroup: 0 + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - SYS_CHROOT + - SETFCAP + - SETPCAP + - NET_RAW + - IPC_LOCK + - SYS_RESOURCE + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + volumeMounts: + - name: sys + mountPath: /sys + - name: cgroup + mountPath: /sys/fs/cgroup + mountPropagation: Bidirectional + - name: proc + mountPath: /proc + - name: dev + mountPath: /dev + - name: dev-pts + mountPath: /dev/pts + - name: shm + mountPath: /dev/shm + - name: glibc-compat + mountPath: /lib64 + - name: glibc-compat + mountPath: /lib/x86_64-linux-gnu + - name: cache-0 + 
mountPath: /var/lib/docker + - name: cache-1 + mountPath: /nix/store + volumes: + - name: sys + hostPath: + path: /sys + type: Directory + - name: cgroup + hostPath: + path: /sys/fs/cgroup + type: Directory + - name: proc + hostPath: + path: /proc + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: dev-pts + hostPath: + path: /dev/pts + type: Directory + - name: shm + hostPath: + path: /dev/shm + type: Directory + - name: glibc-compat + emptyDir: {} + - name: cache-0 + hostPath: + path: /var/lib/docker + type: DirectoryOrCreate + - name: cache-1 + hostPath: + path: /nix/store + type: DirectoryOrCreate +--- +apiVersion: v1 kind: ServiceAccount metadata: name: test-runner-gha-rs-kube-mode 
@@ -227,112 +345,6 @@ subjects: name: arc-gha-rs-controller namespace: arc-systems --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: privileged-hook-extension-test-runner - namespace: arc-systems -data: - content: | - spec: - hostPID: true - hostIPC: true - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - initContainers: - - name: setup-glibc-compat - image: ghcr.io/actions/actions-runner:latest - command: - - sh - - -c - args: - - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ - volumeMounts: - - name: glibc-compat - mountPath: /glibc-compat - - name: externals - mountPath: /externals - containers: - - name: $job - securityContext: - privileged: true - runAsUser: 0 - runAsGroup: 0 - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - - NET_ADMIN - - SYS_PTRACE - - SYS_CHROOT - - SETFCAP - - SETPCAP - - NET_RAW - - IPC_LOCK - - SYS_RESOURCE - - MKNOD - - AUDIT_WRITE - - AUDIT_CONTROL - volumeMounts: - - name: sys - mountPath: /sys - - name: cgroup - mountPath: /sys/fs/cgroup - mountPropagation: Bidirectional - - name: proc - mountPath: /proc - - name: dev - mountPath: /dev - - name: dev-pts - mountPath: /dev/pts - - name: shm - mountPath: /dev/shm - - name: glibc-compat - mountPath: /lib64 - - name: glibc-compat - mountPath: /lib/x86_64-linux-gnu - - name: cache-0 - mountPath: /var/lib/docker - - name: cache-1 - mountPath: /nix/store - volumes: - - name: sys - hostPath: - path: /sys - type: Directory - - name: cgroup - hostPath: - path: /sys/fs/cgroup - type: Directory - - name: proc - hostPath: - path: /proc - type: Directory - - name: dev - hostPath: - path: /dev - type: Directory - - name: dev-pts - hostPath: - path: /dev/pts - type: Directory - - name: shm - hostPath: - path: /dev/shm - 
type: Directory - - name: glibc-compat - emptyDir: {} - - name: cache-0 - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - - name: cache-1 - hostPath: - path: /nix/store - type: DirectoryOrCreate ---- apiVersion: actions.github.com/v1alpha1 kind: AutoscalingRunnerSet metadata: diff --git a/pkg/templates/templates/controller/overlay.yaml b/pkg/templates/templates/controller/overlay.yaml index 131a65c..cc23191 100644 --- a/pkg/templates/templates/controller/overlay.yaml +++ b/pkg/templates/templates/controller/overlay.yaml @@ -1,10 +1,13 @@ #@ load("@ytt:overlay", "overlay") -#! Add create/delete/get permissions for roles and rolebindings -#! The ARC controller needs these to dynamically create roles for listener pods -#! Original upstream only has: list, watch, patch for roles; list, watch for rolebindings +#! Add create/delete/get/patch permissions for roles, rolebindings, and serviceaccounts +#! The ARC controller needs these to: +#! - Dynamically create roles for listener pods +#! - Remove finalizers during cleanup (requires patch permission) +#! Original upstream only has: list, watch, patch for roles; list, watch for rolebindings; list, watch for serviceaccounts #! We need: create, delete, get, list, patch, watch for roles -#! create, delete, get, list, watch for rolebindings +#! create, delete, get, list, patch, watch for rolebindings +#! create, delete, get, list, patch, watch for serviceaccounts #@overlay/match by=overlay.subset({"kind": "ClusterRole", "metadata": {"name": "arc-controller-gha-rs-controller"}}) --- rules: @@ -16,8 +19,19 @@ rules: - delete - get - list + - patch - watch #@overlay/match by=overlay.subset({"resources": ["roles"]}) +- + #@overlay/replace + verbs: + - create + - delete + - get + - list + - patch + - watch +#@overlay/match by=overlay.subset({"resources": ["serviceaccounts"]}) - #@overlay/replace verbs: 
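Review bot: The new `serviceaccounts` match is followed by the pre-existing `#@overlay/replace` verbs entry whose verb list lies outside this hunk, so what serviceaccounts actually receive can only be checked against the `controller_basic.yaml` fixture in this commit, which shows create, delete, get, list, patch and watch. The header comment in the previous hunk justifies `patch` (finalizer removal) but gives no reason for cluster-wide `create` and `delete` on serviceaccounts, which combined with the existing create permission on rolebindings lets the controller mint and bind new identities; either record the code path that needs them, e.g. `#! - Create/delete ServiceAccounts for kube-mode runner pods (create, delete)`, or narrow that entry to `list, patch, watch`. `overlay.subset({"resources": [...]})` matches every rule whose resources list contains that resource, so it is worth confirming the upstream ClusterRole has exactly one such rule for each of roles and serviceaccounts; a second match would make the replace fail or apply twice.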
diff --git a/pkg/templates/templates/overlay.yaml b/pkg/templates/templates/overlay.yaml index d142ede..cfe2e4a 100644 --- a/pkg/templates/templates/overlay.yaml +++ b/pkg/templates/templates/overlay.yaml @@ -16,13 +16,14 @@ #@ spec["hostIPC"] = True #@ spec["securityContext"] = {"runAsUser": 0, "runAsGroup": 0, "fsGroup": 0} #@ -#@ # Build init container to set up glibc compatibility layer AND copy node externals. -#@ # This enables Nixery images to run GitHub Actions' node binary which requires glibc. -#@ # We copy glibc libs from the actions-runner image (Ubuntu-based) which has FHS-compatible -#@ # library paths hardcoded in the dynamic linker. This avoids needing apt-get install. -#@ # We also copy the node externals from /home/runner/externals to /__e since the job -#@ # container runs in a separate pod and doesn't share filesystem with the runner. -#@ initContainer = { +#@ # Build init containers: +#@ # 1. Setup glibc compatibility layer AND copy node externals. +#@ # This enables Nixery images to run GitHub Actions' node binary which requires glibc. +#@ # We copy glibc libs from the actions-runner image (Ubuntu-based) which has FHS-compatible +#@ # library paths hardcoded in the dynamic linker. This avoids needing apt-get install. +#@ # We also copy the node externals from /home/runner/externals to /__e since the job +#@ # container runs in a separate pod and doesn't share filesystem with the runner. +#@ glibcInitContainer = { #@ "name": "setup-glibc-compat", #@ "image": "ghcr.io/actions/actions-runner:latest", #@ "command": ["sh", "-c"], 
@@ -37,7 +38,32 @@ #@ {"name": "externals", "mountPath": "/externals"} #@ ] #@ } -#@ spec["initContainers"] = [initContainer] +#@ +#@ # 2. Prepare GitHub workspace directories. +#@ # The GitHub Actions runner-container-hooks package has a bug where the prepare script +#@ # only runs when userMountVolumes are defined. This init container explicitly copies +#@ # the GitHub workspace directories from /__w/_temp/ to /github/ before the main +#@ # container starts, ensuring /github/workflow/event.json exists for actions like +#@ # Docker Buildx that require GITHUB_EVENT_PATH. +#@ # See: https://github.com/rkoster/deskrun/issues/28 +#@ githubWorkspaceInitContainer = { +#@ "name": "prepare-github-workspace", +#@ "image": "ghcr.io/actions/actions-runner:latest", +#@ "command": ["sh", "-c"], +#@ "args": [ +#@ "set -e; " + +#@ "echo 'Preparing GitHub workspace directories...'; " + +#@ "cp -R /__w/_temp/_github_home /github/home 2>/dev/null || echo 'No _github_home to copy'; " + +#@ "cp -R /__w/_temp/_github_workflow /github/workflow 2>/dev/null || echo 'No _github_workflow to copy'; " + +#@ "echo 'GitHub workspace preparation complete'" +#@ ], +#@ "volumeMounts": [ +#@ {"name": "work", "mountPath": "/__w"}, +#@ {"name": "github", "mountPath": "/github"} +#@ ] +#@ } +#@ +#@ spec["initContainers"] = [glibcInitContainer, githubWorkspaceInitContainer] #@ #@ # Build container spec #@ container = {} @@ -76,10 +102,6 @@ #@ volumeMounts.append({"name": "cache-" + str(i), "mountPath": cachePath.target}) #@ end #@ -#@ # Note: externals (/__e), work (/__w), and github (/github) volumes are automatically -#@ # added by the k8s-novolume hooks, so we don't include them here to avoid duplicates. -#@ # The hooks handle all GitHub workspace paths including /github/workflow/event.json -#@ #@ container["volumeMounts"] = volumeMounts #@ #@ # Build volumes 
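Review bot: `cp -R /__w/_temp/_github_home /github/home` only creates `/github/home` as a copy when that path does not exist yet; if the `github` volume already contains a `home` directory the copy lands in `/github/home/_github_home` and `set -e` never notices because cp exits 0. Copying the directory contents is unambiguous in both cases: `"mkdir -p /github/home /github/workflow; " +` followed by `"cp -R /__w/_temp/_github_home/. /github/home/ 2>/dev/null || echo 'No _github_home to copy'; " +` and the same `/.` form for `_github_workflow`. Whether `/github/home` pre-exists at init time depends on how the hooks populate the volume, which is not visible here. The container also mounts `work` and `github` volumes that this overlay never declares (none of the rendered fixtures' `volumes` lists contain them), so it presumably relies on the hooks injecting them, and that assumption deserves a comment next to `githubWorkspaceInitContainer` since the note further down that documented it is removed in this commit. Like `glibcInitContainer` it pulls `ghcr.io/actions/actions-runner:latest` by floating tag into a hostPID/hostIPC pod running as uid 0; pinning the image by digest would make the rendered spec reproducible.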
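Review bot: The removed note was the only place recording that the externals, work and github volumes come from the k8s-novolume hooks rather than from this overlay, and the same commit adds a second init container earlier in this file that mounts two of them, so the dependency has grown while its documentation disappeared. Keep a one-line version above `container["volumeMounts"] = volumeMounts`, e.g. `#@ # work (/__w), github (/github) and externals (/__e) are injected by the k8s-novolume hooks; declaring them here would duplicate the mounts.` Dropping the old claim that the hooks handle `/github/workflow/event.json` is consistent with the rationale given for `prepare-github-workspace`, so only the volume sentence needs to survive.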
diff --git a/pkg/templates/templates/scale-set/bases/privileged.yaml b/pkg/templates/templates/scale-set/bases/privileged.yaml index 9c63112..98b0ce2 100644 --- a/pkg/templates/templates/scale-set/bases/privileged.yaml +++ b/pkg/templates/templates/scale-set/bases/privileged.yaml @@ -1,3 +1,13 @@ +#! Placeholder ConfigMap for privileged mode hook extension +#! This ConfigMap is populated by the overlay with the actual hook extension spec +apiVersion: v1 +kind: ConfigMap +metadata: + name: privileged-hook-extension-arc-runner + namespace: arc-systems +data: + content: "" +--- --- #! Source: gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml apiVersion: v1 @@ -210,15 +220,6 @@ subjects: namespace: arc-systems --- -#! Source: hook-extension-configmap -apiVersion: v1 -kind: ConfigMap -metadata: - name: privileged-hook-extension-arc-runner - namespace: arc-systems -data: - content: "" ---- #! Source: gha-runner-scale-set/templates/autoscalingrunnerset.yaml apiVersion: actions.github.com/v1alpha1 kind: AutoscalingRunnerSet diff --git a/pkg/templates/testdata/expected/controller_basic.yaml b/pkg/templates/testdata/expected/controller_basic.yaml index 4fa8dad..a0607b1 100644 --- a/pkg/templates/testdata/expected/controller_basic.yaml +++ b/pkg/templates/testdata/expected/controller_basic.yaml @@ -137,7 +137,11 @@ rules: resources: - serviceaccounts verbs: + - create + - delete + - get - list + - patch - watch - apiGroups: - rbac.authorization.k8s.io @@ -148,6 +152,7 @@ rules: - delete - get - list + - patch - watch - apiGroups: - rbac.authorization.k8s.io diff --git a/pkg/templates/testdata/expected/privileged_basic.yaml b/pkg/templates/testdata/expected/privileged_basic.yaml index e4a4465..e23d71b 100644 --- a/pkg/templates/testdata/expected/privileged_basic.yaml +++ b/pkg/templates/testdata/expected/privileged_basic.yaml 
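Review bot: The added `+---` sits directly above the file's existing `---`, so the source now contains an empty YAML document between the placeholder ConfigMap and the kube-mode ServiceAccount. The rendered fixtures in this commit show a single separator, so the renderer evidently drops the empty document, but other consumers of this base file (linters, direct `kubectl` use) may not be as forgiving. Drop the added separator and let the existing `---` close the ConfigMap document. The second hunk in this file is a pure move of the same resource and needs nothing further.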
@@ -1,4 +1,110 @@ apiVersion: v1 +kind: ConfigMap +metadata: + name: privileged-hook-extension-test-runner + namespace: arc-systems +data: + content: | + spec: + hostPID: true + hostIPC: true + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + initContainers: + - name: setup-glibc-compat + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ + volumeMounts: + - name: glibc-compat + mountPath: /glibc-compat + - name: externals + mountPath: /externals + - name: prepare-github-workspace + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - set -e; echo 'Preparing GitHub workspace directories...'; cp -R /__w/_temp/_github_home /github/home 2>/dev/null || echo 'No _github_home to copy'; cp -R /__w/_temp/_github_workflow /github/workflow 2>/dev/null || echo 'No _github_workflow to copy'; echo 'GitHub workspace preparation complete' + volumeMounts: + - name: work + mountPath: /__w + - name: github + mountPath: /github + containers: + - name: $job + securityContext: + privileged: true + runAsUser: 0 + runAsGroup: 0 + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - SYS_CHROOT + - SETFCAP + - SETPCAP + - NET_RAW + - IPC_LOCK + - SYS_RESOURCE + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + volumeMounts: + - name: sys + mountPath: /sys + - name: cgroup + mountPath: /sys/fs/cgroup + mountPropagation: Bidirectional + - name: proc + mountPath: /proc + - name: dev + mountPath: /dev + - name: dev-pts + mountPath: /dev/pts + - name: shm + mountPath: /dev/shm + - name: glibc-compat + mountPath: /lib64 + - name: glibc-compat + mountPath: /lib/x86_64-linux-gnu + volumes: + - name: 
sys + hostPath: + path: /sys + type: Directory + - name: cgroup + hostPath: + path: /sys/fs/cgroup + type: Directory + - name: proc + hostPath: + path: /proc + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: dev-pts + hostPath: + path: /dev/pts + type: Directory + - name: shm + hostPath: + path: /dev/shm + type: Directory + - name: glibc-compat + emptyDir: {} +--- +apiVersion: v1 kind: ServiceAccount metadata: name: test-runner-gha-rs-kube-mode 
@@ -227,100 +333,6 @@ subjects: name: arc-gha-rs-controller namespace: arc-systems --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: privileged-hook-extension-test-runner - namespace: arc-systems -data: - content: | - spec: - hostPID: true - hostIPC: true - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - initContainers: - - name: setup-glibc-compat - image: ghcr.io/actions/actions-runner:latest - command: - - sh - - -c - args: - - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ - volumeMounts: - - name: glibc-compat - mountPath: /glibc-compat - - name: externals - mountPath: /externals - containers: - - name: $job - securityContext: - privileged: true - runAsUser: 0 - runAsGroup: 0 - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - - NET_ADMIN - - SYS_PTRACE - - SYS_CHROOT - - SETFCAP - - SETPCAP - - NET_RAW - - IPC_LOCK - - SYS_RESOURCE - - MKNOD - - AUDIT_WRITE - - AUDIT_CONTROL - volumeMounts: - - name: sys - mountPath: /sys - - name: cgroup - mountPath: /sys/fs/cgroup - mountPropagation: Bidirectional - - name: proc - mountPath: /proc - - name: dev - mountPath: /dev - - name: dev-pts - mountPath: /dev/pts - - name: shm - mountPath: /dev/shm - - name: glibc-compat - mountPath: /lib64 - - name: glibc-compat - mountPath: /lib/x86_64-linux-gnu - volumes: - - name: sys - hostPath: - path: /sys - type: Directory - - name: cgroup - hostPath: - path: /sys/fs/cgroup - type: Directory - - name: proc - hostPath: - path: /proc - type: Directory - - name: dev - hostPath: - path: /dev - type: Directory - - name: dev-pts - hostPath: - path: /dev/pts - type: Directory - - name: shm - hostPath: - path: /dev/shm - type: Directory - - name: glibc-compat - emptyDir: {} ---- apiVersion: 
actions.github.com/v1alpha1 kind: AutoscalingRunnerSet metadata: diff --git a/pkg/templates/testdata/expected/privileged_emptydir_cache.yaml b/pkg/templates/testdata/expected/privileged_emptydir_cache.yaml index 31bdfdd..7abb1df 100644 --- a/pkg/templates/testdata/expected/privileged_emptydir_cache.yaml +++ b/pkg/templates/testdata/expected/privileged_emptydir_cache.yaml 
@@ -1,4 +1,116 @@ apiVersion: v1 +kind: ConfigMap +metadata: + name: privileged-hook-extension-test-runner + namespace: arc-systems +data: + content: | + spec: + hostPID: true + hostIPC: true + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + initContainers: + - name: setup-glibc-compat + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ + volumeMounts: + - name: glibc-compat + mountPath: /glibc-compat + - name: externals + mountPath: /externals + - name: prepare-github-workspace + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - set -e; echo 'Preparing GitHub workspace directories...'; cp -R /__w/_temp/_github_home /github/home 2>/dev/null || echo 'No _github_home to copy'; cp -R /__w/_temp/_github_workflow /github/workflow 2>/dev/null || echo 'No _github_workflow to copy'; echo 'GitHub workspace preparation complete' + volumeMounts: + - name: work + mountPath: /__w + - name: github + mountPath: /github + containers: + - name: $job + securityContext: + privileged: true + runAsUser: 0 + runAsGroup: 0 + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - SYS_CHROOT + - SETFCAP + - SETPCAP + - NET_RAW + - IPC_LOCK + - SYS_RESOURCE + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + volumeMounts: + - name: sys + mountPath: /sys + - name: cgroup + mountPath: /sys/fs/cgroup + mountPropagation: Bidirectional + - name: proc + mountPath: /proc + - name: dev + mountPath: /dev + - name: dev-pts + mountPath: /dev/pts + - name: shm + mountPath: /dev/shm + - name: glibc-compat + mountPath: /lib64 + - name: glibc-compat + mountPath: /lib/x86_64-linux-gnu + - name: cache-0 + 
mountPath: /var/lib/docker + volumes: + - name: sys + hostPath: + path: /sys + type: Directory + - name: cgroup + hostPath: + path: /sys/fs/cgroup + type: Directory + - name: proc + hostPath: + path: /proc + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: dev-pts + hostPath: + path: /dev/pts + type: Directory + - name: shm + hostPath: + path: /dev/shm + type: Directory + - name: glibc-compat + emptyDir: {} + - name: cache-0 + hostPath: + path: /tmp/github-runner-cache/test-runner-1/cache-0 + type: DirectoryOrCreate +--- +apiVersion: v1 kind: ServiceAccount metadata: name: test-runner-gha-rs-kube-mode 
@@ -227,106 +339,6 @@ subjects: name: arc-gha-rs-controller namespace: arc-systems --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: privileged-hook-extension-test-runner - namespace: arc-systems -data: - content: | - spec: - hostPID: true - hostIPC: true - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - initContainers: - - name: setup-glibc-compat - image: ghcr.io/actions/actions-runner:latest - command: - - sh - - -c - args: - - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ - volumeMounts: - - name: glibc-compat - mountPath: /glibc-compat - - name: externals - mountPath: /externals - containers: - - name: $job - securityContext: - privileged: true - runAsUser: 0 - runAsGroup: 0 - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - - NET_ADMIN - - SYS_PTRACE - - SYS_CHROOT - - SETFCAP - - SETPCAP - - NET_RAW - - IPC_LOCK - - SYS_RESOURCE - - MKNOD - - AUDIT_WRITE - - AUDIT_CONTROL - volumeMounts: - - name: sys - mountPath: /sys - - name: cgroup - mountPath: /sys/fs/cgroup - mountPropagation: Bidirectional - - name: proc - mountPath: /proc - - name: dev - mountPath: /dev - - name: dev-pts - mountPath: /dev/pts - - name: shm - mountPath: /dev/shm - - name: glibc-compat - mountPath: /lib64 - - name: glibc-compat - mountPath: /lib/x86_64-linux-gnu - - name: cache-0 - mountPath: /var/lib/docker - volumes: - - name: sys - hostPath: - path: /sys - type: Directory - - name: cgroup - hostPath: - path: /sys/fs/cgroup - type: Directory - - name: proc - hostPath: - path: /proc - type: Directory - - name: dev - hostPath: - path: /dev - type: Directory - - name: dev-pts - hostPath: - path: /dev/pts - type: Directory - - name: shm - hostPath: - path: /dev/shm - type: Directory - - name: glibc-compat - 
emptyDir: {} - - name: cache-0 - hostPath: - path: /tmp/github-runner-cache/test-runner-1/cache-0 - type: DirectoryOrCreate ---- apiVersion: actions.github.com/v1alpha1 kind: AutoscalingRunnerSet metadata: diff --git a/pkg/templates/testdata/expected/privileged_multi_cache.yaml b/pkg/templates/testdata/expected/privileged_multi_cache.yaml index 0c3ac48..d6b394b 100644 --- a/pkg/templates/testdata/expected/privileged_multi_cache.yaml +++ b/pkg/templates/testdata/expected/privileged_multi_cache.yaml 
@@ -1,4 +1,122 @@ apiVersion: v1 +kind: ConfigMap +metadata: + name: privileged-hook-extension-test-runner + namespace: arc-systems +data: + content: | + spec: + hostPID: true + hostIPC: true + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + initContainers: + - name: setup-glibc-compat + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ + volumeMounts: + - name: glibc-compat + mountPath: /glibc-compat + - name: externals + mountPath: /externals + - name: prepare-github-workspace + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - set -e; echo 'Preparing GitHub workspace directories...'; cp -R /__w/_temp/_github_home /github/home 2>/dev/null || echo 'No _github_home to copy'; cp -R /__w/_temp/_github_workflow /github/workflow 2>/dev/null || echo 'No _github_workflow to copy'; echo 'GitHub workspace preparation complete' + volumeMounts: + - name: work + mountPath: /__w + - name: github + mountPath: /github + containers: + - name: $job + securityContext: + privileged: true + runAsUser: 0 + runAsGroup: 0 + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - SYS_CHROOT + - SETFCAP + - SETPCAP + - NET_RAW + - IPC_LOCK + - SYS_RESOURCE + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + volumeMounts: + - name: sys + mountPath: /sys + - name: cgroup + mountPath: /sys/fs/cgroup + mountPropagation: Bidirectional + - name: proc + mountPath: /proc + - name: dev + mountPath: /dev + - name: dev-pts + mountPath: /dev/pts + - name: shm + mountPath: /dev/shm + - name: glibc-compat + mountPath: /lib64 + - name: glibc-compat + mountPath: /lib/x86_64-linux-gnu + - name: cache-0 + 
mountPath: /var/lib/docker + - name: cache-1 + mountPath: /nix/store + volumes: + - name: sys + hostPath: + path: /sys + type: Directory + - name: cgroup + hostPath: + path: /sys/fs/cgroup + type: Directory + - name: proc + hostPath: + path: /proc + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: dev-pts + hostPath: + path: /dev/pts + type: Directory + - name: shm + hostPath: + path: /dev/shm + type: Directory + - name: glibc-compat + emptyDir: {} + - name: cache-0 + hostPath: + path: /var/lib/docker + type: DirectoryOrCreate + - name: cache-1 + hostPath: + path: /nix/store + type: DirectoryOrCreate +--- +apiVersion: v1 kind: ServiceAccount metadata: name: test-runner-gha-rs-kube-mode 
@@ -227,112 +345,6 @@ subjects: name: arc-gha-rs-controller namespace: arc-systems --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: privileged-hook-extension-test-runner - namespace: arc-systems -data: - content: | - spec: - hostPID: true - hostIPC: true - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - initContainers: - - name: setup-glibc-compat - image: ghcr.io/actions/actions-runner:latest - command: - - sh - - -c - args: - - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ - volumeMounts: - - name: glibc-compat - mountPath: /glibc-compat - - name: externals - mountPath: /externals - containers: - - name: $job - securityContext: - privileged: true - runAsUser: 0 - runAsGroup: 0 - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - - NET_ADMIN - - SYS_PTRACE - - SYS_CHROOT - - SETFCAP - - SETPCAP - - NET_RAW - - IPC_LOCK - - SYS_RESOURCE - - MKNOD - - AUDIT_WRITE - - AUDIT_CONTROL - volumeMounts: - - name: sys - mountPath: /sys - - name: cgroup - mountPath: /sys/fs/cgroup - mountPropagation: Bidirectional - - name: proc - mountPath: /proc - - name: dev - mountPath: /dev - - name: dev-pts - mountPath: /dev/pts - - name: shm - mountPath: /dev/shm - - name: glibc-compat - mountPath: /lib64 - - name: glibc-compat - mountPath: /lib/x86_64-linux-gnu - - name: cache-0 - mountPath: /var/lib/docker - - name: cache-1 - mountPath: /nix/store - volumes: - - name: sys - hostPath: - path: /sys - type: Directory - - name: cgroup - hostPath: - path: /sys/fs/cgroup - type: Directory - - name: proc - hostPath: - path: /proc - type: Directory - - name: dev - hostPath: - path: /dev - type: Directory - - name: dev-pts - hostPath: - path: /dev/pts - type: Directory - - name: shm - hostPath: - path: /dev/shm - 
type: Directory - - name: glibc-compat - emptyDir: {} - - name: cache-0 - hostPath: - path: /var/lib/docker - type: DirectoryOrCreate - - name: cache-1 - hostPath: - path: /nix/store - type: DirectoryOrCreate ---- apiVersion: actions.github.com/v1alpha1 kind: AutoscalingRunnerSet metadata: diff --git a/pkg/templates/testdata/expected/privileged_single_cache.yaml b/pkg/templates/testdata/expected/privileged_single_cache.yaml index 4c0b5a4..45faa3f 100644 --- a/pkg/templates/testdata/expected/privileged_single_cache.yaml +++ b/pkg/templates/testdata/expected/privileged_single_cache.yaml 
@@ -1,4 +1,116 @@ apiVersion: v1 +kind: ConfigMap +metadata: + name: privileged-hook-extension-test-runner + namespace: arc-systems +data: + content: | + spec: + hostPID: true + hostIPC: true + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + initContainers: + - name: setup-glibc-compat + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ + volumeMounts: + - name: glibc-compat + mountPath: /glibc-compat + - name: externals + mountPath: /externals + - name: prepare-github-workspace + image: ghcr.io/actions/actions-runner:latest + command: + - sh + - -c + args: + - set -e; echo 'Preparing GitHub workspace directories...'; cp -R /__w/_temp/_github_home /github/home 2>/dev/null || echo 'No _github_home to copy'; cp -R /__w/_temp/_github_workflow /github/workflow 2>/dev/null || echo 'No _github_workflow to copy'; echo 'GitHub workspace preparation complete' + volumeMounts: + - name: work + mountPath: /__w + - name: github + mountPath: /github + containers: + - name: $job + securityContext: + privileged: true + runAsUser: 0 + runAsGroup: 0 + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - SYS_CHROOT + - SETFCAP + - SETPCAP + - NET_RAW + - IPC_LOCK + - SYS_RESOURCE + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + volumeMounts: + - name: sys + mountPath: /sys + - name: cgroup + mountPath: /sys/fs/cgroup + mountPropagation: Bidirectional + - name: proc + mountPath: /proc + - name: dev + mountPath: /dev + - name: dev-pts + mountPath: /dev/pts + - name: shm + mountPath: /dev/shm + - name: glibc-compat + mountPath: /lib64 + - name: glibc-compat + mountPath: /lib/x86_64-linux-gnu + - name: cache-0 + 
mountPath: /var/lib/docker + volumes: + - name: sys + hostPath: + path: /sys + type: Directory + - name: cgroup + hostPath: + path: /sys/fs/cgroup + type: Directory + - name: proc + hostPath: + path: /proc + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: dev-pts + hostPath: + path: /dev/pts + type: Directory + - name: shm + hostPath: + path: /dev/shm + type: Directory + - name: glibc-compat + emptyDir: {} + - name: cache-0 + hostPath: + path: /var/lib/docker + type: DirectoryOrCreate +--- +apiVersion: v1 kind: ServiceAccount metadata: name: test-runner-gha-rs-kube-mode 
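Review bot: The new `prepare-github-workspace` init container mounts volumes named `work` and `github` (and `setup-glibc-compat` mounts `externals`), but the spec's `volumes:` list in this hunk declares only sys, cgroup, proc, dev, dev-pts, shm, glibc-compat and cache-0; unless the hook's base pod template supplies those three volumes at merge time, the resulting pod is rejected for referencing undefined volumes, so that dependency deserves a comment in the template this fixture is generated from. Separately, `cp -R /__w/_temp/_github_home /github/home` nests a `_github_home` directory under `/github/home` whenever that directory already exists instead of populating it; copying the contents with `cp -R /__w/_temp/_github_home/. /github/home/` (same for `_github_workflow`) behaves the same whether or not the target exists, and the `|| echo` fallback keeps `set -e` from aborting on a missing source. This file is an expected-output fixture, so the change belongs in the template source, which is outside this diff.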
@@ -227,106 +339,6 @@ subjects: name: arc-gha-rs-controller namespace: arc-systems --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: privileged-hook-extension-test-runner - namespace: arc-systems -data: - content: | - spec: - hostPID: true - hostIPC: true - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - initContainers: - - name: setup-glibc-compat - image: ghcr.io/actions/actions-runner:latest - command: - - sh - - -c - args: - - for lib in ld-linux-x86-64.so.2 libc.so.6 libm.so.6 libpthread.so.0 libdl.so.2 librt.so.1 libstdc++.so.6 libgcc_s.so.1; do [ -f "/lib/x86_64-linux-gnu/$lib" ] && cp -L "/lib/x86_64-linux-gnu/$lib" /glibc-compat/; done; chmod 755 /glibc-compat/*; cp -r /home/runner/externals/* /externals/ - volumeMounts: - - name: glibc-compat - mountPath: /glibc-compat - - name: externals - mountPath: /externals - containers: - - name: $job - securityContext: - privileged: true - runAsUser: 0 - runAsGroup: 0 - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - - NET_ADMIN - - SYS_PTRACE - - SYS_CHROOT - - SETFCAP - - SETPCAP - - NET_RAW - - IPC_LOCK - - SYS_RESOURCE - - MKNOD - - AUDIT_WRITE - - AUDIT_CONTROL - volumeMounts: - - name: sys - mountPath: /sys - - name: cgroup - mountPath: /sys/fs/cgroup - mountPropagation: Bidirectional - - name: proc - mountPath: /proc - - name: dev - mountPath: /dev - - name: dev-pts - mountPath: /dev/pts - - name: shm - mountPath: /dev/shm - - name: glibc-compat - mountPath: /lib64 - - name: glibc-compat - mountPath: /lib/x86_64-linux-gnu - - name: cache-0 - mountPath: /var/lib/docker - volumes: - - name: sys - hostPath: - path: /sys - type: Directory - - name: cgroup - hostPath: - path: /sys/fs/cgroup - type: Directory - - name: proc - hostPath: - path: /proc - type: Directory - - name: dev - hostPath: - path: /dev - type: Directory - - name: dev-pts - hostPath: - path: /dev/pts - type: Directory - - name: shm - hostPath: - path: /dev/shm - type: Directory - - name: glibc-compat - 
emptyDir: {}
- - name: cache-0
- hostPath:
- path: /var/lib/docker
- type: DirectoryOrCreate
----
 apiVersion: actions.github.com/v1alpha1
 kind: AutoscalingRunnerSet
 metadata:
diff --git a/scripts/generate-base-templates.sh b/scripts/generate-base-templates.sh
index 73fbb57..65d6fe2 100755
--- a/scripts/generate-base-templates.sh
+++ b/scripts/generate-base-templates.sh
@@ -48,6 +48,20 @@ echo " -> $OUTPUT_DIR/dind.yaml"
 # Generate Privileged mode template (kubernetes-novolume)
 # This is used for cached-privileged-kubernetes mode
 echo " Generating privileged mode template..."
+# First, add a placeholder ConfigMap for hook extension (will be overlayed with actual content)
+cat > "$OUTPUT_DIR/privileged.yaml" << 'EOF'
+#! Placeholder ConfigMap for privileged mode hook extension
+#! This ConfigMap is populated by the overlay with the actual hook extension spec
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: privileged-hook-extension-arc-runner
+ namespace: arc-systems
+data:
+ content: ""
+---
+EOF
+# Then append the helm-generated template
 helm template arc-runner "$UPSTREAM_DIR/gha-runner-scale-set" \
 "${COMMON_VALUES[@]}" \
 --set containerMode.type=kubernetes \
@@ -55,7 +69,7 @@ helm template arc-runner "$UPSTREAM_DIR/gha-runner-scale-set" \
 --set containerMode.kubernetesModeWorkVolumeClaim.storageClassName=standard \
 --set containerMode.kubernetesModeWorkVolumeClaim.resources.requests.storage=1Gi \
 | sed 's/^# Source:/#! Source:/g' \
- > "$OUTPUT_DIR/privileged.yaml"
+ >> "$OUTPUT_DIR/privileged.yaml"
 echo " -> $OUTPUT_DIR/privileged.yaml"
 echo ""
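Review bot: The hand-written placeholder is named `privileged-hook-extension-arc-runner`, following the `arc-runner` release name passed to `helm template`, while the expected fixtures elsewhere in this diff carry `privileged-hook-extension-test-runner`; whatever step substitutes the release name downstream must also cover this heredoc, or the overlay's patch target stops matching and the `content: ""` placeholder is what ships as the hook extension, which presumably means no privileged hook spec is applied at all without any error. Consider documenting that contract next to the heredoc, e.g. `# NOTE: the ConfigMap name must follow the release name (arc-runner) because the overlay patches it by name; an unpatched empty content is silently accepted`. Since the helm output is now appended with `>>`, a failing `helm template` (unless `set -o pipefail` is enabled earlier in the script, which is outside this hunk) leaves a file holding only the placeholder rather than an empty file, so a later consumer cannot tell a truncated template from a complete one.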