# Copyright 2020 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Helm values for the gha-runner-scale-set installation of google/syzkaller.
# Page source:
# github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/.github/arc_config/values.yaml

## githubConfigUrl: GitHub URL the runners are configured for, either a
## repository (ex: https://github.com/myorg/myrepo) or an organization
## (ex: https://github.com/myorg).
githubConfigUrl: 'https://github.com/google/syzkaller'

## githubConfigSecret: the k8s secret data used to authenticate to the GitHub
## API. Either a GitHub App or a PAT token can be used.
githubConfigSecret:
  ### GitHub Apps Configuration
  ## NOTE: IDs MUST be strings, use quotes
  # github_app_id: ""
  # github_app_installation_id: ""
  # github_app_private_key: |

  ### GitHub PAT Configuration
  ## The value committed here is the empty string, so no credential is stored
  ## in this file. The real token has to come from outside it (presumably
  ## supplied at install time - confirm against the deployment procedure).
  github_token: ''
## A pre-defined Kubernetes secret in the namespace the gha-runner-scale-set
## is deployed to can be referenced instead, via
## `githubConfigSecret: pre-defined-secret`. That secret must carry all the
## required secret data.
##   For a pre-defined secret using GitHub PAT, the secret needs to be created like this:
##   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_token='ghp_your_pat'
##   For a pre-defined secret using GitHub App, the secret needs to be created like this:
##   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_app_id=123456 --from-literal=github_app_installation_id=654321 --from-literal=github_app_private_key='-----BEGIN CERTIFICATE-----*******'
## NOTE(review): --from-literal places the secret on the command line, where
## shell history and the process list can retain it; kubectl's --from-file and
## --from-env-file read the value from a file instead. Referencing a
## pre-defined secret also keeps the token out of the values handed to Helm.
# githubConfigSecret: pre-defined-secret

## proxy: proxy settings applied to the controller, the listener and the
## runner of this scale set.
#
# proxy:
#   http:
#     url: http://proxy.com:1234
#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
#   https:
#     url: http://proxy.com:1234
#     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
#   noProxy:
#     - example.com
#     - example.org

## maxRunners: upper bound on the number of runners the autoscaling runner set
## will scale up to.
# maxRunners: 5

## minRunners: minimum number of idle runners. The target number of runners
## created is the sum of minRunners and the number of jobs assigned to the
## scale set.
# minRunners: 0

# runnerGroup: "default"

## runnerScaleSetName: name of the runner scale set to create. Defaults to the
## helm release name.
# runnerScaleSetName: ""

## A self-signed CA certificate for communication with the GitHub server can be
## provided using a config map key selector. If `runnerMountPath` is set, for
## each runner pod ARC will:
## - create a `github-server-tls-cert` volume containing the certificate
##   specified in `certificateFrom`
## - mount that volume on path `runnerMountPath`/{certificate name}
## - set NODE_EXTRA_CA_CERTS environment variable to that same path
## - set RUNNER_UPDATE_CA_CERTS environment variable to "1" (as of version
##   2.303.0 this will instruct the runner to reload certificates on the host)
##
## Anything in that list that the user already set in the runner pod template
## is left as it is; ARC does not overwrite it.
## Example configuration:
#
# githubServerTLS:
#   certificateFrom:
#     configMapKeyRef:
#       name: config-map-name
#       key: ca.crt
#   runnerMountPath: /usr/local/share/ca-certificates/

## containerMode: out-of-box configuration for dind and kubernetes mode. The
## template is modified as documented under the template object.
##
## If dind or kubernetes mode needs customization, containerMode should remain
## empty and the configuration should be applied to the template.
containerMode:
  type: kubernetes  ## type can be set to dind or kubernetes
  ## the following is required when containerMode.type=kubernetes
  kubernetesModeWorkVolumeClaim:
    accessModes:
      - ReadWriteOnce
    # For local testing, use https://github.com/openebs/dynamic-localpv-provisioner/blob/develop/docs/quickstart.md to provide dynamic provision volume with storageClassName: openebs-hostpath
    ## NOTE(review): the line above presents this storage class as a
    ## local-testing setup - confirm it is the intended class for this
    ## deployment.
    storageClassName: openebs-hostpath
    resources:
      requests:
        storage: 1Gi
  kubernetesModeServiceAccount:
    ## Explicit null: no annotations are set on the service account.
    annotations: null

## listenerTemplate is the PodSpec for each listener Pod
## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
# listenerTemplate:
#   spec:
#     containers:
#     # Use this section to append additional configuration to the listener container.
#     # If you change the name of the container, the configuration will not be applied to the listener,
#     # and it will be treated as a side-car container.
#     - name: listener
#       securityContext:
#         runAsUser: 1000
#     # Use this section to add the configuration of a side-car container.
#     # Comment it out or remove it if you don't need it.
#     # Spec for this container will be applied as is without any modifications.
#     - name: side-car
#       image: example-sidecar

## template is the PodSpec for each runner Pod
## For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
template:
  ## template.spec is modified when the container mode changes.
  ## NOTE(review): the dind layout below includes a container with
  ## `privileged: true`; the kubernetes layout after it has no privileged
  ## container, and kubernetes is the mode selected in containerMode above.
  ## with containerMode.type=dind, we will populate the template.spec with following pod spec
  ## template:
  ##   spec:
  ##     initContainers:
  ##     - name: init-dind-externals
  ##       image: ghcr.io/actions/actions-runner:latest
  ##       command: ["cp", "-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"]
  ##       volumeMounts:
  ##         - name: dind-externals
  ##           mountPath: /home/runner/tmpDir
  ##     containers:
  ##     - name: runner
  ##       image: ghcr.io/actions/actions-runner:latest
  ##       command: ["/home/runner/run.sh"]
  ##       env:
  ##         - name: DOCKER_HOST
  ##           value: unix:///run/docker/docker.sock
  ##       volumeMounts:
  ##         - name: work
  ##           mountPath: /home/runner/_work
  ##         - name: dind-sock
  ##           mountPath: /run/docker
  ##           readOnly: true
  ##     - name: dind
  ##       image: docker:dind
  ##       args:
  ##         - dockerd
  ##         - --host=unix:///run/docker/docker.sock
  ##         - --group=$(DOCKER_GROUP_GID)
  ##       env:
  ##         - name: DOCKER_GROUP_GID
  ##           value: "123"
  ##       securityContext:
  ##         privileged: true
  ##       volumeMounts:
  ##         - name: work
  ##           mountPath: /home/runner/_work
  ##         - name: dind-sock
  ##           mountPath: /run/docker
  ##         - name: dind-externals
  ##           mountPath: /home/runner/externals
  ##     volumes:
  ##     - name: work
  ##       emptyDir: {}
  ##     - name: dind-sock
  ##       emptyDir: {}
  ##     - name: dind-externals
  ##       emptyDir: {}
  ######################################################################################################
  ## with containerMode.type=kubernetes, we will populate the template.spec with following pod spec
  ## template:
  ##   spec:
  ##     containers:
  ##     - name: runner
  ##       image: ghcr.io/actions/actions-runner:latest
  ##       command: ["/home/runner/run.sh"]
  ##       env:
  ##         - name: ACTIONS_RUNNER_CONTAINER_HOOKS
  ##           value: /home/runner/k8s/index.js
  ##         - name: ACTIONS_RUNNER_POD_NAME
  ##           valueFrom:
  ##             fieldRef:
  ##               fieldPath: metadata.name
  ##         - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
  ##           value: "true"
  ##       volumeMounts:
  ##         - name: work
  ##           mountPath: /home/runner/_work
  ##     volumes:
  ##       - name: work
  ##         ephemeral:
  ##           volumeClaimTemplate:
  ##             spec:
  ##               accessModes: [ "ReadWriteOnce" ]
  ##               storageClassName: "local-path"
  ##               resources:
  ##                 requests:
  ##                   storage: 1Gi
  spec:
    containers:
      - name: runner
        ## NOTE(review): `latest` is a mutable tag, so the runner image can
        ## change without any change to this file. Pinning a release tag or
        ## a digest (ghcr.io/actions/actions-runner@sha256:<DIGEST_PLACEHOLDER>)
        ## makes the image that runs CI jobs reviewable and reproducible.
        image: 'ghcr.io/actions/actions-runner:latest'
        command:
          - /home/runner/run.sh
        resources:
          requests:
            ## 31 CPUs requested per runner pod (presumably sized so a
            ## runner fills a whole node - confirm against the node pool).
            cpu: 31

## Optional controller service account that needs to have required Role and RoleBinding
## to operate this gha-runner-scale-set installation.
## At installation time the helm chart tries to find the controller deployment
## and its service account. If it cannot find the right service account, the
## value below can be passed explicitly so that the RoleBinding is created for
## the right service account.
## Note: if your controller is installed to only watch a single namespace, you have to pass these values explicitly.
# controllerServiceAccount:
#   namespace: arc-system
#   name: test-arc-gha-runner-scale-set-controller