Skip to content

Commit e0feb3b

Browse files
khaykinglebkhaykingleb
authored
Fix orphan no-permission ServiceAccount in kubernetes-novolume mode (#4455)
1 parent 74cfc38 commit e0feb3b

File tree

2 files changed

+41
-1
lines changed

2 files changed

+41
-1
lines changed

charts/gha-runner-scale-set/templates/no_permission_serviceaccount.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.noPermissionServiceAccount) }}
22
{{- $containerMode := .Values.containerMode }}
3-
{{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
3+
{{- if and (ne $containerMode.type "kubernetes") (ne $containerMode.type "kubernetes-novolume") (not .Values.template.spec.serviceAccountName) }}
44
apiVersion: v1
55
kind: ServiceAccount
66
metadata:

charts/gha-runner-scale-set/tests/template_test.go

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -335,6 +335,46 @@ func TestTemplateRenderedSetServiceAccountToKubeNoVolumeMode(t *testing.T) {
335335
assert.Equal(t, expectedServiceAccountName, ars.Annotations[actionsgithubcom.AnnotationKeyKubernetesModeServiceAccountName])
336336
}
337337

338+
func TestTemplateRenderedNoPermissionServiceAccountNotRenderedInKubernetesModes(t *testing.T) {
339+
t.Parallel()
340+
341+
for _, mode := range []string{"kubernetes", "kubernetes-novolume"} {
342+
t.Run("containerMode "+mode, func(t *testing.T) {
343+
helmChartPath, err := filepath.Abs("../../gha-runner-scale-set")
344+
require.NoError(t, err)
345+
346+
releaseName := "test-runners"
347+
namespaceName := "test-" + strings.ToLower(random.UniqueId())
348+
349+
options := &helm.Options{
350+
Logger: logger.Discard,
351+
SetValues: map[string]string{
352+
"githubConfigUrl": "https://github.com/actions",
353+
"githubConfigSecret.github_token": "gh_token12345",
354+
"controllerServiceAccount.name": "arc",
355+
"controllerServiceAccount.namespace": "arc-system",
356+
"containerMode.type": mode,
357+
},
358+
KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
359+
}
360+
361+
_, err = helm.RenderTemplateE(
362+
t,
363+
options,
364+
helmChartPath,
365+
releaseName,
366+
[]string{"templates/no_permission_serviceaccount.yaml"},
367+
)
368+
assert.ErrorContains(
369+
t,
370+
err,
371+
"could not find template templates/no_permission_serviceaccount.yaml in chart",
372+
"no permission service account should not be rendered in "+mode+" mode",
373+
)
374+
})
375+
}
376+
}
377+
338378
func TestTemplateRenderedUserProvideSetServiceAccount(t *testing.T) {
339379
t.Parallel()
340380

0 commit comments

Comments
 (0)