Aws runners

arc/Makefile

@@ -23,13 +23,27 @@ runners:
 	# clean them up when the pod is killed, and we have argocd to take care
 	# of cleanup anyway.
 
+	$(eval RUNNER=system-exp-aws)
+	helm template \
+		oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set --version $(VERSION) \
+		--namespace $(NAMESPACE) \
+		--values runner/common-values.yaml --values runner/$(RUNNER)/values.yaml | yq 'del(.metadata.finalizers)' \
+		> runner/$(RUNNER)/generated-manifests.yaml
+
 	$(eval RUNNER=system-exp-merit)
 	helm template \
 		oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set --version $(VERSION) \
 		--namespace $(NAMESPACE) \
 		--values runner/common-values.yaml --values runner/$(RUNNER)/values.yaml | yq 'del(.metadata.finalizers)' \
 		> runner/$(RUNNER)/generated-manifests.yaml
 
+	$(eval RUNNER=system-dev-aws)
+	helm template \
+		oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set --version $(VERSION) \
+		--namespace $(NAMESPACE) \
+		--values runner/common-values.yaml --values runner/$(RUNNER)/values.yaml | yq 'del(.metadata.finalizers)' \
+		> runner/$(RUNNER)/generated-manifests.yaml
+
 	$(eval RUNNER=system-dev-merit)
 	helm template \
 		oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set --version $(VERSION) \

arc/runner/common-values.yaml

@@ -4,15 +4,6 @@ githubConfigSecret: arc-auth
 
 minRunners: 1
 
-containerMode:
-  type: "kubernetes"
-  kubernetesModeWorkVolumeClaim:
-    accessModes: ["ReadWriteOnce"]
-    storageClassName: "netapp-ontap-san-ext4"
-    resources:
-      requests:
-        storage: 5Gi
-
 template:
   spec:
     # https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors#error-access-to-the-path-homerunner_work_tool-is-denied

arc/runner/system-dev-aws/generated-manifests.yaml

@@ -0,0 +1,217 @@
+---
+# Source: gha-runner-scale-set/templates/kube_mode_serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: system-dev-aws-gha-rs-kube-mode
+  namespace: sys-actions
+  labels:
+    helm.sh/chart: gha-rs-0.9.3
+    app.kubernetes.io/name: system-dev-aws
+    app.kubernetes.io/instance: system-dev-aws
+    app.kubernetes.io/version: "0.9.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: gha-rs
+    actions.github.com/scale-set-name: system-dev-aws
+    actions.github.com/scale-set-namespace: sys-actions
+---
+# Source: gha-runner-scale-set/templates/kube_mode_role.yaml
+# default permission for runner pod service account in kubernetes mode (container hook)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system-dev-aws-gha-rs-kube-mode
+  namespace: sys-actions
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get", "create"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "delete"]
+---
+# Source: gha-runner-scale-set/templates/manager_role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system-dev-aws-gha-rs-manager
+  namespace: sys-actions
+  labels:
+    helm.sh/chart: gha-rs-0.9.3
+    app.kubernetes.io/name: system-dev-aws
+    app.kubernetes.io/instance: system-dev-aws
+    app.kubernetes.io/version: "0.9.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: gha-rs
+    actions.github.com/scale-set-name: system-dev-aws
+    actions.github.com/scale-set-namespace: sys-actions
+    app.kubernetes.io/component: manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - create
+      - delete
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - pods/status
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+    verbs:
+      - create
+      - delete
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+    verbs:
+      - create
+      - delete
+      - get
+      - patch
+      - update
+---
+# Source: gha-runner-scale-set/templates/kube_mode_role_binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system-dev-aws-gha-rs-kube-mode
+  namespace: sys-actions
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system-dev-aws-gha-rs-kube-mode
+subjects:
+  - kind: ServiceAccount
+    name: system-dev-aws-gha-rs-kube-mode
+    namespace: sys-actions
+---
+# Source: gha-runner-scale-set/templates/manager_role_binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system-dev-aws-gha-rs-manager
+  namespace: sys-actions
+  labels:
+    helm.sh/chart: gha-rs-0.9.3
+    app.kubernetes.io/name: system-dev-aws
+    app.kubernetes.io/instance: system-dev-aws
+    app.kubernetes.io/version: "0.9.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: gha-rs
+    actions.github.com/scale-set-name: system-dev-aws
+    actions.github.com/scale-set-namespace: sys-actions
+    app.kubernetes.io/component: manager-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system-dev-aws-gha-rs-manager
+subjects:
+  - kind: ServiceAccount
+    name: arc-gha-rs-controller
+    namespace: sys-actions
+---
+# Source: gha-runner-scale-set/templates/autoscalingrunnerset.yaml
+apiVersion: actions.github.com/v1alpha1
+kind: AutoscalingRunnerSet
+metadata:
+  name: system-dev-aws
+  namespace: sys-actions
+  labels:
+    app.kubernetes.io/component: "autoscaling-runner-set"
+    helm.sh/chart: gha-rs-0.9.3
+    app.kubernetes.io/name: system-dev-aws
+    app.kubernetes.io/instance: system-dev-aws
+    app.kubernetes.io/version: "0.9.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: gha-rs
+    actions.github.com/scale-set-name: system-dev-aws
+    actions.github.com/scale-set-namespace: sys-actions
+  annotations:
+    actions.github.com/values-hash: ab387bab7a9422c73cd7554fb0e23d9b0ecc0bfa28564d8f5f00a55eb397725
+    actions.github.com/cleanup-manager-role-binding: system-dev-aws-gha-rs-manager
+    actions.github.com/cleanup-manager-role-name: system-dev-aws-gha-rs-manager
+    actions.github.com/cleanup-kubernetes-mode-role-binding-name: system-dev-aws-gha-rs-kube-mode
+    actions.github.com/cleanup-kubernetes-mode-role-name: system-dev-aws-gha-rs-kube-mode
+    actions.github.com/cleanup-kubernetes-mode-service-account-name: system-dev-aws-gha-rs-kube-mode
+spec:
+  githubConfigUrl: https://github.com/utilitywarehouse
+  githubConfigSecret: arc-auth
+  runnerScaleSetName: system-dev-aws
+  minRunners: 1
+  template:
+    spec:
+      securityContext:
+        fsGroup: 123
+      restartPolicy: Never
+      serviceAccountName: system-dev-aws-gha-rs-kube-mode
+      containers:
+        - name: runner
+          command:
+            - /home/runner/run.sh
+          image: ghcr.io/actions/actions-runner:latest
+          env:
+            - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+              value: "false"
+            - name: ACTIONS_RUNNER_CONTAINER_HOOKS
+              value: /home/runner/k8s/index.js
+            - name: ACTIONS_RUNNER_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          volumeMounts:
+            - name: work
+              mountPath: /home/runner/_work
+      volumes:
+        - name: work
+          ephemeral:
+            volumeClaimTemplate:
+              spec:
+                accessModes:
+                  - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: 5Gi
+                storageClassName: ebs-gp3-encrypted

arc/runner/system-dev-aws/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- generated-manifests.yaml

arc/runner/system-dev-aws/values.yaml

@@ -0,0 +1,10 @@
+runnerScaleSetName: system-dev-aws
+
+containerMode:
+  type: kubernetes
+  kubernetesModeWorkVolumeClaim:
+    accessModes: [ReadWriteOnce]
+    storageClassName: ebs-gp3-encrypted
+    resources:
+      requests:
+        storage: 5Gi

arc/runner/system-dev-merit/values.yaml

@@ -1 +1,10 @@
-runnerScaleSetName: "system-dev-merit"
+runnerScaleSetName: system-dev-merit
+
+containerMode:
+  type: kubernetes
+  kubernetesModeWorkVolumeClaim:
+    accessModes: [ReadWriteOnce]
+    storageClassName: netapp-ontap-san-ext4
+    resources:
+      requests:
+        storage: 5Gi