Procedure for ARC on GHES #957
Replies: 5 comments 2 replies
-
I've also confirmed that if you're using Let's Encrypt, there's no need to pass the certificate to the controller and runners. It's already trusted. |
Beta Was this translation helpful? Give feedback.
-
With #952 merged (chart released soon) you no longer need to hand edit your |
Beta Was this translation helpful? Give feedback.
-
@toast-gear Thanks for getting this update done. I'm ready to test it out but am not sure how to properly pull the changes down having not worked with helm very much prior to this. If I do a helm update and helm pull, I still see the older deployment.yaml. I can pull the deployment.yaml from this repo and place it in my local helm copy but would prefer to understand the right way to do this.
|
Beta Was this translation helpful? Give feedback.
-
@brunocous Hi! 👋 Thanks for doing the work in this Issue. Can you provide an example for the formatting to be used in the values.yaml? I'm trying a few different ways, and they're all failing. I'm sure I'm not formatting it properly.
This is producing this error: cc @toast-gear |
Beta Was this translation helpful? Give feedback.
-
@gscho Thank you for getting that fixed and also for figuring out the settings to use in values.yml for the SSL dir and the GHES URL. I was able to get the ARC deployed successfully with the following settings in my values.yml:
@toast-gear Once you get a new helm release done, let me know and I'll update the documentation above. I have a couple of additional questions. The first is that we still can't seem to get this working using https for the webhook server load balancer. @gscho was able to see in the code that it binds to port 8000 so we have tried updating the values.yml service definition to look like this:
The instance successfully comes into the service in the load balancer, but when configuring the webhook in the repo to use https instead of http, the delivery response that comes back says "We couldn't deliver this payload: server gave HTTP response to HTTPS client" in the webhook deliveries section. The other question I have is regarding the mounting to the ssl certificate at /etc/ssl/certs for both the runner and controller. I believe there are already a bunch of certs in that directory before we're mounting our GHES certificate in that location. Are we impacting anything negatively by doing this such that it would make sense to mount it in a different location? |
Beta Was this translation helpful? Give feedback.
-
Hi, all. 👋 I was able to get ARC working with ephemeral, auto-scaling runners triggered via webhook on our internal release candidate GHES 3.3.0.rc1 using a self-signed certificate. The process is much simpler for getting ARC working on GHEC due to the fact that github.com is signed by DigiCert and is trusted by both the controller and the runners. In attempting to get ARC connected to GHES, there were problems with both the controller's and the runners' SSL connections back to the GHES appliance. With the help of our internal Actions team, we worked through how to get the cert from the GHES appliance to be made available on both the runner and the controller.
We'd like to use this discussion to figure out how to make the process more efficient and what changes may need to be made to the Helm chart(s). I haven't been able to test this yet with a GHES appliance enabled with Let's Encrypt as my GHES instances are deployed into AWS and it won't me allow to sign them with the AWS domain.
Here's the procedure:
Configuring the actions-runner-controller(ARC) for GHES 3.3.0.rc1
This procedure assumes you're using a self-signed certificate for your GHES appliance, and the commands are being executed from a laptop/workstation unless otherwise specified. The ARC will be deployed at the org level for an organization called harkonnens. I used EKS in AWS with an EKS node group for the Kubernetes cluster.
aws eks --region us-east-1 update-kubeconfig --name <EKS cluster name>
kubectl config set-context <context name>
helm repo add jetstack https://charts.jetstack.io
git clone [email protected]:actions-runner-controller/actions-runner-controller.git
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.6.0 --set installCRDs=true
kubectl create ns actions-runner-system
kubectl create secret generic controller-manager -n actions-runner-system --from-literal=github_token=<PAT value>
kubectl create secret generic ghecert -n actions-runner-system --from-file=ghe.crt
(Secret for the GHES cert to be used by the actions-runner-controller)kubectl create secret generic ghecert --from-file=ghe.crt
(Secret for the GHES cert to be used by the runners which will be deployed into the default namespace)and
helm upgrade --install -f values.yaml -n actions-runner-system actions-runner-controller ./actions-runner-controller
Point the ARC at your GHES appliance.
17.
kubectl set env deploy -n actions-runner-system actions-runner-controller -c manager GITHUB_ENTERPRISE_URL=https://<hostname of your GHES appliance or load balancer> --namespace actions-runner-system
Tell the controller where to look for the GHES certificate
18.
kubectl set env deploy -n actions-runner-system actions-runner-controller -c manager SSL_CERT_DIR=/etc/ssl/certs --namespace actions-runner-system
kubectl apply -f runnerdeployment.yaml
If you look at the logs for the RunnerDeployment pod, you should now see it connected to GitHub and listening for jobs.
Create an hra.yaml with the following contents(tweak the settings as desired):
kubectl apply -f hra.yaml
One question I have is regarding the webhook server. The load balancer services that we spin up is listening on port 80. Will this support 443? I believe I've tried changing the values.yml to use 443 for the service, and the instance behind the load balancer never went into service.
Beta Was this translation helpful? Give feedback.
All reactions