Installing helm chart with helm-generated certificates
Is your feature request related to a problem? Please describe.
I've been using actions-runner-controller with cert-manager for a while, and for some reason cert-manager occasionally keeps breaking. Due to how cert-manager works, it's hard to recover from issues, so I want to install actions-runner-controller with self-signed certificates instead of certificates generated by cert-manager. With helm template functions like genSignedCert and genCA, we can use certificates generated by helm instead of cert-manager's. #834 already exists, but I wanted to handle this issue without any additional steps.
I'm already using helm in this way, but before making a PR I wanted to check whether my idea is acceptable.
Describe the solution you'd like
- (via values.yaml) accepts whether or not to enable self-signed certificates
- generates certificates using helm template function genCA, genSignedCert
- apply resources to webhook admission resources (templates/webhook_configs.yaml)
Additional context
- possible duplicated issue: https://github.com/actions-runner-controller/actions-runner-controller/issues/1029
- renewal of the certificate is managed by the user, or just give it 10 years to expire ¯_(ツ)_/¯
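
A sketch of the approach proposed above, as an added example that is not part of the original issue or the chart's own templates. The values keys (selfSignedCert.enabled, selfSignedCert.validityDays), the resource names, the webhook name and the path are hypothetical placeholders; genCA, genSignedCert and b64enc are the standard Helm/Sprig functions.

```yaml
{{- /* Added example. Both resources live in ONE template file on purpose:
       template variables are file-scoped, so a second genCA call in another
       file would mint a different CA and the caBundle would not match. */ -}}
{{- if .Values.selfSignedCert.enabled }}
{{- $svc := printf "%s-webhook" .Release.Name }}
{{- $dns := list (printf "%s.%s.svc" $svc .Release.Namespace) (printf "%s.%s.svc.cluster.local" $svc .Release.Namespace) }}
{{- /* 3650 days mirrors the "10 years" suggestion; renewal is then manual. */}}
{{- $days := int (.Values.selfSignedCert.validityDays | default 3650) }}
{{- $ca := genCA (printf "%s-ca" $svc) $days }}
{{- /* The API server validates the serving cert against the service DNS names. */}}
{{- $cert := genSignedCert (index $dns 0) (list) $dns $days $ca }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $svc }}-tls            # hypothetical name; mount it into the webhook server
  namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
  ca.crt: {{ $ca.Cert | b64enc }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ $svc }}
webhooks:
  - name: mutate.webhook.example.invalid   # placeholder webhook name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      caBundle: {{ $ca.Cert | b64enc }}    # same $ca that signed tls.crt above
      service:
        name: {{ $svc }}
        namespace: {{ .Release.Namespace }}
        path: /mutate                      # placeholder path
    # rules omitted here; they stay as in the chart's existing webhook template
{{- end }}
```

Every render of this template produces a new CA and key pair, so the Secret and the caBundle change on each `helm upgrade` or `helm template` run, and the CA private key is discarded after rendering.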
@zzzz465 Hey!
Those helm template functions work poorly in a declarative setup (deployments with terraform, helmfile, helmwave, perhaps argocd, etc.) so I don't think that will be the standard.
But as ARC is a community-driven project, I'd say I might merge your pull request, if it has significantly good documentation that makes it easy for us maintainers to keep the feature maintained and supported! (99% of new github issues we receive these days are just questions and requests for usage which we don't have much resource to afford so...)
Well, can you just do that without relying on genCA, genSignedCert, by providing certificates and keys to the chart template? If possible, that would be a much preferred method for me.
@mumoshu Thank you for your response.
> Those helm template functions work poorly in a declarative setup (deployments with terraform, helmfile, helmwave, perhaps argocd, etc.) so I don't think that will be the standard.

I'm running actions-runner-controller in my single cluster dedicated to CI/CD, deployed with Argo CD. In my circumstances, certificates are only needed to enable mTLS for the webhook server, so the cert doesn't have to be maintained declaratively. It only needs to be rendered and delivered to the right place.
> Well, can you just do that without relying on genCA, genSignedCert, by providing certificates and keys to the chart template? If possible, that would be a much preferred method for me.

The goal is to deploy the controller without any other solution's help but Argo CD. I couldn't find any way to generate a CA and cert and pass them as chart template values using Argo CD. It would be great if there's actually a way to achieve this.
@zzzz465 Yeah, I hear you, I'm just saying it doesn't look like the right way "to me".
Just wondering, but have you tried building a PoC around your idea? Even Argo CD's own documentation says use of chart template functions to dynamically generate data doesn't work well with Argo CD:
https://argo-cd.readthedocs.io/en/stable/user-guide/helm/#random-data (I believe this holds for genCA and genSignedCert too)
@mumoshu Sorry for the late response. I wasn't in good condition.
I made a PoC on branch feature/gen-cert-1; please check this repo. Thank you.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@zzzz465 Nice PoC, that works for me!
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.