Improvements on github actions runner

maddevsio · Aug 22, 2024 · 89098e0 · 89098e0
1 parent 9e20f6a
commit 89098e0
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 18 deletions.
diff --git a/terraform/modules/k8s-addons/eks-fargate-app.tf b/terraform/modules/k8s-addons/eks-fargate-app.tf
@@ -6,7 +6,7 @@ locals {
   }
 }
 
-resource "kubectl_manifest" "fargate_app_serice" {
+resource "kubectl_manifest" "fargate_app_service" {
   count = local.fargate_app.enabled ? 1 : 0
 
   yaml_body = <<EOF
@@ -113,7 +113,7 @@ EOF
 
   depends_on = [
     module.fargate_namespace,
-    kubectl_manifest.fargate_app_serice,
+    kubectl_manifest.fargate_app_service,
     helm_release.ingress_nginx
   ]
 }
diff --git a/terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf b/terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf
@@ -8,7 +8,7 @@ locals {
   }
   kube_github_runner_github_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "github_pat_token", "")
   service_account_name            = "gha-runner-scale-set-gha-rs-no-permission"
-  eks_oidc_provider_url = replace(local.eks_oidc_provider_arn, "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/", "")
+  eks_oidc_provider_url           = replace(local.eks_oidc_provider_arn, "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/", "")
 
   gha_runner_scale_set_values = <<VALUES
 githubConfigUrl: "https://github.com/madopsio/madactions"
@@ -27,6 +27,7 @@ containerMode:
 
 template:
   spec:
+    serviceAccountName: ${local.service_account_name}
     containers:
       - name: runner
         image: ghcr.io/actions/actions-runner:latest
@@ -40,35 +41,51 @@ template:
       nodegroup: ci
 
 controllerServiceAccount:
-  namespace: github-runner
+  namespace: ${local.gha_runner_scale_set.namespace}
   name: gha-runner-scale-set-controller-gha-rs-controller
 VALUES
 }
 
+resource "kubectl_manifest" "github_runner_service_account" {
+  count = local.gha_runner_scale_set.enabled ? 1 : 0
+
+  yaml_body = <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.gha_runner_scale_set.name}-role
+  finalizers:
+  - actions.github.com/cleanup-protection
+  labels:
+    actions.github.com/scale-set-name: gha-runner-scale-set
+    actions.github.com/scale-set-namespace: ${local.gha_runner_scale_set.namespace}
+    app.kubernetes.io/instance: gha-runner-scale-set
+    app.kubernetes.io/name: gha-runner-scale-set
+    app.kubernetes.io/part-of: gha-rs
+  name: ${local.service_account_name}
+  namespace: ${local.gha_runner_scale_set.namespace}
+EOF
+
+  depends_on = [module.gha_runner_scale_set_controller_namespace]
+}
+
 resource "helm_release" "gha_runner_scale_set" {
   count = local.gha_runner_scale_set.enabled ? 1 : 0
 
   name        = local.gha_runner_scale_set.name
   chart       = local.gha_runner_scale_set.chart
   version     = local.gha_runner_scale_set.chart_version
-  namespace   = module.gha_runner_scale_set_controller_namespace[count.index].name
+  namespace   = local.gha_runner_scale_set.namespace
   max_history = var.helm_release_history_size
 
   values = [
     local.gha_runner_scale_set_values
   ]
-  depends_on = [module.gha_runner_scale_set_controller_namespace]
-}
-
-resource "null_resource" "k8s_service_account_patch" {
-  count = local.gha_runner_scale_set.enabled ? 1 : 0
-  provisioner "local-exec" {
-    command = <<EOH
-      kubectl patch serviceaccount ${local.service_account_name} -n ${module.gha_runner_scale_set_controller_namespace[0].name} \
-      -p '{"metadata": {"annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/gha-runner-scale-set-role"}}}'
-    EOH
-  }
-   depends_on = [ helm_release.gha_runner_scale_set ]
+  depends_on = [
+    module.gha_runner_scale_set_controller_namespace,
+    kubectl_manifest.github_runner_service_account
+  ]
 }
 
 resource "aws_iam_role" "github_actions_runner_role" {
@@ -93,7 +110,7 @@ data "aws_iam_policy_document" "github_actions_runner_assume_role_policy" {
     condition {
       test     = "StringEquals"
       variable = "${local.eks_oidc_provider_url}:sub"
-      values   = ["system:serviceaccount:${module.gha_runner_scale_set_controller_namespace[0].name}:${local.service_account_name}"]
+      values   = ["system:serviceaccount:${local.gha_runner_scale_set.namespace}:${local.service_account_name}"]
     }
   }
 }