self-signed certs for actions-runner-controller
1. Create RSA keys for the CA cert and the server cert - this will output `ca.key` and `server.key`

```bash
openssl genrsa -out ca.key 4096
openssl genrsa -out server.key 4096
```
1. Create a `ca.conf` CA config file

```ini
[req]
distinguished_name = req_distinguished_name
# point at the section below; extensions left outside any section are not written into the cert
x509_extensions = v3_ca
prompt = no

[req_distinguished_name]
C = US
ST = SomeState
L = SomeCity
O = SomeOrg
emailAddress = [email protected]
CN = actionrunners.yourorg.com

[v3_ca]
basicConstraints = CA:TRUE
keyUsage = cRLSign, keyCertSign
```
1. Create the CA certificate with the config file - this will output `ca.crt`

```bash
openssl req -x509 -new -sha512 -nodes -key ./ca.key -days 7307 -out ./ca.crt -config ./ca.conf
```

1. Optionally validate that the CA certificate was created successfully

```bash
openssl x509 -noout -text -in ./ca.crt
```
1. Create your server certificate config file, e.g. `server.conf`. All 3 alt names are needed. The `actions-runner-system` segment in the alt names is the namespace; if you are installing into a different namespace, replace `actions-runner-system` with the namespace you are installing to (e.g. `default`)

```ini
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = US
ST = SomeState
L = SomeCity
O = SomeOrg
emailAddress = [email protected]
CN = actionrunners.yourorg.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = webhook-service.actions-runner-system.svc
DNS.2 = webhook-service.actions-runner-system.svc.cluster.local
DNS.3 = actions-runner-controller-webhook.actions-runner-system.svc
```
1. Create the server certificate signing request (CSR) - this will output `server.csr`

```bash
openssl req -new -key ./server.key -out ./server.csr -config ./server.conf
```

1. Create your server certificate - this will output `server.crt`

```bash
openssl x509 -req -in ./server.csr -CA ./ca.crt -CAkey ./ca.key \
  -CAcreateserial -out ./server.crt -days 10000 \
  -extensions v3_req -extfile ./server.conf
```

1. Optionally inspect your server cert to make sure it has the alt names

```bash
openssl x509 -noout -text -in ./server.crt
```
1. Base64-encode the CA cert and copy it to the clipboard

```bash
# strip line wrapping (GNU base64 wraps at 76 chars); caBundle must be a single line
CA_BUNDLE=$(base64 < ca.crt | tr -d '\n')
echo "$CA_BUNDLE" | pbcopy
```
1. Set the `admissionWebHooks.caBundle` value in the `values.yaml` to the base64 value of the CA cert - you may have to remove the extra `{}` under `admissionWebHooks`

```yaml
admissionWebHooks:
  # {} # need to remove this
  caBundle: "Ci0tL..."
```

1. In the `values.yaml`, ensure `certManagerEnabled` is set to `false`

```yaml
certManagerEnabled: false
```

1. Create your certificate secrets using `kubectl` - both of these are needed

```bash
kubectl create secret tls webhook-server-cert -n actions-runner-system --cert=./server.crt --key=./server.key
kubectl create secret tls actions-runner-controller-serving-cert -n actions-runner-system --cert=./server.crt --key=./server.key
```

1. Run the `helm upgrade` command to install the controller

```bash
helm upgrade --install --namespace actions-runner-system --create-namespace --wait actions-runner-controller actions-runner-controller/actions-runner-controller --values ./values.yaml
```
1. Ensure that your actions-runner-controller pod has started - if it fails, describe the pod and check the events

1. Deploy your runners

```bash
kubectl apply -f runner.yaml --namespace default
```

1. Ensure that your runner pods have started; check GitHub to see if your runners show there also