feat: add extended proxy support (#62)

Author: eksrha

README.md

@@ -43,16 +43,94 @@ Available Tags:
 
 For the helm values see the [values.yaml](https://github.com/fullstack-devops/helm-charts/blob/main/charts/github-actions-runner/values.yaml), section `envValues`
 
-| Variable          | Type   | Default                  | Description                                                          |
-| ----------------- | ------ | ------------------------ | -------------------------------------------------------------------- |
-| `GH_URL`          | string | `https://github.com`     | For GitHub Enterprise support                                        |
-| `GH_API_ENDPOINT` | string | `https://api.github.com` | For GitHub Enterprise support eg.: `https://git.example.com/api/v3/` |
-| `KANIKO_ENABLED`  | bool   | `false`                  | enable builds with kaniko (works only with kaniko-sidecar)           |
+| Variable                 | Type   | Default                  | Description                                                               |
+| ------------------------ | ------ | ------------------------ | ------------------------------------------------------------------------- |
+| `GH_URL`                 | string | `https://github.com`     | For GitHub Enterprise support                                             |
+| `GH_API_ENDPOINT`        | string | `https://api.github.com` | For GitHub Enterprise support eg.: `https://git.example.com/api/v3/`      |
+| `KANIKO_ENABLED`         | bool   | `false`                  | enable builds with kaniko (works only with kaniko-sidecar)                |
+| `PROXY_PAC`              | string | -                        | proxy pac file url                                                        |
+| `PROXY_NTLM_CREDENTIALS` | string | -                        | (required when `PROXY_PAC` is set) credentials when connecting with proxy |
 
 ---
 
+## Proxy Support
+
+The way out ;)
+
+- Getting the Software to create the Credentials: https://github.com/samuong/alpaca/releases
+- Creating your NTML Cerdentials `alpaca -d <windows-domain (optional)> -u <windows-user> -H`
+- Set the env variables `PROXY_PAC` and `PROXY_NTLM_CREDENTIALS` in your container, pod or helm-chart
+- If you want to use the proxy service in your github-action checkout the examples
+
 ## Examples
 
+### Proxy in github actions
+
+#### for only one step
+
+```yaml
+name: Deploy from internet
+
+on:
+
+jobs:
+  add-helm-chart:
+    runs-on: [self-hosted, ansible] # look for default tags or your own
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: check helm chart
+        env:
+          http_proxy: http://localhost:3128
+          https_proxy: http://localhost:3128
+          no_proxy: "197.0.0.0/8,*.internal.net" # replace with you internal reachable adresses
+        run: |
+          helm repo add fs-devops https://fullstack-devops.github.io/helm-charts/
+          helm repo add sonatype https://sonatype.github.io/helm3-charts/
+
+      - name: do something here
+
+      - name: remove check helm chart
+        if: always()
+        run: |
+          helm repo remove fs-devops
+          helm repo remove sonatype
+```
+
+#### for whole workflow
+
+```yaml
+name: Deploy from internet
+
+on:
+
+env:
+  http_proxy: http://localhost:3128
+  https_proxy: http://localhost:3128
+  no_proxy: "197.0.0.0/8,*.internal.net" # replace with you internal reachable adresses
+
+jobs:
+  add-helm-chart:
+    runs-on: [self-hosted, ansible] # look for default tags or your own
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: check helm chart
+        run: |
+          helm repo add fs-devops https://fullstack-devops.github.io/helm-charts/
+          helm repo add sonatype https://sonatype.github.io/helm3-charts/
+
+      - name: do something here
+
+      - name: remove check helm chart
+        if: always()
+        run: |
+          helm repo remove fs-devops
+          helm repo remove sonatype
+```
+
 ### docker
 
 If you are using `docker` or `podman` the options and commands are basically the same.

images/base/helper-scripts/detect-setup.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 
 CA_FILE="/etc/ssl/certs/ca-certificates.crt"
-CUSTOM_CA_FILE="/etc/ssl/certs/custom/ca-certificates.crt"
 
 importCertOldJava () {
     alias=$(openssl x509 -noout -subject -in "$1" | awk -F= '{print $NF}' | sed -e 's/^[ \t]*//' | sed -e 's/ /_/g')
@@ -15,9 +14,8 @@ importCertNewJava () {
     keytool -importcert -alias $alias -cacerts -storepass changeit -file $1 -noprompt -trustcacerts
 }
 
-# merge custom ca file
-if [ -f "$CA_FILE" ]; then
-    cat $CUSTOM_CA_FILE >> $CA_FILE
+if test -r $CA_FILE; then 
+    echo "[WARN] no permissions on $CA_FILE"
 fi
 
 # yarn

images/base/helper-scripts/gh-entrypoint.sh

@@ -1,22 +1,44 @@
 #!/bin/bash
 
+echo "#####################"
+echo "Running entrypoint.sh"
+echo ""
+
 # connection details
-last_char="${GH_URL: -1}"
-[[ $last_char == "/" ]] && GH_URL="${GH_URL::-1}"
-readonly _GH_URL="${GH_URL:-https://github.com}"
+if [ -n "$GH_URL" ]; then
+    last_char="${GH_URL: -1}"
+    [[ $last_char == "/" ]] && GH_URL="${GH_URL::-1}"
+    readonly _GH_URL="$GH_URL"
+    echo "Using custom GitHub enterprise instance:           $_GH_URL"
+else
+    readonly _GH_URL="https://github.com"
+    echo "Using default GitHub instance:                     $_GH_URL"
+fi
 
-last_char="${GH_API_ENDPOINT: -1}"
-[[ $last_char == "/" ]] && GH_API_ENDPOINT="${GH_API_ENDPOINT::-1}"
-readonly _GH_API_ENDPOINT="${GH_API_ENDPOINT:-https://api.github.com}"
+if [ -n "$GH_API_ENDPOINT" ]; then
+    last_char="${GH_API_ENDPOINT: -1}"
+    [[ $last_char == "/" ]] && GH_API_ENDPOINT="${GH_API_ENDPOINT::-1}"
+    readonly _GH_API_ENDPOINT="$GH_API_ENDPOINT"
+    echo "Using custom api url:                              $_GH_API_ENDPOINT"
+else
+    # if GH_API_ENDPOINT not specified but GH_URL
+    if [ -n "$GH_URL" ]; then
+        readonly _GH_API_ENDPOINT="$_GH_URL/api/v3"
+        echo "Using custom GitHub instance with default api url: $_GH_API_ENDPOINT"
+    else
+        readonly _GH_API_ENDPOINT="https://api.github.com"
+        echo "Using default GitHub instance:                     $_GH_API_ENDPOINT"
+    fi
+fi
 
 # Org/ Repo details
 if [ -n "$GH_ORG" ]; then
     readonly RUNNER_URL="${_GH_URL}/${GH_ORG}"
     readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/orgs/${GH_ORG}/actions/runners/registration-token"
-elif [ -n "$GH_ORG" ] && [ -n "$GH_REPO" ]; then
+    elif [ -n "$GH_ORG" ] && [ -n "$GH_REPO" ]; then
     readonly RUNNER_URL="${_GH_URL}/${GH_ORG}/${GH_REPO}"
     readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/repos/${GH_ORG}/${GH_REPO}/actions/runners/registration-token"
-elif [ -n "$GH_ENTERPRISE" ]; then
+    elif [ -n "$GH_ENTERPRISE" ]; then
     readonly RUNNER_URL="${_GH_URL}/${GH_ENTERPRISE}"
     readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/enterprises/${GH_ENTERPRISEs}/actions/runners/registration-token"
 else
@@ -30,7 +52,7 @@ fi
 # access details
 if [ ! -z "$RUNNER_TOKEN" ]; then
     readonly REG_TOKEN=$RUNNER_TOKEN
-elif [ ! -z $GH_ACCESS_TOKEN ]; then
+    elif [ ! -z $GH_ACCESS_TOKEN ]; then
     readonly REG_TOKEN=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output)
 else
     echo "Please provide one of the Environment Variables:"
@@ -40,43 +62,59 @@ fi
 
 if [ -z ${RUNNER_HOME} ]; then
     echo "Environment variable 'RUNNER_HOME' is not set"
-    exit 1
+    exit 255
 fi
 
 if [ "$KANIKO_ENABLED" == "true" ]; then
     readonly GH_WORKDIR=$GH_KANIKO_WORKDIR
-    echo "Build container via Kaniko: enabled"
+    echo "Build container via Kaniko:                        enabled"
     GH_RUNNER_LABELS="${GH_RUNNER_LABELS},kaniko"
 else
     readonly GH_WORKDIR=$GH_RUNNER_WORKDIR
-    echo "Build container via Kaniko: disabled"
+    echo "Build container via Kaniko:                        disabled"
 fi
 
-echo "Connecting runner to:       $RUNNER_URL"
-echo "Individual Runner Name:     $HOSTNAME"
-echo "Runner Home:                $RUNNER_HOME"
+echo "Connecting runner to:                              $RUNNER_URL"
+echo "Individual Runner Name:                            $HOSTNAME"
+echo "Runner Home:                                       $RUNNER_HOME"
+echo ""
+
+# proxy support
+if [ -n "$PROXY_PAC" ]; then
+    echo "Using configured Proxy PAC"
+    if [ ! -n "$PROXY_NTLM_CREDENTIALS" ]; then
+        echo "Please provide the Environment Variable 'PROXY_NTLM_CREDENTIALS'"
+        exit 255
+    fi
+    NTLM_CREDENTIALS="$PROXY_NTLM_CREDENTIALS" alpaca -C "$PROXY_PAC" >/dev/null 2>&1 &
+    unset PROXY_NTLM_CREDENTIALS
+    echo $! >/tmp/proxy_pid
+fi
 
-echo "Running setup fpr installed software..."
+echo ""
+echo "Running setup for installed software..."
 /helper-scripts/detect-setup.sh
 
+echo "configure GitHub runner"
 ${RUNNER_HOME}/config.sh \
-    --name $HOSTNAME \
-    --token $REG_TOKEN \
-    --work $GH_WORKDIR \
-    --url "$RUNNER_URL" \
-    --labels $GH_RUNNER_LABELS \
-    --unattended \
-    --replace
-echo "Runner configured"
+--name $HOSTNAME \
+--token $REG_TOKEN \
+--work $GH_WORKDIR \
+--url "$RUNNER_URL" \
+--labels $GH_RUNNER_LABELS \
+--runnergroup ${GH_RUNNER_GROUP:-'default'} \
+--unattended \
+--replace
+echo "GitHub runner configured"
 
 cleanup() {
     echo "Removing runner..."
     if [ ! -z "$RUNNER_TOKEN" ]; then
-        readonly REG_TOKEN=$RUNNER_TOKEN
-    elif [ ! -z $GH_ACCESS_TOKEN ]; then
-        readonly REG_TOKEN=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output)
+        readonly REG_TOKEN_RM=$RUNNER_TOKEN
+        elif [ ! -z $GH_ACCESS_TOKEN ]; then
+        readonly REG_TOKEN_RM=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output)
     fi
-    ${RUNNER_HOME}/config.sh remove --token ${REG_TOKEN}
+    ${RUNNER_HOME}/config.sh remove --token ${REG_TOKEN_RM}
     exit 1
 }