actions · stokkie90 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
@@ -122,6 +122,40 @@ Hook extension ConfigMap name for kubernetes runner mode.
 If runner.kubernetesMode.extension.metadata.name is set, use it.
 Otherwise, default to a name derived from the scale set name.
 */}}
+{{/*
+Validate runner.container fields.
+
+Fails with a descriptive error if:
+- runner.container is set but is not a map/object
+- runner.container.env is set but is not a list
+- runner.container.volumeMounts is set but is not a list
+- runner.container.args is set but is not a list
+- runner.container.securityContext is set but is not a map/object
+- runner.container.volumes is set (unsupported; use runner.pod.spec.volumes)
+*/}}
+{{- define "runner.container.validate" -}}
+{{- $runner := (.Values.runner | default dict) -}}
+{{- $container := ($runner.container | default dict) -}}
+{{- if and (hasKey $runner "container") (not (kindIs "map" $container)) -}}
+  {{- fail "runner.container must be a map/object" -}}
+{{- end -}}
+{{- if and (hasKey $container "env") (not (kindIs "slice" $container.env)) -}}
+  {{- fail "runner.container.env must be a list" -}}
+{{- end -}}
+{{- if and (hasKey $container "volumeMounts") (not (kindIs "slice" $container.volumeMounts)) -}}
+  {{- fail "runner.container.volumeMounts must be a list" -}}
+{{- end -}}
+{{- if hasKey $container "volumes" -}}
+  {{- fail "runner.container.volumes is not supported; use runner.pod.spec.volumes" -}}
+{{- end -}}
+{{- if and (hasKey $container "args") (not (kindIs "slice" $container.args)) -}}
+  {{- fail "runner.container.args must be a list" -}}
+{{- end -}}
+{{- if and (hasKey $container "securityContext") (not (kindIs "map" $container.securityContext)) -}}
+  {{- fail "runner.container.securityContext must be a map/object" -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "runner-mode-kubernetes.extension-name" -}}
 {{- $runner := (.Values.runner | default dict) -}}
 {{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}

@@ -1,4 +1,7 @@
 {{- define "runner-mode-dind.runner-container" -}}
+{{- include "runner.container.validate" . -}}
+{{- $runner := (.Values.runner | default dict) -}}
+{{- $container := ($runner.container | default dict) -}}
 name: runner
 image: {{ include "runner.image" . | quote }}
 command: {{ include "runner.command" . }}
@@ -15,7 +18,11 @@ volumeMounts:
     mountPath: /home/runner/_work
   - name: dind-sock
     mountPath: {{ include "runner-mode-dind.sock-mount-dir" . | quote }}
-  {{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }}
+  {{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 -}}
+{{- $extra := omit $container "name" "image" "command" "env" "volumeMounts" -}}
+{{- if not (empty $extra) }}
+{{ toYaml $extra -}}
+{{- end -}}
 {{- end }}
 
 {{- define "runner-mode-dind.dind-container" -}}

@@ -1,5 +1,7 @@
 {{- define "runner-mode-kubernetes.runner-container" -}}
+{{- include "runner.container.validate" . -}}
 {{- $runner := (.Values.runner | default dict) -}}
+{{- $container := ($runner.container | default dict) -}}
 {{- $kubeMode := (index $runner "kubernetesMode" | default dict) -}}
 {{- $hookPath := (index $kubeMode "hookPath" | default "/home/runner/k8s/index.js") -}}
 {{- $extensionRef := (index $kubeMode "extensionRef" | default "") -}}
@@ -82,7 +84,11 @@ volumeMounts:
     subPath: extension
     readOnly: true
   {{- end }}
-  {{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 }}
+  {{ include "githubServerTLS.volumeMountItem" (dict "root" $ "existingVolumeMounts" (list)) | nindent 2 -}}
+{{- $extra := omit $container "name" "image" "command" "env" "volumeMounts" -}}
+{{- if not (empty $extra) }}
+{{ toYaml $extra -}}
+{{- end -}}
 {{- end }}
 
 {{- define "runner-mode-kubernetes.pod-volumes" -}}

@@ -400,6 +400,171 @@ tests:
             name: cache
             mountPath: /cache
 
+  - it: should pass extra fields from runner.container to the runner container in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container:
+          securityContext:
+            runAsUser: 1000
+          resources:
+            limits:
+              cpu: "250m"
+              memory: "64Mi"
+          imagePullPolicy: Always
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: runner
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsUser
+          value: 1000
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.cpu
+          value: 250m
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.memory
+          value: 64Mi
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+
+  - it: should silently ignore runner.container.name in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container:
+          name: not-runner
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: runner
+
+  - it: should fail when runner.container is not a map in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container: "invalid"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: runner.container must be a map/object
+
+  - it: should fail when runner.container.env is not a list in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container:
+          env: "not-a-list"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: runner.container.env must be a list
+
+  - it: should fail when runner.container.volumeMounts is not a list in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container:
+          volumeMounts: "not-a-list"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: runner.container.volumeMounts must be a list
+
+  - it: should fail when runner.container.volumes is set in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container:
+          volumes:
+            - name: cache
+              emptyDir: {}
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: runner.container.volumes is not supported; use runner.pod.spec.volumes
+
+  - it: should fail when runner.container.args is not a list in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container:
+          args: "not-a-list"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: runner.container.args must be a list
+
+  - it: should fail when runner.container.securityContext is not a map in dind mode
+    set:
+      scaleset.name: "test"
+      auth.url: "https://github.com/org"
+      auth.githubToken: "gh_token12345"
+      controllerServiceAccount.name: "arc"
+      controllerServiceAccount.namespace: "arc-system"
+      runner:
+        mode: "dind"
+        container:
+          securityContext: "not-a-map"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: runner.container.securityContext must be a map/object
+
   - it: should fail when runner.dind.container.volumes is provided
     set:
       scaleset.name: "test"