Add mTLS proxy support for enterprise proxies#4498

Open
dhawalseth wants to merge 3 commits into
actions:masterfrom
dhawalseth:feature/mtls-proxy-support
Conversation

@dhawalseth
Contributor

@dhawalseth dhawalseth commented May 19, 2026

Summary

Add mTLS (mutual TLS) proxy support for enterprise environments that require client certificate authentication for egress traffic (e.g., corporate proxies like Kraken, Zscaler, or other TLS-terminating proxies).

Motivation

Many enterprise environments route all egress traffic through proxies that require mutual TLS authentication. Currently, ARC only supports basic auth (username/password) for proxy authentication via credentialSecretRef. This PR adds the infrastructure to support mTLS by:

  1. Mounting client certificates and CA certificates to listener and runner pods
  2. Providing a clear configuration interface in Helm values
  3. Extending the CRD schema to include TLS configuration

Changes

New ProxyTLSConfig type

type ProxyTLSConfig struct {
    // Secret with 'tls.crt' and 'tls.key' for client auth
    ClientCertSecretRef string `json:"clientCertSecretRef,omitempty"`
    
    // Secret with 'ca.crt' for server verification
    CACertSecretRef string `json:"caCertSecretRef,omitempty"`
    
    // ConfigMap with 'ca.crt' (alternative to secret)
    CACertConfigMapRef string `json:"caCertConfigMapRef,omitempty"`
    
    // Skip server cert verification (testing only)
    InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
}

Updated Helm Configuration

proxy:
  https:
    url: https://proxy.example.com:443
    tls:
      # Create with: kubectl create secret tls proxy-client-cert --cert=client.crt --key=client.key
      clientCertSecretRef: proxy-client-cert
      # Create with: kubectl create secret generic proxy-ca-cert --from-file=ca.crt=ca.pem
      caCertSecretRef: proxy-ca-cert

Certificate Mount Paths

Certificates are mounted to pods at:

  • /etc/proxy-tls/https-proxy/client/tls.crt - Client certificate
  • /etc/proxy-tls/https-proxy/client/tls.key - Client private key
  • /etc/proxy-tls/https-proxy/ca/ca.crt - CA certificate

Files Changed

  • apis/actions.github.com/v1alpha1/autoscalingrunnerset_types.go - New ProxyTLSConfig type
  • controllers/actions.github.com/resourcebuilder.go - Volume mount logic
  • charts/gha-runner-scale-set/values.yaml - Configuration examples
  • charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml - Template updates
  • CRDs regenerated

Usage Example

# Create client certificate secret
kubectl create secret tls proxy-mtls-client \
  --cert=client.crt \
  --key=client.key \
  -n arc-runners

# Create CA certificate secret
kubectl create secret generic proxy-mtls-ca \
  --from-file=ca.crt=proxy-ca.pem \
  -n arc-runners

# Install with mTLS proxy config
helm install arc-runner-set oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set \
  --set githubConfigUrl="https://github.com/myorg" \
  --set githubConfigSecret="github-secret" \
  --set proxy.https.url="https://proxy.example.com:443" \
  --set proxy.https.tls.clientCertSecretRef="proxy-mtls-client" \
  --set proxy.https.tls.caCertSecretRef="proxy-mtls-ca"

Related PRs

This is part of a coordinated effort to add mTLS proxy support across the GitHub Actions ecosystem:

  Repository        PR     Description
  actions/scaleset  #101   Add WithTLSClientCertificate() HTTPOption for Go HTTP client
  actions/runner    #4430  Add HTTPS_PROXY_CLIENT_CERT/KEY/CA_CERT environment variables

How it all fits together

  1. This PR (ARC): Mounts certificates to listener/runner pods via Kubernetes secrets
  2. scaleset PR: Listener uses mounted certs via WithTLSClientCertificate()
  3. runner PR: Runner reads cert paths from environment variables set by ARC

Test Plan

  • Unit tests for proxyTLSVolumesAndMounts() helper
  • Helm template rendering tests with TLS config
  • Integration test with mock mTLS proxy
  • Manual verification of certificate mounts in pods

🤖 Generated with Claude Code
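How a listener would consume the material mounted at the paths above, as an added example that is not code from this PR or from the actions/scaleset library: it builds an http.Transport whose TLS client configuration presents tls.crt/tls.key to an HTTPS proxy and trusts ca.crt for that handshake. ProxyTLSOptions, NewProxyTransport and selfSignedPEM are hypothetical names; the struct holds PEM bytes already read from the mount paths rather than secret names, and the refusal to combine insecureSkipVerify with a CA is this example's own guard, not something the proposed CRD enforces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// ProxyTLSOptions mirrors the PR's ProxyTLSConfig with PEM read from /etc/proxy-tls/https-proxy/{client,ca}/.
type ProxyTLSOptions struct {
	ClientCertPEM, ClientKeyPEM, CACertPEM []byte
	InsecureSkipVerify                     bool // "testing only", as the CRD comment says
}

// NewProxyTransport CONNECTs through proxy and presents the client cert in the TLS handshake with it.
// Go reuses TLSClientConfig for the tunnelled session too, so the proxy CA is added to the system roots.
func NewProxyTransport(proxy *url.URL, o ProxyTLSOptions) (*http.Transport, error) {
	if o.InsecureSkipVerify && len(o.CACertPEM) > 0 {
		return nil, errors.New("insecureSkipVerify and a CA cert are mutually exclusive")
	}
	cert, err := tls.X509KeyPair(o.ClientCertPEM, o.ClientKeyPEM) // tls.crt + tls.key
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, InsecureSkipVerify: o.InsecureSkipVerify}
	if len(o.CACertPEM) > 0 { // ca.crt
		if cfg.RootCAs, err = x509.SystemCertPool(); err != nil || !cfg.RootCAs.AppendCertsFromPEM(o.CACertPEM) {
			return nil, errors.New("cannot add ca.crt to the root pool")
		}
	}
	return &http.Transport{Proxy: http.ProxyURL(proxy), TLSClientConfig: cfg}, nil
}

// selfSignedPEM: throwaway ECDSA cert+key (constructed demo input, not real proxy credentials); cannot fail.
func selfSignedPEM() (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kder, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kder})
}
```

Because Go applies the same TLSClientConfig to the tunnelled connection, a pool containing only the proxy CA would break verification of the upstream endpoint unless the proxy re-signs traffic, which is why the system roots are kept.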

dseth-linkedin and others added 2 commits May 6, 2026 23:20
Addresses CVEs found in container image scanning:
- CVE-2026-27143 (Critical, CVSS 9.8)
- CVE-2026-27140 (High, CVSS 8.8)
- CVE-2026-33810 (High, CVSS 8.2)
- CVE-2026-32280 (High, CVSS 7.5)
- CVE-2026-32281 (High, CVSS 7.5)
- CVE-2026-32283 (High, CVSS 7.5)
- CVE-2026-27144 (High, CVSS 7.1)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

This change adds support for mTLS authentication when connecting through
proxies that require client certificates (e.g., corporate proxies like Kraken).

Changes:
- Add ProxyTLSConfig type with fields for:
  - clientCertSecretRef: K8s secret with tls.crt and tls.key
  - caCertSecretRef: K8s secret with ca.crt
  - caCertConfigMapRef: ConfigMap with ca.crt (alternative)
  - insecureSkipVerify: Skip server cert verification (testing only)

- Update ProxyServerConfig to include optional TLS configuration

- Add proxyTLSVolumesAndMounts helper to create volumes and mounts
  for proxy TLS certificates

- Update listener pod creation to mount proxy TLS certs at
  /etc/proxy-tls/{http,https}-proxy/{client,ca}/

- Update runner pod creation to mount proxy TLS certs

- Update Helm values.yaml with mTLS configuration examples

- Update Helm templates to pass TLS config to CRD

- Regenerate CRDs with new ProxyTLSConfig schema

Note: This provides the infrastructure to mount certificates. The actual
TLS client configuration in ghalistener requires corresponding changes
in the github.com/actions/scaleset library to use these certificates.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>