# Default values for actions-runner-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

labels: {}

replicaCount: 1

webhookPort: 9443
syncPeriod: 1m
defaultScaleDownDelay: 10m

enableLeaderElection: true
# Specifies the controller id for leader election.
# Must be unique if more than one controller installed onto the same namespace.
#leaderElectionId: "actions-runner-controller"

# The URL of your GitHub Enterprise server, if you're using one.
#githubEnterpriseServerURL: https://github.example.com

# Override GitHub URLs in case of using proxy APIs
#githubURL: ""
#githubUploadURL: ""
#runnerGithubURL: ""

# Only 1 authentication method can be deployed at a time
# Uncomment the configuration you are applying and fill in the details
#
# If authSecret.enabled=true these values are inherited to actions-runner-controller's controller-manager container's env.
#
# Do set authSecret.enabled=false and set env if you want full control over
# the GitHub authn related envvars of the container.
# See https://github.com/actions/actions-runner-controller/pull/937 for more details.
authSecret:
  enabled: true
  create: false
  name: "controller-manager"
  annotations: {}
  ### GitHub Apps Configuration
  ## NOTE: IDs MUST be strings, use quotes
  #github_app_id: ""
  #github_app_installation_id: ""
  #github_app_private_key: |
  ### GitHub PAT Configuration
  #github_token: ""
  ### Basic auth for github API proxy
  #github_basicauth_username: ""
  #github_basicauth_password: ""

# http(s) should be specified for dockerRegistryMirror, e.g.: dockerRegistryMirror="https://<your-docker-registry-mirror>"
dockerRegistryMirror: ""
image:
  repository: "summerwind/actions-runner-controller"
  actionsRunnerRepositoryAndTag: "summerwind/actions-runner:latest"
  dindSidecarRepositoryAndTag: "docker:dind"
  pullPolicy: IfNotPresent
  # The default image-pull secrets name for self-hosted runner container.
  # It's added to spec.ImagePullSecrets of self-hosted runner pods.
  actionsRunnerImagePullSecrets: []

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

runner:
  statusUpdateHook:
    enabled: false

rbac:
  {}
  # # This allows ARC to dynamically create a ServiceAccount and a Role for each Runner pod that uses "kubernetes" container mode,
  # # by extending ARC's manager role to have the same permissions required by the pod runs the runner agent in "kubernetes" container mode.
  # # Without this, Kubernetes blocks ARC to create the role to prevent a priviledge escalation.
  # # See https://github.com/actions/actions-runner-controller/pull/1268/files#r917327010
  # allowGrantingKubernetesContainerModePermissions: true

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

podLabels: {}

podSecurityContext:
  {}
  # fsGroup: 2000

securityContext:
  {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# Webhook service resource
service:
  type: ClusterIP
  port: 443
  annotations: {}

# Metrics service resource
metrics:
  serviceAnnotations: {}
  serviceMonitor: false
  serviceMonitorLabels: {}
  port: 8443
  proxy:
    enabled: true
    image:
      repository: quay.io/brancz/kube-rbac-proxy
      tag: v0.13.1

resources:
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

# Only one of minAvailable or maxUnavailable can be set
podDisruptionBudget:
  enabled: false
  # minAvailable: 1
  # maxUnavailable: 3

# Leverage a PriorityClass to ensure your pods survive resource shortages
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
# PriorityClass: system-cluster-critical
priorityClassName: ""

env:
  {}
  # specify additional environment variables for the controller pod.
  # It's possible to specify either key vale pairs e.g.:
  # http_proxy: "proxy.com:8080"
  # https_proxy: "proxy.com:8080"
  # no_proxy: ""

  # or a list of complete environment variable definitions e.g.:
  # - name: GITHUB_APP_INSTALLATION_ID
  #   valueFrom:
  #     secretKeyRef:
  #       key: some_key_in_the_secret
  #       name: some-secret-name
  #       optional: true

## specify additional volumes to mount in the manager container, this can be used
## to specify additional storage of material or to inject files from ConfigMaps
## into the running container
additionalVolumes: []

## specify where the additional volumes are mounted in the manager container
additionalVolumeMounts: []

scope:
  # If true, the controller will only watch custom resources in a single namespace
  singleNamespace: false
  # If `scope.singleNamespace=true`, the controller will only watch custom resources in this namespace
  # The default value is "", which means the namespace of the controller
  watchNamespace: ""

certManagerEnabled: true

admissionWebHooks:
  {}
  #caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"

# There may be alternatives to setting `hostNetwork: true`, see
# https://github.com/actions/actions-runner-controller/issues/1005#issuecomment-993097155
#hostNetwork: true

## specify log format for actions runner controller.  Valid options are "text" and "json"
logFormat: text

githubWebhookServer:
  enabled: false
  replicaCount: 1
  useRunnerGroupsVisibility: false
  ## specify log format for github webhook server.  Valid options are "text" and "json"
  logFormat: text
  secret:
    enabled: false
    create: false
    name: "github-webhook-server"
    ### GitHub Webhook Configuration
    github_webhook_secret_token: ""
    ### GitHub Apps Configuration
    ## NOTE: IDs MUST be strings, use quotes
    #github_app_id: ""
    #github_app_installation_id: ""
    #github_app_private_key: |
    ### GitHub PAT Configuration
    #github_token: ""
  imagePullSecrets: []
  nameOverride: ""
  fullnameOverride: ""
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""
  podAnnotations: {}
  podLabels: {}
  podSecurityContext: {}
  # fsGroup: 2000
  securityContext: {}
  resources: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  priorityClassName: ""
  service:
    type: ClusterIP
    annotations: {}
    ports:
      - port: 80
        targetPort: http
        protocol: TCP
        name: http
        #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
    loadBalancerSourceRanges: []
  ingress:
    enabled: false
    ingressClassName: ""
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: chart-example.local
        paths: []
        #  - path: /*
        #    pathType: ImplementationSpecific
        # Extra paths that are not automatically connected to the server. This is useful when working with annotation based services.
        extraPaths: []
        # - path: /*
        #   backend:
        #     serviceName: ssl-redirect
        #     servicePort: use-annotation
        ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
        # - path: /*
        #   pathType: Prefix
        #   backend:
        #     service:
        #       name: ssl-redirect
        #       port:
        #         name: use-annotation
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  # Only one of minAvailable or maxUnavailable can be set
  podDisruptionBudget:
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 3
  # queueLimit: 100
  terminationGracePeriodSeconds: 10
  lifecycle: {}
  # specify additional environment variables for the webhook server pod.
  # It's possible to specify either key vale pairs e.g.:
  # my_env_var: "some value"
  # my_other_env_var: "other value"

  # or a list of complete environment variable definitions e.g.:
  # - name: GITHUB_WEBHOOK_SECRET_TOKEN
  #   valueFrom:
  #     secretKeyRef:
  #       key: GITHUB_WEBHOOK_SECRET_TOKEN
  #       name: prod-gha-controller-webhook-token
  #       optional: true
  env: {}

actionsMetrics:
  serviceAnnotations: {}
  # Set serviceMonitor=true to create a service monitor
  # as a part of the helm release.
  # Do note that you also need actionsMetricsServer.enabled=true
  # to deploy the actions-metrics-server whose k8s service is referenced by the service monitor.
  serviceMonitor: false
  serviceMonitorLabels: {}
  port: 8443
  proxy:
    enabled: true
    image:
      repository: quay.io/brancz/kube-rbac-proxy
      tag: v0.13.1

actionsMetricsServer:
  enabled: false
  # DO NOT CHANGE THIS!
  # See the thread below for more context.
  # https://github.com/actions/actions-runner-controller/pull/1814#discussion_r974758924
  replicaCount: 1
  ## specify log format for actions metrics server.  Valid options are "text" and "json"
  logFormat: text
  secret:
    enabled: false
    create: false
    name: "actions-metrics-server"
    ### GitHub Webhook Configuration
    github_webhook_secret_token: ""
    ### GitHub Apps Configuration
    ## NOTE: IDs MUST be strings, use quotes
    #github_app_id: ""
    #github_app_installation_id: ""
    #github_app_private_key: |
    ### GitHub PAT Configuration
    #github_token: ""
  imagePullSecrets: []
  nameOverride: ""
  fullnameOverride: ""
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""
  podAnnotations: {}
  podLabels: {}
  podSecurityContext: {}
  # fsGroup: 2000
  securityContext: {}
  resources: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  priorityClassName: ""
  service:
    type: ClusterIP
    annotations: {}
    ports:
      - port: 80
        targetPort: http
        protocol: TCP
        name: http
        #nodePort: someFixedPortForUseWithTerraformCdkCfnEtc
    loadBalancerSourceRanges: []
  ingress:
    enabled: false
    ingressClassName: ""
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    hosts:
      - host: chart-example.local
        paths: []
        #  - path: /*
        #    pathType: ImplementationSpecific
        # Extra paths that are not automatically connected to the server. This is useful when working with annotation based services.
        extraPaths: []
        # - path: /*
        #   backend:
        #     serviceName: ssl-redirect
        #     servicePort: use-annotation
        ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
        # - path: /*
        #   pathType: Prefix
        #   backend:
        #     service:
        #       name: ssl-redirect
        #       port:
        #         name: use-annotation
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  terminationGracePeriodSeconds: 10
  lifecycle: {}