[autoscalers] Only use auth to download github files if needed (#7064)

This enables autoscalers to use a scale-config that's located in an
organization other than the one they're located in, as long as that
scale-config is located in a public repo (which all our scale configs
currently are).

Bug it fixes: The old code would create a github client to download the
scale-config.yml file, but `createGitHubClientForRunnerOrg` will fail if
you try to try to create a client for an org your app doesn't have
access to. Using a full blown git client for a public file also seems
unnecessary.

This version uses a normal http request to pull the raw file. So
authentication doesn't matter. (Aside: I considered keeping the old flow
as a backup path for if we ever want the scale config to live in a
public repo, but if and when that day comes I'd rather we add the logic
afresh than leave dead, unused code around in the script.)

Testing: Verified the getRunnerTypes functionality locally to ensure it
worked end-to-end without mocks.

---------

Co-authored-by: Jean Schmidt <[email protected]>

Author: ZainRizvi

terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/gh-runners.test.ts

@@ -22,7 +22,6 @@ import { Config } from './config';
 import { Octokit } from '@octokit/rest';
 import { mocked } from 'ts-jest/utils';
 import { locallyCached, redisCached } from './cache';
-import nock from 'nock';
 
 const mockEC2 = {
   describeInstances: jest.fn(),
@@ -59,7 +58,6 @@ beforeEach(() => {
   jest.resetModules();
   jest.clearAllMocks();
   jest.restoreAllMocks();
-  nock.disableNetConnect();
 
   jest.spyOn(metrics, 'sendMetrics').mockImplementation(async () => {
     return;
@@ -860,54 +858,44 @@ runner_types:
   ]);
 
   it('gets the contents, twice', async () => {
-    const repo = { owner: 'owner', repo: 'repo' };
-    const token1 = 'token1';
-    const token2 = 'token2';
-    const repoId = 'mockReturnValueOnce1';
+    const fileRepo = { owner: 'owner', repo: 'repo' };
+    const authRepo = { owner: 'auth-owner', repo: 'auth-repo' };
     const mockCreateGithubAuth = mocked(createGithubAuth);
     const mockCreateOctoClient = mocked(createOctoClient);
     const getRepoInstallation = jest.fn().mockResolvedValue({
-      data: { id: repoId },
+      data: { id: 'mockReturnValueOnce1' },
     });
+    const scaleConfigBase64 = Buffer.from(scaleConfigYaml).toString('base64');
     const mockedOctokit = {
       apps: { getRepoInstallation: getRepoInstallation },
       repos: {
-        getContent: jest.fn().mockResolvedValue({
-          data: { content: Buffer.from(scaleConfigYaml).toString('base64') },
+        getContent: jest.fn().mockResolvedValueOnce({
           status: 200,
+          data: { content: scaleConfigBase64 },
         }),
       },
     };
 
-    mockCreateGithubAuth.mockResolvedValueOnce(token1);
+    mockCreateGithubAuth.mockResolvedValueOnce('token1');
     mockCreateOctoClient.mockReturnValueOnce(mockedOctokit as unknown as Octokit);
-    mockCreateGithubAuth.mockResolvedValueOnce(token2);
+    mockCreateGithubAuth.mockResolvedValueOnce('token2');
     mockCreateOctoClient.mockReturnValueOnce(mockedOctokit as unknown as Octokit);
 
     await resetGHRunnersCaches();
-    expect(await getRunnerTypes(repo, metrics)).toEqual(getRunnerTypeResponse);
-    expect(await getRunnerTypes(repo, metrics)).toEqual(getRunnerTypeResponse);
-
-    expect(mockCreateGithubAuth).toBeCalledTimes(2);
-    expect(mockCreateGithubAuth).toBeCalledWith(undefined, 'app', Config.Instance.ghesUrlApi, metrics);
-    expect(mockCreateGithubAuth).toBeCalledWith(repoId, 'installation', Config.Instance.ghesUrlApi, metrics);
-
-    expect(mockCreateOctoClient).toBeCalledTimes(2);
-    expect(mockCreateOctoClient).toBeCalledWith(token1, Config.Instance.ghesUrlApi);
-    expect(mockCreateOctoClient).toBeCalledWith(token2, Config.Instance.ghesUrlApi);
-
-    expect(getRepoInstallation).toBeCalledTimes(1);
-    expect(getRepoInstallation).toBeCalledWith({ ...repo });
+    expect(await getRunnerTypes(fileRepo, authRepo, metrics)).toEqual(getRunnerTypeResponse);
+    expect(await getRunnerTypes(fileRepo, authRepo, metrics)).toEqual(getRunnerTypeResponse);
 
+    // Verify the API was called only once due to caching
     expect(mockedOctokit.repos.getContent).toBeCalledTimes(1);
     expect(mockedOctokit.repos.getContent).toBeCalledWith({
-      ...repo,
+      ...fileRepo,
       path: Config.Instance.scaleConfigRepoPath,
     });
   });
 
   it('return is not 200', async () => {
-    const repo = { owner: 'owner', repo: 'repo' };
+    const fileRepo = { owner: 'owner', repo: 'repo_fail' };
+    const authRepo = { owner: 'auth-owner', repo: 'auth-repo' };
     const mockCreateGithubAuth = mocked(createGithubAuth);
     const mockCreateOctoClient = mocked(createOctoClient);
     const getRepoInstallation = jest.fn().mockResolvedValue({
@@ -916,9 +904,9 @@ runner_types:
     const mockedOctokit = {
       apps: { getRepoInstallation: getRepoInstallation },
       repos: {
-        getContent: jest.fn().mockResolvedValue({
-          data: { content: Buffer.from(scaleConfigYaml).toString('base64') },
+        getContent: jest.fn().mockResolvedValueOnce({
           status: 500,
+          data: {},
         }),
       },
     };
@@ -929,7 +917,43 @@ runner_types:
     mockCreateOctoClient.mockReturnValueOnce(mockedOctokit as unknown as Octokit);
 
     await resetGHRunnersCaches();
-    await expect(getRunnerTypes(repo, metrics)).rejects.toThrow(Error);
+    await expect(getRunnerTypes(fileRepo, authRepo, metrics)).rejects.toThrow(Error);
+  });
+
+  it('gets the contents using org client when enableOrganizationRunners is true', async () => {
+    const config = {
+      enableOrganizationRunners: true,
+    };
+    jest.spyOn(Config, 'Instance', 'get').mockImplementation(() => config as unknown as Config);
+
+    const fileRepo = { owner: 'owner', repo: 'repo' };
+    const authRepo = { owner: 'auth-owner', repo: 'auth-repo' };
+    const mockCreateGithubAuth = mocked(createGithubAuth);
+    const mockCreateOctoClient = mocked(createOctoClient);
+    const getOrgInstallation = jest.fn().mockResolvedValue({
+      data: { id: 'mockReturnValueOnce1' },
+    });
+    const scaleConfigBase64 = Buffer.from(scaleConfigYaml).toString('base64');
+    const mockedOctokit = {
+      apps: { getOrgInstallation: getOrgInstallation },
+      repos: {
+        getContent: jest.fn().mockResolvedValueOnce({
+          status: 200,
+          data: { content: scaleConfigBase64 },
+        }),
+      },
+    };
+
+    mockCreateGithubAuth.mockResolvedValueOnce('token1');
+    mockCreateOctoClient.mockReturnValueOnce(mockedOctokit as unknown as Octokit);
+    mockCreateGithubAuth.mockResolvedValueOnce('token2');
+    mockCreateOctoClient.mockReturnValueOnce(mockedOctokit as unknown as Octokit);
+
+    await resetGHRunnersCaches();
+    expect(await getRunnerTypes(fileRepo, authRepo, metrics)).toEqual(getRunnerTypeResponse);
+
+    // Verify org client was created
+    expect(getOrgInstallation).toBeCalledWith({ org: authRepo.owner });
   });
 });
 

terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/gh-runners.ts

@@ -307,30 +307,33 @@ export async function getRunnerOrg(org: string, runnerID: string, metrics: Metri
   }
 }
 
+/**
+ Get runner types from scale-config.yml
+ */
 export async function getRunnerTypes(
-  repo: Repo,
+  filerepo: Repo,
+  authrepo: Repo,
   metrics: Metrics,
   filepath = Config.Instance.scaleConfigRepoPath,
 ): Promise<Map<string, RunnerType>> {
   const alphaNumericStr = /^[a-zA-Z0-9.-]+$/;
 
-  return await redisCached('ghRunners', `getRunnerTypes-${repo.owner}.${repo.repo}`, 10 * 60, 0.5, async () => {
+  return await redisCached('ghRunners', `getRunnerTypes-${filerepo.owner}.${filerepo.repo}`, 10 * 60, 0.5, async () => {
     let status = 'noRun';
     try {
-      status = 'doRun';
-      /* istanbul ignore next */
       const githubAppClient = Config.Instance.enableOrganizationRunners
-        ? await createGitHubClientForRunnerOrg(repo.owner, metrics)
-        : await createGitHubClientForRunnerRepo(repo, metrics);
+        ? await createGitHubClientForRunnerOrg(authrepo.owner, metrics)
+        : await createGitHubClientForRunnerRepo(authrepo, metrics);
 
       console.debug(
-        `[getRunnerTypes]: Fetching runner types from ${filepath} for https://github.com/${repo.owner}/${repo.repo}/`,
+        `[getRunnerTypes]: Fetching runner types from ${filepath} for ` +
+          `https://github.com/${filerepo.owner}/${filerepo.repo}/`,
       );
 
       const response = await expBackOff(() => {
         return metrics.trackRequest(metrics.reposGetContentGHCallSuccess, metrics.reposGetContentGHCallFailure, () => {
           return githubAppClient.repos.getContent({
-            ...repo,
+            ...filerepo,
             path: filepath,
           });
         });
@@ -340,7 +343,8 @@ export async function getRunnerTypes(
       const { content }: { content?: string } = { ...(response?.data || {}) } as { content?: string };
       if (response?.status != 200 || !content) {
         throw Error(
-          `Issue (${response.status}) retrieving '${filepath}' for https://github.com/${repo.owner}/${repo.repo}/`,
+          `Issue (${response.status}) retrieving '${filepath}' for ` +
+            `https://github.com/${filerepo.owner}/${filerepo.repo}/`,
         );
       }
 
@@ -440,7 +444,7 @@ export async function getRunnerTypes(
       return filteredResult;
     } catch (e) {
       console.error(
-        `[getRunnerTypes]: Error for path '${filepath}' for https://github.com/${repo.owner}/${repo.repo}/`,
+        `[getRunnerTypes]: Error for path '${filepath}' for https://github.com/${filerepo.owner}/${filerepo.repo}/`,
       );
       console.error(`[getRunnerTypes]: ${e}`);
       throw e;

terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/scale-down.test.ts

@@ -156,7 +156,7 @@ describe('scale-down', () => {
   describe('org', () => {
     const environment = 'environment';
     const scaleConfigRepo = 'test-infra';
-    const theOrg = ' a-owner';
+    const theOrg = 'a-owner';
     const dateRef = moment(new Date());
     const runnerTypes = new Map([
       ['ignore-no-org-no-repo', { is_ephemeral: false } as RunnerType],
@@ -455,7 +455,11 @@ describe('scale-down', () => {
       expect(mockedListGithubRunnersOrg).toBeCalledWith(theOrg, metrics);
 
       expect(mockedGetRunnerTypes).toBeCalledTimes(9);
-      expect(mockedGetRunnerTypes).toBeCalledWith({ owner: theOrg, repo: scaleConfigRepo }, metrics);
+      expect(mockedGetRunnerTypes).toBeCalledWith(
+        { owner: theOrg, repo: scaleConfigRepo },
+        { owner: theOrg, repo: '' },
+        metrics,
+      );
 
       expect(mockedRemoveGithubRunnerOrg).toBeCalledTimes(5);
       {
@@ -797,7 +801,7 @@ describe('scale-down', () => {
       expect(mockedListGithubRunnersRepo).toBeCalledWith(repo, metrics);
 
       expect(mockedGetRunnerTypes).toBeCalledTimes(9);
-      expect(mockedGetRunnerTypes).toBeCalledWith(repo, metrics);
+      expect(mockedGetRunnerTypes).toBeCalledWith(repo, repo, metrics);
 
       expect(mockedRemoveGithubRunnerRepo).toBeCalledTimes(5);
       {
@@ -1253,10 +1257,19 @@ describe('scale-down', () => {
 
         mockedGetRunnerTypes.mockResolvedValueOnce(new Map([[runnerType, {} as RunnerType]]));
 
-        expect(await isEphemeralRunner({ runnerType: runnerType, org: owner } as RunnerInfo, metrics)).toEqual(false);
+        expect(
+          await isEphemeralRunner(
+            { runnerType: runnerType, org: owner, repo: `${owner}/${scaleConfigRepo}` } as RunnerInfo,
+            metrics,
+          ),
+        ).toEqual(false);
 
         expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-        expect(mockedGetRunnerTypes).toBeCalledWith({ owner: owner, repo: scaleConfigRepo }, metrics);
+        expect(mockedGetRunnerTypes).toBeCalledWith(
+          { owner: owner, repo: scaleConfigRepo },
+          { owner: owner, repo: scaleConfigRepo },
+          metrics,
+        );
       });
 
       it('org in runner, is_ephemeral === false', async () => {
@@ -1265,10 +1278,19 @@ describe('scale-down', () => {
 
         mockedGetRunnerTypes.mockResolvedValueOnce(new Map([[runnerType, { is_ephemeral: false } as RunnerType]]));
 
-        expect(await isEphemeralRunner({ runnerType: runnerType, org: owner } as RunnerInfo, metrics)).toEqual(false);
+        expect(
+          await isEphemeralRunner(
+            { runnerType: runnerType, org: owner, repo: `${owner}/${scaleConfigRepo}` } as RunnerInfo,
+            metrics,
+          ),
+        ).toEqual(false);
 
         expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-        expect(mockedGetRunnerTypes).toBeCalledWith({ owner: owner, repo: scaleConfigRepo }, metrics);
+        expect(mockedGetRunnerTypes).toBeCalledWith(
+          { owner: owner, repo: scaleConfigRepo },
+          { owner: owner, repo: scaleConfigRepo },
+          metrics,
+        );
       });
 
       it('org not in runner, is_ephemeral === true', async () => {
@@ -1282,7 +1304,11 @@ describe('scale-down', () => {
         ).toEqual(true);
 
         expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-        expect(mockedGetRunnerTypes).toBeCalledWith({ owner: owner, repo: scaleConfigRepo }, metrics);
+        expect(mockedGetRunnerTypes).toBeCalledWith(
+          { owner: owner, repo: scaleConfigRepo },
+          { owner: owner, repo: 'a-repo' },
+          metrics,
+        );
       });
     });
 
@@ -1316,7 +1342,7 @@ describe('scale-down', () => {
           ).toEqual(false);
 
           expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-          expect(mockedGetRunnerTypes).toBeCalledWith(runnerRepo, metrics);
+          expect(mockedGetRunnerTypes).toBeCalledWith(runnerRepo, runnerRepo, metrics);
         });
 
         it('is_ephemeral === true', async () => {
@@ -1329,7 +1355,7 @@ describe('scale-down', () => {
           ).toEqual(true);
 
           expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-          expect(mockedGetRunnerTypes).toBeCalledWith(runnerRepo, metrics);
+          expect(mockedGetRunnerTypes).toBeCalledWith(runnerRepo, runnerRepo, metrics);
         });
 
         it('is_ephemeral === false', async () => {
@@ -1342,7 +1368,7 @@ describe('scale-down', () => {
           ).toEqual(false);
 
           expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-          expect(mockedGetRunnerTypes).toBeCalledWith(runnerRepo, metrics);
+          expect(mockedGetRunnerTypes).toBeCalledWith(runnerRepo, runnerRepo, metrics);
         });
       });
 
@@ -1374,7 +1400,7 @@ describe('scale-down', () => {
           ).toEqual(false);
 
           expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-          expect(mockedGetRunnerTypes).toBeCalledWith(centralRepo, metrics);
+          expect(mockedGetRunnerTypes).toBeCalledWith(centralRepo, runnerRepo, metrics);
         });
 
         it('is_ephemeral === true', async () => {
@@ -1387,7 +1413,7 @@ describe('scale-down', () => {
           ).toEqual(true);
 
           expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-          expect(mockedGetRunnerTypes).toBeCalledWith(centralRepo, metrics);
+          expect(mockedGetRunnerTypes).toBeCalledWith(centralRepo, runnerRepo, metrics);
         });
 
         it('is_ephemeral === false', async () => {
@@ -1400,7 +1426,7 @@ describe('scale-down', () => {
           ).toEqual(false);
 
           expect(mockedGetRunnerTypes).toBeCalledTimes(1);
-          expect(mockedGetRunnerTypes).toBeCalledWith(centralRepo, metrics);
+          expect(mockedGetRunnerTypes).toBeCalledWith(centralRepo, runnerRepo, metrics);
         });
       });
     });

terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/scale-down.ts

@@ -268,7 +268,11 @@ export async function isEphemeralRunner(ec2runner: RunnerInfo, metrics: ScaleDow
     return false;
   }
 
-  const runnerTypes = await getRunnerTypes(backwardCompatibleGetRepoForgetRunnerTypes(ec2runner), metrics);
+  const runnerTypes = await getRunnerTypes(
+    backwardCompatibleGetRepoForgetRunnerTypes(ec2runner),
+    ec2runner.repo ? getRepo(ec2runner.repo as string) : { owner: ec2runner.org as string, repo: '' },
+    metrics,
+  );
   return runnerTypes.get(ec2runner.runnerType)?.is_ephemeral ?? false;
 }
 
@@ -278,7 +282,11 @@ export async function minRunners(ec2runner: RunnerInfo, metrics: ScaleDownMetric
     return Config.Instance.minAvailableRunners;
   }
 
-  const runnerTypes = await getRunnerTypes(backwardCompatibleGetRepoForgetRunnerTypes(ec2runner), metrics);
+  const runnerTypes = await getRunnerTypes(
+    backwardCompatibleGetRepoForgetRunnerTypes(ec2runner),
+    ec2runner.repo ? getRepo(ec2runner.repo as string) : { owner: ec2runner.org as string, repo: '' },
+    metrics,
+  );
   return runnerTypes.get(ec2runner.runnerType)?.min_available ?? Config.Instance.minAvailableRunners;
 }
 

terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/scale-up-chron.ts

@@ -14,8 +14,12 @@ export async function scaleUpChron(metrics: ScaleUpChronMetrics): Promise<void>
   // 3. For each runner queued for longer than the minimum delay, try to scale it up
 
   try {
+    const repo = getRepo(Config.Instance.scaleConfigOrg, Config.Instance.scaleConfigRepo);
     const validRunnerTypes = await getRunnerTypes(
-      getRepo(Config.Instance.scaleConfigOrg, Config.Instance.scaleConfigRepo),
+      // For scaleUpChron, we don't have a situation where the auth repo is different from the config repo
+      // so we can just pass the same repo for both parameters
+      repo,
+      repo,
       metrics,
       Config.Instance.scaleConfigRepoPath,
     );