Skip to content
/ setup-kubectl Public

Github actions workflow to setup `kubectl` with Kubernetes service account.

License

Apache-2.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

justin0u0/setup-kubectl

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

action.yml

action.yml

 
 

Repository files navigation

setup-kubectl

Github actions workflow to setup kubectl with Kubernetes service account.

Usage

See action.yml for detail.

With kubectl stable version:

- name: setup kubectl
  uses: justin0u0/setup-kubectl@v1
  with:
    kubectl-version: stable
    cluster-certificate-authority-data: ${{ secrets.KUBERNETES_CLUSTER_CLIENT_CERTIFICATE_AUTHORITY_DATA }}
    cluster-server: ${{ secrets.KUBERNETES_CLUSTER_SERVER }}
    credentials-token: ${{ secrets.KUBERNETES_CREDENTIALS_TOKEN }}

With kubectl specific version:

- name: setup kubectl
  uses: justin0u0/setup-kubectl@v1
  with:
    kubectl-version: v1.23.6
    cluster-certificate-authority-data: ${{ secrets.KUBERNETES_CLUSTER_CLIENT_CERTIFICATE_AUTHORITY_DATA }}
    cluster-server: ${{ secrets.KUBERNETES_CLUSTER_SERVER }}
    credentials-token: ${{ secrets.KUBERNETES_CREDENTIALS_TOKEN }}

Setup Service Account in Kubernetes

  1. Create ServiceAccount.

    cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: github-actions
EOF

  2. Create Role and RoleBinding.

    • If the service account need to have cluster-wide access, use ClusterRole and ClusterRoleBinding.
    • Add necessary rules for the service account. For example, I only need the kubectl set image ,kubectl rollout status, kubectl create job and kubectl wait --for=condition=complete job/{job} commands, so the following rules are sufficient.
    cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: github-actions
rules:
- apiGroups:
  - apps
  - batch
  resources:
  - "*"
  verbs:
  - "get"
  - "list"
  - "watch"
  - "create"
  - "update"
  - "patch"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: github-actions
subjects:
- kind: ServiceAccount
  name: github-actions
roleRef:
  kind: Role
  name: github-actions
  apiGroup: rbac.authorization.k8s.io
EOF

  3. Get the API server CA and the secret token of the service account.

    export SERVICE_ACCOUNT_NAME=github-actions
export NAMESPACE=default

# fetch the API server CA
kubectl get secret/$(kubectl get serviceaccount/github-actions -o json | jq -r '.secrets[0].name') -o json | jq -r '.data["ca.crt"]'

# fetch the secret token
kubectl get secret/$(kubectl get serviceaccount/github-actions -o json | jq -r '.secrets[0].name') -o json | jq -r '.data["token"]' | base64 -d

    Go to the Github repository secrets setting pages: Settings > Secrets > Actions > New Repository secret (or use environment secret).

    • Set KUBERNETES_CLUSTER_SERVER to the Kubernetes API server URL.
    • Set KUBERNETES_CLUSTER_CLIENT_CERTIFICATE_AUTHORITY_DATA with the API server CA. Note that the data should be base64 encoded.
    • Set KUBERNETES_CREDENTIALS_TOKEN with the secret token. Note that the token should NOT be base64 encoded.

    DO NOT add any newline character when setting the secrets.

About

Github actions workflow to setup `kubectl` with Kubernetes service account.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 4

v1.0.3 Latest
May 22, 2022
+ 3 releases

Packages

No packages published