feat: create github k8s service account (#77)

Makefile

@@ -91,3 +91,6 @@ integration-test: ## Run integration tests
 
 validate: ## Run static checks
 	@ASDF_DEFAULT_TOOL_VERSIONS_FILENAME=$(CURDIR)/.tool-versions pre-commit run --color=always --show-diff-on-failure --all-files
+
+create-ci-service-account: ## Create a k8s service account that would be used by CI systems
+	@./scripts/create-ci-service-account.sh

README.md

@@ -163,3 +163,8 @@ make bootstrap
 ```
 
 You're now ready to contribute!
+
+## CI Process
+
+After deploying the cluster, you may wish to integrate it with a CI tool of choice.
+For more information on this subject, consult [CI Service Account Readme](manifests/ci-service-account/README.md)

manifests/ci-service-account/README.md

@@ -0,0 +1,29 @@
+# Service account for CI Bot
+
+There are various ways to integrate a CI system with kubernetes clusters. OpenID Connect is one option, cloud providers offer
+integration points with their identity and access management systems, etc. For this project however, we aim to be agnostic
+to these services and selected a solution that would be applicable to all by creating a k8s `ServiceAccount` and `ServiceAccountToken`.
+This is an optional configuration for a cluster and not the only valid solution to solve authentication and
+authorization patterns for a CI system.
+
+This cluster can deploy a `ServiceAccount` with the sole purpose of being utilized by the
+CI System to interact with the cluster.
+
+The `ServiceAccount` is associated with a `kubernetes.io/service-account-token`.
+Once this token is generated, the cluster administrator must export this token to the
+CI System as a secret.  Once done, the pipeline for the CI system can use this token to authenticate
+to the cluster.
+
+In the case of GitHub, follow the [official guide](https://docs.github.com/en/actions/security-guides/encrypted-secrets#about-encrypted-secrets)
+for creating a secret. Depending on your specific needs the secret could be applicable to a single repo,
+an environment, or the entire GitHub organization.
+
+### Deploy the Service Account
+
+There is a Makefile Goal that can be run against the cluster to create the aforementioned `ServiceAccount`, token,
+and permission sets. To run this, simply execute the following command:
+```bash
+$ make create-ci-service-account
+```
+
+The permission sets should be modified for your use case.

manifests/ci-service-account/ci-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: continuous-deployment
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: continuous-deployment
+subjects:
+  - kind: ServiceAccount
+    name: ci-bot
+    namespace: default

manifests/ci-service-account/ci-cluster-role.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: continuous-deployment
+rules:
+  - apiGroups:
+      - ''
+      - apps
+      - networking.k8s.io
+    resources:
+      - namespaces
+      - deployments
+      - replicasets
+      - ingresses
+      - services
+      - secrets
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch

manifests/ci-service-account/ci-service-account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ci-bot

manifests/ci-service-account/ci-token.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ci-bot-token
+  annotations:
+    kubernetes.io/service-account.name: "ci-bot"
+type: kubernetes.io/service-account-token

scripts/create-ci-service-account.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+kubectl apply -f manifests/ci-service-account