feat: create github k8s service account (#77)
Showing 8 changed files with 88 additions and 0 deletions.
@@ -0,0 +1,29 @@ | ||
# Service account for CI Bot | ||
|
||
There are various ways to integrate a CI system with kubernetes clusters. OpenID Connect is one option, cloud providers offer | ||
integration points with their identity and access management systems, etc. For this project however, we aim to be agnostic | ||
to these services and selected a solution that would be applicable to all by creating a k8s `ServiceAccount` and `ServiceAccountToken`. | ||
This is an optional configuration for a cluster and not the only valid solution to solve authentication and | ||
authorization patterns for a CI system. | ||
|
||
This cluster can deploy a `ServiceAccount` with the sole purpose of being utilized by the | ||
CI System to interact with the cluster. | ||
|
||
The `ServiceAccount` is associated with a `kubernetes.io/service-account-token`. | ||
Once this token is generated, the cluster administrator must export this token to the | ||
CI System as a secret. Once done, the pipeline for the CI system can use this token to authenticate | ||
to the cluster. | ||
|
||
In the case of GitHub, follow the [official guide](https://docs.github.com/en/actions/security-guides/encrypted-secrets#about-encrypted-secrets) | ||
for creating a secret. Depending on your specific needs the secret could be applicable to a single repo, | ||
an environment, or the entire GitHub organization. | ||
|
||
### Deploy the Service Account | ||
|
||
There is a Makefile Goal that can be run against the cluster to create the aforementioned `ServiceAccount`, token, | ||
and permission sets. To run this, simply execute the following command: | ||
```bash | ||
$ make create-ci-service-account | ||
``` | ||
|
||
The permission sets should be modified for your use case. |
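Review bot: The README tells the administrator to "export this token to the CI System as a secret" but never says how to read it out of the cluster, nor that a `kubernetes.io/service-account-token` Secret yields a token with no expiry that stays valid until the Secret is deleted. Add the retrieval command next to that sentence (for example `kubectl get secret ci-bot-token -o jsonpath='{.data.token}' | base64 -d`) and a sentence on rotation: delete and re-apply the Secret, then update the GitHub secret with the new value. Two smaller points in the same hunk: "Makefile Goal" should read "Makefile target", and the `$` prompt inside the ```bash block makes `make create-ci-service-account` non-copyable; drop it.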
@@ -0,0 +1,12 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: continuous-deployment | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: continuous-deployment | ||
subjects: | ||
- kind: ServiceAccount | ||
name: ci-bot | ||
namespace: default |
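Review bot: The subject here hardcodes `namespace: default`, but neither the ServiceAccount nor the Secret manifest in this commit sets `metadata.namespace`, so they are created in whatever namespace the operator's kubeconfig context selects; if that is not `default`, this binding points at a subject that does not exist and the exported token carries no permissions at all. Pin `namespace: default` in both of those manifests (or pass `-n default` when applying) so the three objects cannot drift apart. Separately, because this is a ClusterRoleBinding the `continuous-deployment` role applies in every namespace; if the CI bot only deploys into known namespaces, one RoleBinding per namespace referencing the same ClusterRole grants the same verbs with a much smaller blast radius.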
@@ -0,0 +1,25 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: continuous-deployment | ||
rules: | ||
- apiGroups: | ||
- '' | ||
- apps | ||
- networking.k8s.io | ||
resources: | ||
- namespaces | ||
- deployments | ||
- replicasets | ||
- ingresses | ||
- services | ||
- secrets | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch |
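Review bot: `secrets` with `get`, `list` and `watch`, bound cluster-wide by the accompanying ClusterRoleBinding, lets the CI token read every Secret in the cluster, including other service account tokens, so a compromise of the GitHub secret exposes every credential the cluster stores. Likewise `delete` and `deletecollection` on `namespaces` lets the bot remove whole namespaces. Split this single rule so that `secrets` carries only the verbs the pipeline needs on the secrets it manages (typically `get`, `create`, `patch`, `update`), `namespaces` is limited to `get` and `list`, and the broad verb set stays on `deployments`, `replicasets`, `services` and `ingresses`. Because this is one rule, every verb applies to every resource in every listed apiGroup; one rule per apiGroup (e.g. `apiGroups: [apps]` with `deployments` and `replicasets`) also documents intent and makes later review easier.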
@@ -0,0 +1,4 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: ci-bot |
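Review bot: This ServiceAccount exists only for an external CI system, so set `automountServiceAccountToken: false` on it; otherwise any pod that runs as `ci-bot` (by intent or by a typo in a pod spec) gets a token with the full `continuous-deployment` ClusterRole mounted into it. Also add `namespace: default` under `metadata` so the account is created where the ClusterRoleBinding subject expects it.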
@@ -0,0 +1,7 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: ci-bot-token | ||
annotations: | ||
kubernetes.io/service-account.name: "ci-bot" | ||
type: kubernetes.io/service-account-token |
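Review bot: A `kubernetes.io/service-account-token` Secret produces a long-lived token with no expiry, and nothing in this commit documents or automates its rotation; the token remains valid until this Secret is deleted. On clusters at 1.24 or newer, a bound, time-limited token from the TokenRequest API (`kubectl create token ci-bot --duration=...`), issued whenever the GitHub secret is rotated, avoids persisting a credential in the cluster at all and would make this manifest unnecessary. If the long-lived Secret is kept, state in the README that deleting and re-applying it is the rotation procedure, and add `namespace: default` to `metadata` so it is created beside the ServiceAccount named in the `kubernetes.io/service-account.name` annotation.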
@@ -0,0 +1,3 @@ | ||
#!/usr/bin/env bash | ||
|
||
kubectl apply -f manifests/ci-service-account |
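Review bot: `kubectl apply -f manifests/ci-service-account` resolves the path against the current working directory, so the script only works when invoked from the repository root; an operator running it directly from another directory gets a file-not-found error. Resolve the path from the script's own location, e.g. `cd "$(dirname "$0")/.."` before the apply, and add `set -euo pipefail` so a failed `cd` stops the script before it applies manifests from the wrong directory. Passing `-n default` here would also guard against the namespace drift between the ServiceAccount manifest and the ClusterRoleBinding subject.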