From 664b750d23238ce9707a3fc8bcf4d12e09524cd6 Mon Sep 17 00:00:00 2001
From: Ravi Ojha
Date: Thu, 3 Sep 2020 12:02:00 +0530
Subject: [PATCH] Initial commit
---
Dockerfile | 12 ++++++++++
README.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++--
action.yaml | 9 +++++++
entrypoint.sh | 8 +++++++
4 files changed, 93 insertions(+), 2 deletions(-)
create mode 100644 Dockerfile
create mode 100644 action.yaml
create mode 100644 entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..8297651
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM alpine:latest
+
+RUN apk add py-pip curl
+RUN pip install awscli
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
+RUN curl -o /usr/local/bin/aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.7/2020-07-08/bin/linux/amd64/aws-iam-authenticator
+RUN chmod +x /usr/local/bin/aws-iam-authenticator
+RUN chmod +x ./kubectl
+RUN mv ./kubectl /usr/bin/kubectl
+
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
index 825acdd..14c0419 100644
--- a/README.md
+++ b/README.md
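Review bot: Both binaries in this hunk are installed without any integrity check, and kubectl is not pinned at all: the `curl -LO` line resolves `stable.txt` at build time, so each build installs whatever version that file names. action.yaml sets `image: 'Dockerfile'`, so the image is presumably rebuilt when workflows run, and this container is the one that receives the kubeconfig (and, per the README, AWS keys), which is the same exposure the README gives as the reason for not relying on third-party actions. I would pin a kubectl version, check both downloads against SHA-256 digests recorded in the Dockerfile, and add `-f` to curl so an HTTP error body is never saved and marked executable. `FROM alpine:latest` and the unversioned `pip install awscli` float the same way and should be pinned to a tag or digest and to a version.

```dockerfile
# Placeholder values: fill in the release you reviewed and its published SHA-256 digests.
ARG KUBECTL_VERSION=PLACEHOLDER_VERSION
ARG KUBECTL_SHA256=PLACEHOLDER_SHA256
ARG AUTHENTICATOR_SHA256=PLACEHOLDER_SHA256

# … unchanged: FROM, apk add, pip install …
RUN curl -fsSLo /usr/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
 && echo "${KUBECTL_SHA256}  /usr/bin/kubectl" | sha256sum -c - \
 && chmod +x /usr/bin/kubectl
RUN curl -fsSLo /usr/local/bin/aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.17.7/2020-07-08/bin/linux/amd64/aws-iam-authenticator \
 && echo "${AUTHENTICATOR_SHA256}  /usr/local/bin/aws-iam-authenticator" | sha256sum -c - \
 && chmod +x /usr/local/bin/aws-iam-authenticator
# … unchanged: COPY entrypoint.sh, ENTRYPOINT …
```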
@@ -1,2 +1,64 @@
-# aws-kubectl
-A github action to deploy on AWS EKS
+# Github Action for Kubernetes CLI
+
+Action to provide `kubectl` on Github Actions.
+
+There are many such actions but we can't control what an action does when they update them. If their account gets compromised, every Github Action which uses their action are under threat because some AWS keys are provided to actions.
+
+Until AWS's official [action](https://github.com/aws-actions/amazon-eks-fargate) comes around we will have to use our own action to use kubectl.
+
+
+## Usage
+
+`.github/workflows/deploy.yml`
+
+```yaml
+on:
+ push:
+ branches: [master]
+
+name: deploy
+
+env:
+ AWS_DEFAULT_REGION: us-east-1
+
+jobs:
+ deploy:
+ name: Deploy to AWS EKS Cluster
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Set new image on deployment
+ uses: LocalCoinSwap/aws-kubectl@v1
+ env:
+ KUBE_CONFIG_DATA: ${{ secrets.YOUR_KUBE_CONFIG_DATA_KEY }}
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ ECR_REPOSITORY: your-app
+ IMAGE_TAG: ${{ github.sha }}
+ with:
+ args: set image deployment/$ECR_REPOSITORY $ECR_REPOSITORY=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+```
+
+## Secrets
+
+`KUBE_CONFIG_DATA` – **required**: A base64-encoded kubeconfig file data.
+
+It's important that you verify what you encode. There could be many configs in the `$HOME/.kube/config` file on local systems.
+
+```bash
+cat $HOME/.kube/config | base64
+```
diff --git a/action.yaml b/action.yaml
new file mode 100644
index 0000000..af9b0d7
--- /dev/null
+++ b/action.yaml
@@ -0,0 +1,9 @@
+name: kubectl-aws-eks
+description: "Action to provide kubectl on Github Actions."
+author: 'LocalCoinSwap'
+branding:
+ color: 'white'
+ icon: 'command'
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
\ No newline at end of file
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..54ef73e
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+echo "$KUBE_CONFIG_DATA" | base64 -d > /tmp/config
+export KUBECONFIG=/tmp/config
+
+sh -c "kubectl $*"
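Review bot: The last line of entrypoint.sh, `sh -c "kubectl $*"`, hands the whole argument string to a second shell, so everything in `args` is parsed as shell syntax rather than only as kubectl arguments. The README example relies on this to expand `$ECR_REPOSITORY` and the other variables, so it looks deliberate, but it is undocumented, and a workflow that interpolates externally controlled text into `args` would have it evaluated in the container that holds the decoded kubeconfig. I would put a comment above that line, `# args are evaluated by sh so that env vars expand; only pass trusted, workflow-authored values`, and state the same constraint in the README. Separately, adding `umask 077` before the `base64 -d` line would keep `/tmp/config` from being created with default, group/world-readable permissions.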