custom_act_runner/createServiceAccount.sh

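#!/bin/bash
#
# Generate a copy-and-paste shell recipe that provisions a namespace-scoped
# CI/CD ServiceAccount for the chart (or plain manifests) in the working
# directory and turns its token into a standalone kubeconfig.
#
# Usage:  createServiceAccount.sh > recipe.sh      (run in the chart directory)
#
# Inputs, read from the working directory:
#   Chart.yaml + values.yaml  helm chart; the namespace is taken from
#                             values.yaml .chart_template.namespace
#   *.yaml                    otherwise plain manifests; the namespace is taken
#                             from the first document that declares one
# Environment:
#   GITHUB_CONTEXT  JSON; .event.repository.html_url is used in the printed
#                   follow-up steps (presumably the workflow's toJSON(github)
#                   context - confirm against the workflow file).
#
# Output (stdout): a shell script. The RBAC it creates is a Role/RoleBinding
# (namespace-scoped, not a ClusterRole) granting the full verb set on every
# resource kind found in the rendered manifests, plus a long-lived
# service-account-token Secret whose token ends up in the printed kubeconfig.
# Tool chatter (helm) goes to stderr so it never lands in the recipe.
set -eu

readonly SA_SUFFIX="cicd"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Render the manifests to inspect and detect the target namespace.
# Globals:   NAMESPACE, HELM_OUTPUT (written)
# Arguments: none
# Outputs:   helm diagnostics on stderr
# Returns:   aborts (set -e / die) if nothing can be rendered
#######################################
detect_inputs() {
  NAMESPACE="default"
  HELM_OUTPUT=""
  if [[ -e "Chart.yaml" ]]; then
    NAMESPACE=$(yq e '.chart_template.namespace' values.yaml)
    # helm prints its progress on stdout; keep it out of the generated script.
    helm dependency build . >&2
    local subchart_json
    subchart_json=$(yq '.dependencies[] | select(.condition == "subchart")' Chart.yaml -ojson | jq -rc)
    HELM_OUTPUT=$(helm template -g --set-json="chart_template.subchartData=${subchart_json}" .)
  else
    HELM_OUTPUT=$(cat ./*.yaml)
    # `?` tolerates documents whose metadata is not a mapping; `// empty` skips
    # documents without a namespace instead of printing "null".
    NAMESPACE=$(yq -ojson <<<"$HELM_OUTPUT" \
      | jq -r 'select(type == "object") | .metadata.namespace? // empty' \
      | head -n1)
  fi
  [[ -n "$HELM_OUTPUT" ]] || die "no manifests found in $(pwd)"
  # yq prints the literal string "null" when the key is absent; fall back to
  # the declared default in that case rather than naming things "null-cicd".
  if [[ -z "$NAMESPACE" || "$NAMESPACE" == "null" ]]; then
    NAMESPACE="default"
  fi
}

#######################################
# List the unique apiVersion/kind pairs present in the rendered manifests.
# Globals:   HELM_OUTPUT (read)
# Outputs:   one "apiVersion<TAB>kind" line per pair, sorted, on stdout
#######################################
list_resource_types() {
  # Empty documents (a trailing "---") decode to null and are skipped.
  yq -o=json <<<"$HELM_OUTPUT" \
    | jq -r 'select(type == "object" and .apiVersion != null and .kind != null)
             | [.apiVersion, .kind] | @tsv' \
    | LC_ALL=C sort -u
}

#######################################
# Heuristic plural of a Kubernetes Kind, lower-cased, as used in RBAC
# `resources:` lists: Ingress -> ingresses, NetworkPolicy -> networkpolicies,
# Endpoints -> endpoints, ConfigMap -> configmaps.
# Arguments: $1 - Kind as written in the manifest
# Outputs:   the plural resource name on stdout
# Note:      CRDs may declare any plural they like; compare the generated
#            rules against `kubectl api-resources` if one looks off.
#######################################
k8s_plural() {
  local kind
  kind=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$kind" in
    endpoints) printf '%s\n' "$kind" ;;
    *[!aeiou]y) printf '%s\n' "${kind%y}ies" ;;
    *s | *x | *ch | *sh) printf '%s\n' "${kind}es" ;;
    *) printf '%s\n' "${kind}s" ;;
  esac
}

#######################################
# Print the banner and the opening of the `kubectl apply` here-document.
# Outputs:   recipe text on stdout
#######################################
print_recipe_header() {
  cat <<'EOFFF'
################################################
# Create a kubconfig for automatic deployments #
################################################
# Step 1: Set kubeconfig
export KUBECONFIG=
# Step 2: Create Service Account
cat <<EOF | kubectl apply --force -f -
EOFFF
}

#######################################
# Print the ServiceAccount, Role, RoleBinding and token Secret manifests.
# Arguments: $1 - service account name, $2 - namespace
# Globals:   HELM_OUTPUT (read, via list_resource_types)
# Outputs:   YAML on stdout
#######################################
print_rbac_manifests() {
  local sa_name=$1 namespace=$2
  cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa_name
  namespace: $namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $sa_name
  namespace: $namespace
rules:
EOF
  # One rule per apiVersion/kind pair found in the manifests.
  local api_version kind api_group resource
  while IFS=$'\t' read -r api_version kind; do
    [[ -n "$kind" ]] || continue
    if [[ "$api_version" == */* ]]; then
      api_group=${api_version%%/*}
    else
      api_group=""   # no group segment (e.g. "v1") means the core API group
    fi
    resource=$(k8s_plural "$kind")
    cat <<EOF
  - apiGroups: ["$api_group"]
    resources:
      - $resource
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
EOF
  done < <(list_resource_types)
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $sa_name
  namespace: $namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $sa_name
subjects:
  - kind: ServiceAccount
    name: $sa_name
    namespace: $namespace
---
apiVersion: v1
kind: Secret
metadata:
  name: ${sa_name}-token
  namespace: $namespace
  annotations:
    kubernetes.io/service-account.name: $sa_name
type: kubernetes.io/service-account-token
EOF
}

#######################################
# Close the apply here-document and print the kubeconfig-building steps.
# Everything prefixed with `\$` is left for the user's shell to expand.
# Arguments: $1 - service account name, $2 - namespace, $3 - repository URL
# Outputs:   recipe text on stdout
#######################################
print_kubeconfig_recipe() {
  local sa_name=$1 namespace=$2 repo_url=$3
  local new_kubeconfig="kubeconfig-${sa_name}.yaml"
  cat <<EOFFF
---
EOF
# Step 3: generate kubeconfig
# The token controller fills .data.token asynchronously after the Secret is
# created, so poll briefly instead of reading it once.
TOKEN=""
for _ in {1..30}; do
  TOKEN=\$(kubectl get secret "${sa_name}-token" -n "$namespace" -o jsonpath='{.data.token}' | base64 --decode)
  [[ -n "\$TOKEN" ]] && break
  sleep 1
done
[[ -n "\$TOKEN" ]] || echo "WARNING: token for ${sa_name} not populated yet; re-run Step 3" >&2
CURRENT_CLUSTER=\$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
# Start from a copy of the current kubeconfig, then strip its users/contexts
# so only the service-account credential remains.
cp -- "\${KUBECONFIG:-\$HOME/.kube/config}" "$new_kubeconfig"
kubectl config --kubeconfig="$new_kubeconfig" unset contexts
kubectl config --kubeconfig="$new_kubeconfig" unset users
kubectl config --kubeconfig="$new_kubeconfig" set-credentials "$sa_name" --token="\$TOKEN"
# Server is pinned to the in-cluster API address, presumably because the
# runner that consumes this kubeconfig executes inside the cluster.
kubectl config --kubeconfig="$new_kubeconfig" set-cluster "\$CURRENT_CLUSTER" --server="https://kubernetes.default.svc.cluster.local"
kubectl config --kubeconfig="$new_kubeconfig" set-context "${sa_name}-context" --cluster="\$CURRENT_CLUSTER" --user="$sa_name"
kubectl config --kubeconfig="$new_kubeconfig" use-context "${sa_name}-context"
echo "---"
cat "$new_kubeconfig"
rm -f -- "$new_kubeconfig"
# Step 4: copy kubeconfig to KUBECONFIG_DATA secret in $repo_url/settings/actions/secrets
# Step 5: edit $repo_url/src/branch/main/.gitea/workflows/deploy.yaml
# Done!
EOFFF
}

main() {
  detect_inputs
  local sa_name="${NAMESPACE}-${SA_SUFFIX}"
  local repo_url
  # Best effort: a missing or malformed context only degrades the hints in
  # Steps 4/5, so jq failures are tolerated here.
  repo_url=$(jq -r '.event.repository.html_url // empty' <<<"${GITHUB_CONTEXT:-null}" 2>/dev/null) || repo_url=""
  : "${repo_url:=<repository-url>}"
  print_recipe_header
  print_rbac_manifests "$sa_name" "$NAMESPACE"
  print_kubeconfig_recipe "$sa_name" "$NAMESPACE" "$repo_url"
}

main "$@"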