@abh006
Created April 29, 2022 18:50
deploy-to-k8s-from-gh-actions

Create an IAM user to be used in the pipeline (say a user with username: deploy). Assign the following policies to that user:

  • eks:DescribeCluster
  • eks:ListClusters

deploy.yaml

```yaml
name: Deploy
on:
  push:
    branches:
      - main
env:
  REGION_NAME: region-name
  CLUSTER_NAME: cluster-name
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup helmfile
        uses: mamezou-tech/setup-helmfile@v0.9.0
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.REGION_NAME }}
      - name: Configure Kubeconfig
        run: |
          # -p: do not fail if the directory already exists on the runner
          mkdir -p "$HOME/.kube"
          # the secret holds the kubeconfig as a base64 string; decode it to the default path
          echo "${{ secrets.KUBECONFIG }}" | base64 -d > "$HOME/.kube/config"
          chmod 600 "$HOME/.kube/config"
      - name: Apply Helmfile
        run: |
          export KUBECONFIG="$HOME/.kube/config"
          helmfile apply
```

The kubeconfig must be generated as the IAM user created for the pipeline, and the content of the .kube/config file must be added to the GitHub secrets as a base64-encoded string. All other secrets should be added accordingly.
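The "Configure Kubeconfig" step above pipes a secret straight through `base64 -d` onto disk, so a mis-pasted secret (extra line breaks, wrong encoding, a value that is not a kubeconfig at all) only surfaces when `helmfile apply` fails with an unrelated error. The script below is an added example, not part of the gist, showing the same encode/decode round-trip with the checks a pipeline step should make before writing the file: strict base64 validation, a sanity check that the payload is a kubeconfig, and a file created with mode 0600 rather than chmod'ed after the fact. The sample kubeconfig and the names `example`, `deploy` and `cluster-name` are constructed placeholders.

```python
import base64
import binascii
import os
import stat
import tempfile

# Constructed sample kubeconfig (placeholder cluster/user, not a real cluster).
# It uses the exec plugin the way `aws eks update-kubeconfig` generates it.
SAMPLE_KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- name: example
  cluster:
    server: https://example.invalid
users:
- name: deploy
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args: ["eks", "get-token", "--cluster-name", "cluster-name"]
contexts:
- name: deploy@example
  context:
    cluster: example
    user: deploy
current-context: deploy@example
"""

# Minimal markers a decoded payload must contain before we trust it as a kubeconfig.
REQUIRED_MARKERS = ("kind: Config", "current-context:", "clusters:", "users:")


def encode_secret(kubeconfig: str) -> str:
    """Produce the single-line base64 value to store in the KUBECONFIG secret."""
    return base64.b64encode(kubeconfig.encode("utf-8")).decode("ascii")


def decode_secret(value: str) -> str:
    """Strictly decode the secret; line breaks from a wrapped paste are tolerated."""
    compact = "".join(value.split())
    try:
        text = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, ValueError) as exc:
        raise ValueError("KUBECONFIG secret is not valid base64/UTF-8") from exc
    missing = [m for m in REQUIRED_MARKERS if m not in text]
    if missing:
        raise ValueError(f"decoded secret does not look like a kubeconfig, missing {missing}")
    return text


def install_kubeconfig(secret_value: str, path: str) -> int:
    """Write the decoded kubeconfig to `path` with mode 0600 and return the resulting mode."""
    text = decode_secret(secret_value)
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    # Create the file already restricted instead of chmod'ing after a world-readable write.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # covers a pre-existing file with looser permissions
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_install(secret_value: str):
    """Install into a throwaway directory (stand-in for $HOME/.kube); return (mode, content)."""
    home = tempfile.mkdtemp()
    path = os.path.join(home, ".kube", "config")
    mode = install_kubeconfig(secret_value, path)
    with open(path, encoding="utf-8") as fh:
        return mode, fh.read()


if __name__ == "__main__":
    encoded = encode_secret(SAMPLE_KUBECONFIG)
    mode, content = demo_install(encoded)
    print(f"installed kubeconfig with mode {mode:o}, {len(content)} bytes")
```

In the workflow, `encode_secret` corresponds to `base64 -w0 < ~/.kube/config` run once by the operator when creating the secret, and `install_kubeconfig` is what the "Configure Kubeconfig" step does; the difference is that a bad secret fails the step with a clear message instead of producing a broken file that `helmfile` trips over later.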

Steps:

  • Add the user created for the pipeline to the aws-auth config map:

    kubectl edit configmap aws-auth -n kube-system

    ```yaml
    apiVersion: v1
    data:
      ...
      mapUsers: |
        ...
        - userarn: arn:aws:iam::<the-account-id>:user/<the-username>
          username: <the-username>
    ```

  • Create a ClusterRole and ClusterRoleBinding.

    cluster-role.yaml

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: github-action-eks-user-role
    rules:
    - apiGroups: ['*']
      resources: ["deployments", "pods", "secrets"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    ```

    crb.yaml

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: github-action-eks-user-binding
    subjects:
    - kind: User
      name: <the-username>
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: github-action-eks-user-role
      apiGroup: rbac.authorization.k8s.io
    ```

    kubectl apply -f cluster-role.yaml
    kubectl apply -f crb.yaml
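Two things decide whether the RBAC above works and how much a leaked pipeline kubeconfig is worth: the `username` in `mapUsers` must equal the `name` of the `User` subject in the binding (EKS maps the IAM ARN to that Kubernetes username, and RBAC matches on the username, not the ARN), and the role's scope (`apiGroups: ['*']`, `secrets`, all verbs, bound cluster-wide) sets the blast radius. The audit script below is an added example, not part of the gist: it takes the ClusterRole, ClusterRoleBinding and `mapUsers` text in the shape `kubectl get ... -o json` / `kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapUsers}'` would return, checks the username linkage, and flags the over-broad grants. The manifests are constructed copies of the ones above with `deploy` filled in for `<the-username>` and the AWS documentation account id `123456789012` as a placeholder; the `mapUsers` mini-parser assumes the flat list shape aws-auth uses (each `- userarn:` item at column 0, optional `groups` list).

```python
# Constructed manifests mirroring cluster-role.yaml and crb.yaml from the gist,
# as dicts in the shape `kubectl get ... -o json` returns. Placeholder names.
CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "github-action-eks-user-role"},
    "rules": [{
        "apiGroups": ["*"],
        "resources": ["deployments", "pods", "secrets"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}

CLUSTER_ROLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "github-action-eks-user-binding"},
    "subjects": [{"kind": "User", "name": "deploy", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "github-action-eks-user-role",
                "apiGroup": "rbac.authorization.k8s.io"},
}

# Constructed aws-auth `mapUsers` value (the YAML string stored in the ConfigMap).
AWS_AUTH_MAP_USERS = """- userarn: arn:aws:iam::123456789012:user/deploy
  username: deploy
"""

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def parse_map_users(text: str):
    """Tiny parser for the flat aws-auth mapUsers list (assumption: items start at
    column 0 with `- userarn:`, scalar keys, and an optional `groups` list)."""
    users, current, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw.startswith("- "):                 # new user entry
            current, list_key = {}, None
            users.append(current)
            line = line[2:].strip()
        elif line.startswith("- ") and list_key:  # element of e.g. `groups:`
            current[list_key].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")      # ARNs contain ':'; split on the first only
        key, value = key.strip(), value.strip()
        if value == "":
            current[key], list_key = [], key
        else:
            current[key], list_key = value, None
    return users


def audit_role(role):
    """Flag grants in a (Cluster)Role that exceed what a helmfile deploy user needs."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in groups:
            findings.append(f"rule {i}: apiGroups ['*'] matches every group serving {resources}; "
                            "name them ('' for pods/secrets, 'apps' for deployments)")
        if "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard resources or verbs")
        if "secrets" in resources:
            findings.append(f"rule {i}: grants {sorted(verbs)} on secrets; bound cluster-wide "
                            "this exposes every namespace's secrets to the pipeline identity")
    return findings


def audit_binding(binding, role, map_users):
    """Check the binding actually targets the mapped user and note cluster-wide write scope."""
    findings = []
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        findings.append("roleRef does not name the audited ClusterRole")
    mapped = {u.get("username") for u in map_users}
    for subj in binding.get("subjects", []):
        if subj["kind"] == "User" and subj["name"] not in mapped:
            findings.append(f"subject User {subj['name']} has no aws-auth mapUsers entry with that "
                            "username; the binding never matches the pipeline identity")
    for user in map_users:
        if "system:masters" in user.get("groups", []):
            findings.append(f"{user.get('userarn')} is mapped into system:masters; RBAC is bypassed")
    writes = any(WRITE_VERBS & set(r.get("verbs", [])) for r in role.get("rules", []))
    if binding["kind"] == "ClusterRoleBinding" and writes:
        findings.append("ClusterRoleBinding grants write verbs cluster-wide; a RoleBinding in the "
                        "deploy namespace(s) limits the blast radius of a leaked kubeconfig")
    return findings


if __name__ == "__main__":
    users = parse_map_users(AWS_AUTH_MAP_USERS)
    for line in audit_role(CLUSTER_ROLE) + audit_binding(CLUSTER_ROLE_BINDING, CLUSTER_ROLE, users):
        print("-", line)
```

Run against the gist's manifests it reports the wildcard `apiGroups`, the cluster-wide `secrets` access and the ClusterRoleBinding scope; change the `username` in `mapUsers` to something other than the binding subject and it reports the mismatch that otherwise shows up only as `Forbidden` errors from `helmfile apply`.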