From 0d360cf49d62a795a910c83207e019905129e395 Mon Sep 17 00:00:00 2001 From: Steffen Neubauer Date: Tue, 11 Jun 2024 14:37:17 +0200 Subject: [PATCH] improvement: remove kubeconfig inputs The Kubeconfig inputs turned out to confuse some of our users. Let's move the responsibility to set up the Kubeconfig to the user, just like we do with Garden itself. This makes the action easier to understand if you already know how to use Garden. See also https://discord.com/channels/817392104711651328/1245455859694178334 --- .github/workflows/test-garden.yaml | 11 ++----- README.md | 47 +++++++++++++----------------- action.yaml | 34 +++------------------ 3 files changed, 28 insertions(+), 64 deletions(-) diff --git a/.github/workflows/test-garden.yaml b/.github/workflows/test-garden.yaml index b66e764..784a1e9 100644 --- a/.github/workflows/test-garden.yaml +++ b/.github/workflows/test-garden.yaml @@ -44,20 +44,15 @@ jobs: - name: Test 4 - Version should be 0.12.44 run: garden --version - - name: Test 5 – Prepare kubeconfig and garden-auth-token + - name: Test 5 – Prepare garden-auth-token uses: ./ with: - kubeconfig: Zm9vYmFy garden-auth-token: foobar - - name: Test 6 – Test if kubeconfig and garden-auth-token is prepared + - name: Test 6 – Test if garden-auth-token is prepared run: | - if [[ "$(cat $KUBECONFIG)" != "foobar" ]]; then - echo "The $KUBECONFIG file did not contain the expected string foobar" - exit 1 - fi if [[ "$GARDEN_AUTH_TOKEN" != "foobar" ]]; then echo "The $GARDEN_AUTH_TOKEN variable was not set to the expected string foobar" exit 1 fi - echo "Test passed" \ No newline at end of file + echo "Test passed" diff --git a/README.md b/README.md index 0528b67..3c5d37e 100644 --- a/README.md +++ b/README.md 
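Review bot: The failure message kept in Test 6 expands `$GARDEN_AUTH_TOKEN` inside double quotes, so a failing run prints whatever value the variable holds instead of naming the variable. With the dummy `foobar` this is harmless, but the failure branch is exactly the case where the value is not the expected one, so the same pattern copied into a real workflow could put an unmasked token-like string in the job log. I would name the variable literally: `echo "GARDEN_AUTH_TOKEN was not set to the expected string foobar"`. The line is unchanged context in this hunk, and the `run` block sits inside a job whose start is outside the hunk.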
@@ -2,7 +2,7 @@ This action installs garden and can optionally be used to run any [Garden](https://garden.io) command, for example `deploy`, `test` or `run workflow`. -Garden combines rapid development, testing, and DevOps automation in one tool. +Garden combines rapid development, testing, and DevOps automation in one tool. This action will perform the following steps: @@ -11,7 +11,9 @@ This action will perform the following steps: 3. Export garden to the `PATH`, so it can be used from any scripts in the following steps of the GitHub Action job. 4. If the `command` option is provided, it will run the given garden command. - If the `command` option is *not* provided it will only prepare garden, which means it will also export the `KUBECONFIG` and `GARDEN_AUTH_TOKEN` environment variables if the `kubeconfig` and `garden-auth-token` are configured. This is helpful when calling `garden` in scripts from one of the following steps. + If the `command` option is *not* provided it will only prepare garden, which means it will install Garden and export it to the `PATH` environment variable. It will also export the `GARDEN_AUTH_TOKEN` environment variable `garden-auth-token` is configured. + + This is helpful when calling `garden` in scripts from one of the following steps. **Note:** At the moment this action only works with Linux-based GitHub Action runners. If you are using macOS or Windows runners and need this action, please open a GitHub issue – in case there is demand, we will rewrite this action to make it platform-independent. (We also accept Pull requests for rewriting this Action in Typescript) 
@@ -22,31 +24,12 @@ If you are using macOS or Windows runners and need this action, please open a Gi **Optional** The Garden command to execute, including all options. For example `deploy`, `test`, `run workflow` etc. -If not provided, the garden-action will only install garden and export the `KUBECONFIG` and `GARDEN_AUTH_TOKEN` environment variables for use in scripts in later steps. +If not provided, the garden-action will +- install garden and export it to the `PATH` environment variable for subsequent steps +- export the `GARDEN_AUTH_TOKEN` environment variable for subsequent steps if the `garden-auth-token` input has been provided For the full documentation please refer to the [Garden CLI documentation](https://docs.garden.io/reference/commands). -## `kubeconfig` - -**Optional** Authentication to a Kubernetes Cluster can be done in multiple ways. This option allows to specify a base64 encoded kubeconfig, as a secret for GitHub actions. To use this option, base64 encode the relevant kubeconfig with the context referenced in your Garden project: - -``` - -cat kubeconfig.yaml | base64 - -``` - -Encoding is necessary to deal with newlines and special characters. This action will decode the kubeconfig for usage in the action. - -The secret will be [masked to prevent accidental exposure in logs](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-log) - -**If no command has been supplied, the action will expose this value to the the following steps in the GitHub Action job by exporting a `KUBECONFIG` environment variable.** - -## `kubeconfig-location` - -**Optional** Specify a location the GitHub action should be saved to in the container while running the action. This is only necessary if you have configured the `kubeconfig` parameter in your project.garden.yaml provider configuration. Please note that the home directory in the GitHub action context is `/github/home`. 
-Defaults to `${{ runner.temp }}/garden/kubeconfig` - ## `garden-version` **Optional** Garden version. Default is latest @@ -98,12 +81,18 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_EKS_DEV }} role-session-name: GitHubActionsDev role-duration-seconds: 3600 + - name: AWS EKS Kubeconfig + run: | + # Add EKS cluster ${cluster_name} to ~/.kube/config + # NOTE: The context name will be the EKS cluster ARN by default. + # If your Garden configuration expects a different context name, + # you can add override it using the `--alias` option. + aws eks update-kubeconfig --name ${cluster_name} --region ${region} - uses: actions/checkout@v3.0.2 - name: Deploy preview env with Garden uses: garden-io/garden-action@v1.1 with: command: deploy --env preview - kubeconfig: ${{ secrets.KUBECONFIG }} garden-auth-token: ${{ secrets.GARDEN_AUTH_TOKEN }} garden-ci: runs-on: ubuntu-latest @@ -115,6 +104,13 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_EKS_DEV }} role-session-name: GitHubActionsDev role-duration-seconds: 3600 + - name: AWS EKS Kubeconfig + run: | + # Add EKS cluster ${cluster_name} to ~/.kube/config + # NOTE: The context name will be the EKS cluster ARN by default. + # If your Garden configuration expects a different context name, + # you can add override it using the `--alias` option. + aws eks update-kubeconfig --name ${cluster_name} --region ${region} - uses: actions/checkout@v3.0.2 - name: Run tests in ci environment with Garden uses: garden-io/garden-action@v1.1 @@ -123,6 +119,5 @@ jobs: test --env ci --var postgres-database=postgres --var postgres-password=${{ secrets.PG_PASSWORD }} - kubeconfig: ${{ secrets.KUBECONFIG }} garden-auth-token: ${{ secrets.GARDEN_AUTH_TOKEN }} ``` diff --git a/action.yaml b/action.yaml index bade454..4c2fb2f 100644 --- a/action.yaml +++ b/action.yaml 
@@ -8,8 +8,9 @@ inputs: description: | All command line options for the garden cli command. - If not provided, the garden-action will only install garden and export the KUBECONFIG and GARDEN_AUTH_TOKEN - environment variables for use in scripts in later steps. + If not provided, the garden-action will + - install garden and export it to the `PATH` environment variable for subsequent steps + - export the `GARDEN_AUTH_TOKEN` environment variable for subsequent steps if the `garden-auth-token` input has been provided required: false logger-type: description: 'Garden logger type. Defaults to basic.' @@ -19,13 +20,6 @@ inputs: description: 'Garden log level. Defaults to verbose.' required: false default: verbose - kubeconfig: - description: 'A base64 encoded string of the kubeconfig to use with Garden. Optional.' - required: false - kubeconfig-location: - description: 'Path where Garden expects the kubeconfig. Defaults to $HOME/kube/config.' - required: false - default: ${{ runner.temp }}/garden/kubeconfig garden-version: description: 'Garden version. Defaults to latest stable.' required: false @@ -36,7 +30,7 @@ inputs: garden-workdir: description: | A path to a garden project in a repository. - + Only necessary if there are multiple garden projects in a repository, or when the project.garden.yml is in a subdirectory. github-token: description: 'Github token for releases API. Required. Defaults to the `github.token` context variable.' 
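Review bot: The rewritten `command` description says `GARDEN_AUTH_TOKEN` is exported "for subsequent steps" but leaves out what that means for the secret. The export step later in action.yaml appends the token to `$GITHUB_ENV`, so every later step in the same job can read it, including third-party actions. I would add a line to the description (and to the matching README paragraph) such as `Note: the exported token is readable by every later step in this job; keep actions you do not trust in a separate job.` Since the following hunk drops the `kubeconfig` and `kubeconfig-location` inputs, it would also help to state here that they are no longer accepted. As far as I can tell, a workflow that still passes them gets only an unexpected-input warning and then runs against whatever kubeconfig is present on the runner.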
@@ -48,28 +42,14 @@ runs: - name: prepare shell: bash env: - kubeconfig_base64: ${{ inputs.kubeconfig }} - kubeconfig_location: ${{ inputs.kubeconfig-location }} garden_auth_token: ${{ inputs.garden-auth-token }} github_token: ${{ inputs.github-token }} run: | # Prepare # Mask secrets - [[ "${kubeconfig_base64}" != "" ]] && echo "::add-mask::${kubeconfig_base64}" [[ "${garden_auth_token}" != "" ]] && echo "::add-mask::${garden_auth_token}" [[ "${github_token}" != "" ]] && echo "::add-mask::${github_token}" - - # Prepare Kubeconfig - if [[ ! -d "$(dirname "${kubeconfig_location}")" ]]; then - mkdir -p "$(dirname "${kubeconfig_location}")" - fi - - # Write kubeconfig - if [[ -n "${kubeconfig_base64}" ]]; then - echo "${kubeconfig_base64}" | base64 -d > "${kubeconfig_location}" - chmod 700 "${kubeconfig_location}" - fi - name: download garden shell: bash env: @@ -115,7 +95,6 @@ runs: shell: bash env: command: ${{ inputs.command }} - KUBECONFIG: ${{ inputs.kubeconfig-location }} GARDEN_AUTH_TOKEN: ${{ inputs.garden-auth-token }} GARDEN_LOGGER_TYPE: ${{ inputs.logger-type }} GARDEN_LOG_LEVEL: ${{ inputs.log-level }} @@ -125,14 +104,9 @@ runs: if: ${{ !inputs.command }} shell: bash env: - kubeconfig_base64: ${{ inputs.kubeconfig }} - kubeconfig_location: ${{ inputs.kubeconfig-location }} garden_auth_token: ${{ inputs.garden-auth-token }} run: | # Export environment variables - if [[ "${kubeconfig_base64}" != "" ]]; then - echo "KUBECONFIG=${kubeconfig_location}" >> "$GITHUB_ENV" - fi if [[ "${garden_auth_token}" != "" ]]; then echo "GARDEN_AUTH_TOKEN=${garden_auth_token}" >> "$GITHUB_ENV" fi