
How to deploy an artifact on EKS with GitHub Actions and OIDC

I have a private EKS cluster and I'm trying to deploy some services on it using GitHub Actions. It works ok when I pass account credentials as a secret, and the kubeconfig file as well. Like this:

name: Release

on:
  pull_request:
    branches: [main]

env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1

      - name: helm deploy
        uses: koslib/helm-eks-action@master
        env:
          KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_DATA }}
        with:
          command: helm upgrade <release name> --install --wait <chart> -f <path to values.yaml>

But I think it would be better if I could use OIDC for that CI/CD and then fetch the kubeconfig file with

aws eks update-kubeconfig --name <cluster>

And the role to implement the OIDC connection looks like

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}

data "aws_iam_policy_document" "github_actions_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.openid_connect_provider.arn]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.organization}/${var.name}:*"]
    }
  }
}

Unfortunately, when I configure the role I have no idea how I can attach it to a service account to be able to install the helm chart.

I think the better approach would be to deploy a self-hosted runner in your k8s cluster and use OIDC to grant the runner pod the necessary permissions.

Assuming the role name is arn:aws:iam::XXXX:role/github-oidc-provider-aws and the trust relationship is set as well on that role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::XXXXXX:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:GithubOrg/repository-name:ref:refs/heads/main"
                }
            }
        }
    ]
}

As well as the identity provider set up and working fine.

What needs to be set on EKS: AWS auth should be changed

  - rolearn: arn:aws:iam::XXXX:role/github-oidc-provider-aws
    username: github-action
    groups:
      - system:masters

Make sure you do not use system:masters but some other group created just for this access.确保您不使用system:masters而是专门为此访问创建的其他组。

As well, EKS does require kubernetes-sigs/aws-iam-authenticator in the PATH.
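Putting the answer's pieces together into a workflow, as an added example that is not part of the original question or answers: it reuses the placeholder role ARN, cluster name and helm arguments from above, and assumes a runner that can reach the cluster's API endpoint (for a private cluster, the self-hosted runner from the first answer) with the `aws` CLI, `kubectl` and `helm` installed; `<namespace>` is an added placeholder.

```yaml
name: Release

on:
  push:
    branches: [main]   # the trust policy above matches sub "ref:refs/heads/main";
                       # a pull_request trigger presents sub "repo:Org/repo:pull_request"
                       # and AssumeRoleWithWebIdentity would be denied

permissions:
  id-token: write      # lets the job request an OIDC token from GitHub
  contents: read       # nothing else; the job needs no other repository scopes

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Assume the deploy role via OIDC (no long-lived keys in secrets)
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::XXXX:role/github-oidc-provider-aws   # placeholder account id, as above
          role-session-name: github-action-${{ github.run_id }}             # shows up in CloudTrail
          aws-region: eu-central-1

      - name: Confirm which principal the job runs as
        run: aws sts get-caller-identity

      - name: Fetch kubeconfig for the cluster
        run: aws eks update-kubeconfig --name <cluster> --region eu-central-1   # placeholder cluster name

      - name: Check the aws-auth mapping before deploying
        # Fails fast if the role is not mapped, or its group lacks rights,
        # instead of failing half way through a helm upgrade
        run: kubectl auth can-i create deployments --namespace <namespace>

      - name: helm deploy
        run: helm upgrade <release name> --install --wait <chart> -f <path to values.yaml> --namespace <namespace>
```

The `sub` claim checked by the trust policy is the only thing tying this role to the repository and branch, so keep it as narrow as the trigger allows and pair it with a group in aws-auth that is scoped to the target namespace rather than system:masters.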
