K
Q

Keep k8s secrets in github actions

3/29/2021

We are trying to use github actions, and we want to keep sensitive data such as kubeconfig inside the github secrets I've created a GitHub secret with name KUBECONFIG1

Steps to reproduce

In the GitHub secret I should store the following file also tried to convert to JSON with this https://onlineyamltools.com/convert-yaml-to-json

apiVersion: v1
kind: Config
clusters:
  - name: brf
    cluster:
      certificate-authority-data: >-
        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTakNBd0t6RXBNQ2NHQTFVRUF4TWdkbWx5ZE2bUljTlRtakFWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
      server: 'https://vfg.canary.k8s.ondemand.com'
users:
  - name: user1
    user:
      token: >-
        eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuW1lc3BhY2UiOiJnYXJkZW4tZGV2e
contexts:
  - name: g-root
    context:
      cluster: garv
      user: robot
      namespace: gking
current-context: gaot

in the github actions workflow we keep the file content above with the name KUBECONFIG1 and create from it k8s secret.

name: Example action

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v2
      - name: install k8s
        run: |
          curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=777 sh -
          cat /etc/rancher/k3s/k3s.yaml
          mkdir -p ~/.kube
          cp /etc/rancher/k3s/k3s.yaml ~/.kube/config


     - run: 'echo -e "$KUBECONFIG1" > ~/.tmpfile.json'
        shell: bash
        env:
          KUBECONFIG1: ${{secrets.KUBECONFIG1}}
    
      - name: example 
        shell: bash
        run: |
          cd ~/
          kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default

After running this workflow I got the following error: 

error: error loading config file "/home/runner/work/_temp/kubeconfig_1617030542039": couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct *** APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" ***
Error: Process completed with exit code 1.

I try also to take the file content and use https://onlinelinuxtools.com/escape-shell-characters

As we work with Golang maybe I should take the kubeconfig and use it as go template and save the sensitive-data like token certificate-authority-data etc as github secret and during the workflow update the secrets value to the template but not sure how...

What I need at the end I need that the following command will work in the workflow

kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default

-- JJD
github
github-actions
go
json
kubernetes

Similar Questions

Kubectl Get Worker Nodes Only
How to configure envoy edge proxy for redis service in kubernetes?
Kubernetes not accepting new job definition
Configuring different pod configuration for different environments (Kubernetes + Google Cloud or Minikube)
Monitor ubuntu servers with Prometheus Operator

1 Answer

4/1/2021

The issue is with the below command

kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default

The problem is that ~ goes to kubectl which doesn't expand it to the home directory. So if you change it like below it will work

kubectl create secret generic project-kubecfg --from-file=/home/runner/.tmpfile.json -n default

Or rather use a fixed path instead of home directory with ~

-- Tarun Lalwani
Source: StackOverflow