Keep k8s secrets in github actions

3/29/2021

We are trying to use GitHub Actions, and we want to keep sensitive data such as the kubeconfig inside GitHub secrets. I've created a GitHub secret with the name KUBECONFIG1.

Steps to reproduce

In the GitHub secret I should store the following file. I also tried to convert it to JSON with https://onlineyamltools.com/convert-yaml-to-json

apiVersion: v1
kind: Config
clusters:
  - name: brf
    cluster:
      certificate-authority-data: >-
        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTakNBd0t6RXBNQ2NHQTFVRUF4TWdkbWx5ZE2bUljTlRtakFWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
      server: 'https://vfg.canary.k8s.ondemand.com'
users:
  - name: user1
    user:
      token: >-
        eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuW1lc3BhY2UiOiJnYXJkZW4tZGV2e
contexts:
  - name: g-root
    context:
      cluster: garv
      user: robot
      namespace: gking
current-context: gaot

In the GitHub Actions workflow we keep the file content above under the name KUBECONFIG1 and create a k8s secret from it.

name: Example action

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v2
      - name: install k8s
        run: |
          curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=777 sh -
          cat /etc/rancher/k3s/k3s.yaml
          mkdir -p ~/.kube
          cp /etc/rancher/k3s/k3s.yaml ~/.kube/config


      - run: 'echo -e "$KUBECONFIG1" > ~/.tmpfile.json'
        shell: bash
        env:
          KUBECONFIG1: ${{secrets.KUBECONFIG1}}

      - name: example
        shell: bash
        run: |
          cd ~/
          kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default

After running this workflow I got the following error:

error: error loading config file "/home/runner/work/_temp/kubeconfig_1617030542039": couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct *** APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" ***
Error: Process completed with exit code 1.

I also tried to take the file content and use https://onlinelinuxtools.com/escape-shell-characters

As we work with Golang, maybe I should take the kubeconfig and use it as a Go template, save the sensitive data (token, certificate-authority-data, etc.) as GitHub secrets, and during the workflow update the template with the secret values, but I'm not sure how...

What I need in the end is for the following command to work in the workflow:

kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default

-- JJD
github
github-actions
go
json
kubernetes

1 Answer

4/1/2021

The issue is with the below command

kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default

The problem is that ~ goes to kubectl which doesn't expand it to the home directory. So if you change it like below it will work

kubectl create secret generic project-kubecfg --from-file=/home/runner/.tmpfile.json -n default

Or rather use a fixed path instead of home directory with ~

-- Tarun Lalwani
Source: StackOverflow
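
The tilde behaviour described in the answer, as an added example that is not part of the original post: the shell passes `--from-file=~/...` through unchanged, while `$HOME` is expanded before the program starts. The helper names, the sample content and the use of `printf` under `umask 077` to write the secret file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Names and sample data are constructed.

# Print the path a program receives after "--from-file=". The program gets the
# argument exactly as the shell built it and does no tilde expansion of its own.
from_file_path() {
  printf '%s' "${1#--from-file=}"
}

# Write a multi-line secret to a file readable only by the current user.
# printf '%s\n' writes the value verbatim; echo -e would interpret backslash
# sequences such as \n that may occur inside the secret.
write_secret_file() {
  ( umask 077 && printf '%s\n' "$1" > "$2" )
}

demo() {
  # Constructed stand-in for the secret's content (no real credentials).
  sample='apiVersion: v1
kind: Config
current-context: example'
  write_secret_file "$sample" "$HOME/.tmpfile.json"

  # The tilde is not at the start of the word and "--from-file" is not a valid
  # variable name, so neither sh nor bash expands it.
  literal=$(from_file_path --from-file=~/.tmpfile.json)
  # "$HOME" is expanded anywhere inside a word.
  expanded=$(from_file_path --from-file="$HOME/.tmpfile.json")

  for p in "$literal" "$expanded"; do
    if [ -f "$p" ]; then echo "found:   $p"; else echo "missing: $p"; fi
  done
}

# Run against a throwaway HOME so the real home directory is not touched.
( tmp=$(mktemp -d) && HOME=$tmp && demo; rm -rf "$tmp" )
```
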