We are trying to use github actions
, and we want to keep sensitive data such as kubeconfig
inside the github secrets
I've created a GitHub secret with name KUBECONFIG1
Steps to reproduce
In the GitHub secret I should store the following file also tried to convert to JSON with this https://onlineyamltools.com/convert-yaml-to-json
apiVersion: v1
kind: Config
clusters:
- name: brf
cluster:
certificate-authority-data: >-
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTakNBd0t6RXBNQ2NHQTFVRUF4TWdkbWx5ZE2bUljTlRtakFWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
server: 'https://vfg.canary.k8s.ondemand.com'
users:
- name: user1
user:
token: >-
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuW1lc3BhY2UiOiJnYXJkZW4tZGV2e
contexts:
- name: g-root
context:
cluster: garv
user: robot
namespace: gking
current-context: gaot
in the github actions workflow we keep the file content above with the name KUBECONFIG1
and create from it k8s secret.
name: Example action
on: [push]
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v2
- name: install k8s
run: |
curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE=777 sh -
cat /etc/rancher/k3s/k3s.yaml
mkdir -p ~/.kube
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
- run: 'echo -e "$KUBECONFIG1" > ~/.tmpfile.json'
shell: bash
env:
KUBECONFIG1: ${{secrets.KUBECONFIG1}}
- name: example
shell: bash
run: |
cd ~/
kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default
After running this workflow I got the following error:
error: error loading config file "/home/runner/work/_temp/kubeconfig_1617030542039": couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct *** APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" ***
Error: Process completed with exit code 1.
I try also to take the file content and use https://onlinelinuxtools.com/escape-shell-characters
As we work with Golang maybe I should take the kubeconfig and use it as go template and save the sensitive-data
like token
certificate-authority-data
etc as github secret and during the workflow update the secrets value to the template but not sure how...
What I need at the end I need that the following command will work in the workflow
kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default
The issue is with the below command
kubectl create secret generic project-kubecfg --from-file=~/.tmpfile.json -n default
The problem is that ~
goes to kubectl
which doesn't expand it to the home directory. So if you change it like below it will work
kubectl create secret generic project-kubecfg --from-file=/home/runner/.tmpfile.json -n default
Or rather use a fixed path instead of home directory with ~