bennysp/github-actions-deploy-eks-helm

 
 


Deploy Helm charts to AWS EKS cluster

bitovi/github-actions-deploy-eks-helm deploys Helm charts to an EKS cluster.

Action Summary

This action deploys Helm charts to an EKS cluster, allowing ECR/OCI as sources, and handling plugin installation, using this awesome Docker image as base.

Note: If your EKS cluster administrative access is in a private network, you will need to use a self hosted runner in that network to use this action.

If you would like to deploy a backend app/service, check out our other actions:

| Action | Purpose |
| --- | --- |
| Deploy Docker to EC2 | Deploys a repo with a Dockerized application to a virtual machine (EC2) on AWS |
| Deploy React to GitHub Pages | Builds and deploys a React application to GitHub Pages. |
| Deploy static site to AWS (S3/CDN/R53) | Hosts a static site in AWS S3 with CloudFront |

And more! Check our list of actions in the GitHub marketplace.

Need help or have questions?

This project is supported by Bitovi, a DevOps consultancy.

You can get help or ask questions on our:

Customizing

Note: Although Helm repositories are different from OCI registries, the chart-repository variable supports both options.

See the example below for reference; usage should be similar to using a repo.

Note on charts list command

You can use the name as a way to filter results, or just leave it blank to get all the charts available.

Inputs

The following inputs can be used as step.with keys.

| Name | Type | Description |
| --- | --- | --- |
| aws-secret-access-key | String | AWS secret access key, part of the AWS credentials. Used to log in to EKS. |
| aws-access-key-id | String | AWS access key ID, part of the AWS credentials. Used to log in to EKS. |
| aws-region | String | AWS region to use. This must match the region your desired cluster lies in. |
| cluster-name | String | The name of the desired cluster. |
| cluster-role-arn | String | If you wish to assume an admin role, provide the ARN of the role to log in as. |
| action | String | Determines whether to install or uninstall the chart, or list. (Optional, defaults to install) |
| dry-run | Boolean | Toggles the dry-run option for the install/uninstall action. (Defaults to false) |
| config-files | String | Comma-separated list of Helm values files. |
| namespace | String | Kubernetes namespace to use. To create the namespace if it doesn't exist, also set create-namespace to true. |
| create-namespace | Boolean | Adds --create-namespace when set to true. Requires cluster API permissions. (Default: true) |
| values | String | Comma-separated list of values to set for Helm, e.g. key1=value1,key2=value2 |
| name | String | The name of the Helm release. |
| chart-path | String | The path to the chart. (Defaults to helm/) |
| chart-repository | String | The URL of the chart repository. (Optional) Note: for an OCI-based registry, set the URL to oci:// |
| version | String | The version of the chart. (Optional) |
| plugins | String | Comma-separated list of plugins to install, e.g. https://github.com/hypnoglow/helm-s3.git, https://github.com/someuser/helm-plugin.git (defaults to none) |
| timeout | String | The value of the timeout for the Helm release. |
| update-deps | Boolean | Update chart dependencies. |
| helm-wait | String | Adds the helm --wait flag to the Helm release. (Optional) |
| atomic | String | Adds the helm --atomic flag if set. (Optional) |
| ca-file | String | Verify certificates of HTTPS-enabled servers using this CA bundle. |
| cert-file | String | Identify the HTTPS client using this SSL certificate file. |
| key-file | String | Identify the HTTPS client using this SSL key file. |
| insecure-skip-tls-verify | String | Skip TLS certificate checks for the chart download. |
| pass-credentials | String | Pass credentials to all domains. (Optional) |
| username | String | Chart repository username where to locate the requested chart. |
| password | String | Chart repository password where to locate the requested chart. |
| use-secrets-vals | Boolean | Use the secrets plugin with vals to evaluate the secrets. |
| helm-extra-args | String | Appends a string of extra Helm options not covered by the other inputs of this action. |
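
Several of these inputs relax transport or credential handling when set: insecure-skip-tls-verify, pass-credentials, arbitrary plugins URLs, and free-form helm-extra-args. The check below is an added example, not code from this project; it audits a step's with: block for those settings, and SAMPLE_STEP, ALLOWED_PLUGINS and the function names are assumptions made for illustration.

```python
import re
# Constructed sample step shaped like the README examples; all values are made up.
SAMPLE_STEP = """\
- uses: bitovi/github-actions-deploy-eks-helm@<version>
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: EXAMPLE-LITERAL-KEY
    insecure-skip-tls-verify: true
    pass-credentials: true
    plugins: https://github.com/hypnoglow/helm-s3.git, https://plugins.example.invalid/x.git
    helm-extra-args: --debug --insecure-skip-tls-verify
"""

SECRET_INPUTS = ("aws-access-key-id", "aws-secret-access-key", "password")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
RISKY_FLAGS = ("insecure-skip-tls-verify", "pass-credentials")
# Assumption: plugin sources your team has reviewed; replace with your own list.
ALLOWED_PLUGINS = {"https://github.com/hypnoglow/helm-s3.git"}

def parse_with(step_text):
    """Collect the flat key/value pairs nested under the step's `with:` key."""
    inputs, base = {}, None
    for line in step_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "with:":
            base = indent
        elif base is not None and line.strip():
            if indent <= base:
                break
            key, _, value = line.strip().partition(":")
            inputs[key.strip()] = value.strip().strip("'\"")
    return inputs

def audit(inputs):
    """Return (input name, reason) pairs for settings that weaken the deploy."""
    findings = []
    for key in SECRET_INPUTS:
        if key in inputs and not SECRET_REF.fullmatch(inputs[key]):
            findings.append((key, "literal value instead of a secrets.* reference"))
    for flag in RISKY_FLAGS:
        if inputs.get(flag, "").lower() == "true":
            findings.append((flag, "enabled"))
        if f"--{flag}" in inputs.get("helm-extra-args", ""):
            findings.append(("helm-extra-args", f"passes --{flag}"))
    for url in inputs.get("plugins", "").replace(",", " ").split():
        if url not in ALLOWED_PLUGINS:
            findings.append(("plugins", f"unreviewed plugin source {url}"))
    return findings

print(audit(parse_with(SAMPLE_STEP)))
```

The parser only handles the flat key: value layout used in this README's examples; run it as a pre-merge check on workflow files that call the action.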

Example 1 - local repo chart

    - name: Deploy Helm
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
        cluster-name: mycluster
        config-files: .github/values/dev.yaml
        chart-path: chart/
        namespace: dev
        values: key1=value1,key2=value2
        name: release_name

Example 2 - Custom Chart Repo

    - name: Deploy Helm
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
        cluster-name: mycluster
        cluster-role-arn: ${{ secrets.AWS_ROLE_ARN }}
        config-files: fluent-bit/prod/values.yaml
        chart-path: fluent/fluent-bit
        namespace: logging
        create-namespace: true
        name: fluent-bit
        chart-repository: https://fluent.github.io/helm-charts
        version: 0.20.6
        atomic: true

Example 3 - OCI Chart Repo

    - name: Deploy Helm
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
        cluster-name: mycluster
        cluster-role-arn: ${{ secrets.AWS_ROLE_ARN }}
        chart-repository: oci://registry.io/
        chart-path: organization/chart
        namespace: org
        name: some-name
        version: 0.1.0

Example 4 - Separate AWS login

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: arn:aws:iam::${{ env.aws-account-id }}:role/${{ env.aws-assume-role }}
        aws-region: ${{ env.aws-region }}

    - name: Install Helm Chart
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-region: ${{ env.aws-region }}
        cluster-name: eks-cluster-${{ env.environment }}
        # ... (put your other arguments here)

Example 5 - Use secrets with vals backend

    - name: Deploy Helm
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
        cluster-name: mycluster
        config-files: .github/values/dev.yaml
        chart-path: chart/
        namespace: dev
        values: key1=value1,key2=value2
        name: release_name
        use-secrets-vals: true
        plugins: https://github.com/jkroepke/helm-secrets

Example 6 - Use with S3 as repo

    - name: Deploy S3 Helm chart
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
        chart-repository: s3://my-s3-bucket/
        chart-path: my-service/my-service
        version: 0.1.0
        cluster-name: mycluster
        namespace: dev
        name: my_service_name
        plugins: https://github.com/hypnoglow/helm-s3.git

Example 7 - Using a different role in action vs the role the cluster was built with

action.yaml

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: arn:aws:iam::${{ env.aws-account-id }}:role/${{ env.aws-assume-role }}
        aws-region: ${{ env.aws-region }}
    - name: Install Helm Chart
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-region: ${{ env.aws-region }}
        cluster-name: eks-cluster-${{ env.environment }}
        # ... (put your other arguments here)

terraform.tf

    # ... (surrounding code)

    module "eks" {
      source  = "terraform-aws-modules/eks/aws"
      version = "~> 20.11.1"

      # ... (surrounding code)

      access_entries = {
        # The map key is an arbitrary label for this entry.
        action_role = {
          kubernetes_groups = []
          principal_arn     = var.aws-assume-role.role_arn

          policy_associations = {
            access_entry_policy = {
              policy_arn = var.aws-assume-role.aws_policy_arn
              access_scope = {
                type = "cluster"
              }
            }
          }
        }
      }
    }

    # ... (surrounding code)

NOTE: If you see an error like Not Authorized or Kubernetes cluster unreachable: the server has asked for the client to provide credentials, this could be because this action is using a different role than the role the EKS cluster was built with. The previous fix was to add an entry to the aws-auth ConfigMap in the kube-system namespace; however, AWS now uses Access Entries, and those would need to be adjusted to give the action role access to the EKS cluster.
You may be able to use some AssumedRole method where you chain the roles together in the AWS authentication instead.

Example Uninstall

    - name: Deploy Helm
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
        action: uninstall
        cluster-name: mycluster
        namespace: dev
        name: release_name

Example List

    - name: Deploy Helm
      uses: bitovi/github-actions-deploy-eks-helm@<version>
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2
        action: list
        namespace: dev
        name: release_name

Contributing

We would love for you to contribute to bitovi/github-actions-deploy-eks-helm. Issues and Pull Requests are welcome!

License

The scripts and documentation in this project are released under the MIT License.

Provided by Bitovi

Bitovi is a proud supporter of Open Source software.

Need help or have questions?

You can get help or ask questions on our Discord channel! Come hang out with us!

Or, you can hire us for training, consulting, or development. Set up a free consultation.
