Skip to content

czerasz-mineiros/get-gke-credentials

BranchesTags
 
 

Repository files navigation

get-gke-credentials

This action configures authentication to a GKE cluster via a kubeconfig file that can be used with kubectl or other methods of interacting with the cluster.

Authentication is performed by generating a short-lived token (default behaviour) or via the GCP auth plugin present in kubectl which uses the service account keyfile path in GOOGLE_APPLICATION_CREDENTIALS.

Prerequisites

This action requires:

  • Google Cloud credentials that are authorized to view a GKE cluster. See the Authorization section below for more information.

  • Create a GKE cluster

Usage

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - id: 'get-credentials'
      uses: 'google-github-actions/get-gke-credentials@v0'
      with:
        cluster_name: 'my-cluster'
        location: 'us-central1-a'

    # The KUBECONFIG env var is automatically exported and picked up by kubectl.
    - id: 'get-pods'
      run: 'kubectl get pods'

Inputs

  • cluster_name - (Required) Name of the cluster for which to get credentials. If specified as a full resource name (e.g. "projects/p/locations/l/clusters/c"), then then "project_id" and "location" inputs are optional. If only specified as the name (e.g. "my-cluster"), then the "project_id" and "location" inputs may be required.

  • location - (Optional) Location (e.g. region or zone) in which the cluster resides. This value is required unless you specify "cluster_name" as a full resource name.

  • project_id - (Optional) Project ID where the cluster is deployed. If provided, this will override the project configured by previous steps or environment variables. If not provided, the project will be inferred, best-effort.

  • use_auth_provider - (Optional) If true, use the Google Cloud auth plugin in kubectl instead of a short-lived access token. The default value is false.

  • use_internal_ip - (Optional) If true, use the internal IP address for the cluster endpoint. This is mostly used with private GKE clusters. The default value is false.

  • credentials - (DEPRECATED) This input is deprecated. See auth section for more details. Service account key to use for authentication. This should be the JSON formatted private key which can be exported from the Cloud Console. The value can be raw or base64-encoded.

Outputs

  • Exports env var KUBECONFIG which is set to the generated kubeconfig file path.

Authorization

There are a few ways to authenticate this action. A service account will be needed with at least the following roles:

  • Kubernetes Engine Cluster Viewer (roles/container.clusterViewer):
    • Get and list access to GKE Clusters. `

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication. by specifying the credentials input. This Action supports both the recommended Workload Identity Federation based authentication and the traditional Service Account Key JSON based auth.

See usage for more details.

Authenticating via Workload Identity Federation

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - id: 'get-credentials'
      uses: 'google-github-actions/get-gke-credentials@v0'
      with:
        cluster_name: 'my-cluster'
        location: 'us-central1-a'

Authenticating via Service Account Key JSON

jobs:
  job_id:
    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        credentials_json: '${{ secrets.gcp_credentials }}'

    - id: 'get-credentials'
      uses: 'google-github-actions/get-gke-credentials@v0'
      with:
        cluster_name: 'my-cluster'
        location: 'us-central1-a'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    - id: 'get-credentials'
      uses: 'google-github-actions/get-gke-credentials@v0'
      with:
        cluster_name: 'my-cluster'
        location: 'us-central1-a'

The action will automatically detect and use the Application Default Credentials.

Versioning

We recommend pinning to the latest available major version:

- uses: 'google-github-actions/get-gke-credentials@v0'

While this action attempts to follow semantic versioning, but we're ultimately human and sometimes make mistakes. To prevent accidental breaking changes, you can also pin to a specific version:

- uses: 'google-github-actions/[email protected]'

However, you will not get automatic security updates or new features without explicitly updating your version number. Note that we only publish MAJOR and MAJOR.MINOR.PATCH versions. There is not a floating alias for MAJOR.MINOR.

About

This action configures authentication to a GKE cluster.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages

  • TypeScript 92.8%
  • JavaScript 7.2%