
Added role for github runner for deploy to dev namespace, move rolebi…
…nding to code for github-runner deploy
Valentin Khramtsov committed Aug 23, 2024
1 parent 1686fa2 commit 68a0d2b
Showing 2 changed files with 50 additions and 32 deletions.
23 changes: 0 additions & 23 deletions terraform/modules/k8s-addons/eks-dev-namespace.tf
Expand Up @@ -12,27 +12,4 @@ module "dev_namespace" {
name = local.dev_namespace.namespace
network_policies = []

depends_on = [helm_release.gha_runner_scale_set]
}
resource "kubectl_manifest" "github_runner_role_binding" {
count = local.dev_namespace.enabled && local.gha_runner_scale_set_controller.enabled ? 1 : 0

yaml_body = <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: github-runner-role-binding
namespace: ${local.dev_namespace.namespace}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: gha-runner-scale-set-gha-rs-no-permission
namespace: ${module.gha_runner_scale_set_controller_namespace[0].name}
EOF

depends_on = [module.dev_namespace]
}

59 changes: 50 additions & 9 deletions terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf
@@ -1,13 +1,13 @@
locals {
gha_runner_scale_set = {
name = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].id
enabled = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].enabled
chart = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart
chart_version = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart_version
namespace = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].namespace
name = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].id
enabled = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].enabled
chart = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart
chart_version = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].chart_version
namespace = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].namespace
service_account_name = "gha-runner-scale-set-gha-rs-no-permission"
}
kube_github_runner_github_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "github_pat_token", "")
service_account_name = "gha-runner-scale-set-gha-rs-no-permission"
eks_oidc_provider_url = replace("${data.aws_eks_cluster.main.identity[0].oidc[0].issuer}" , "https://", "")

gha_runner_scale_set_values = <<VALUES
Expand All @@ -27,7 +27,7 @@ containerMode:
template:
spec:
serviceAccountName: ${local.service_account_name}
serviceAccountName: ${local.gha_runner_scale_set.service_account_name}
containers:
- name: runner
image: ghcr.io/actions/actions-runner:latest
Expand Down Expand Up @@ -61,7 +61,7 @@ metadata:
app.kubernetes.io/instance: gha-runner-scale-set
app.kubernetes.io/name: gha-runner-scale-set
app.kubernetes.io/part-of: gha-rs
name: ${local.service_account_name}
name: ${local.gha_runner_scale_set.service_account_name}
namespace: ${local.gha_runner_scale_set.namespace}
EOF

Expand Down Expand Up @@ -108,7 +108,7 @@ data "aws_iam_policy_document" "github_actions_runner_assume_role_policy" {
condition {
test = "StringEquals"
variable = "${local.eks_oidc_provider_url}:sub"
values = ["system:serviceaccount:${local.gha_runner_scale_set.namespace}:${local.service_account_name}"]
values = ["system:serviceaccount:${local.gha_runner_scale_set.namespace}:${local.gha_runner_scale_set.service_account_name}"]
}
}
}
Expand Down Expand Up @@ -140,3 +140,44 @@ data "aws_iam_policy_document" "github_actions_runner_policy" {
}
}

resource "kubectl_manifest" "github_runner_role" {
count = local.dev_namespace.enabled && local.gha_runner_scale_set_controller.enabled ? 1 : 0

yaml_body = <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: ${local.dev_namespace.namespace}
name: github-runner-deploy-role
rules:
- apiGroups: ["apps"]
resources: ["deployments","replicasets"]
verbs: ["*"]
- apiGroups: [""]
resources: ["services","secrets"]
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["*"]
EOF
}

resource "kubectl_manifest" "github_runner_role_binding" {
count = local.dev_namespace.enabled && local.gha_runner_scale_set_controller.enabled ? 1 : 0

yaml_body = <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: github-runner-role-binding
namespace: ${local.dev_namespace.namespace}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ${kubectl_manifest.github_runner_role[0].name}
subjects:
- kind: ServiceAccount
name: ${local.gha_runner_scale_set.service_account_name}
namespace: ${local.gha_runner_scale_set.namespace}
EOF
}
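Review bot: The new `github_runner_role` and `github_runner_role_binding` resources drop the `depends_on = [module.dev_namespace]` that the removed binding in eks-dev-namespace.tf carried, and since both only reference `local.dev_namespace.namespace` (a local, not a module output) Terraform cannot infer that the namespace must exist first, so a fresh apply may try to create the Role before the namespace does; add `depends_on = [module.dev_namespace]` to `github_runner_role` (the binding already orders after the role through `kubectl_manifest.github_runner_role[0].name`). Separately, `verbs: ["*"]` on `secrets` lets the runner enumerate and read every secret in the dev namespace and silently picks up any verb added in future API versions, which a deploy role does not need; enumerating what the pipeline actually uses, e.g. `verbs: ["get", "create", "update", "patch", "delete"]`, keeps the grant to deploying and leaves out `list`/`watch`. The `count` guard keys off `local.gha_runner_scale_set_controller.enabled` while the bound subject is the scale set's ServiceAccount, so when the controller is enabled but the scale set is not the binding presumably points at a ServiceAccount that does not exist — worth confirming against the guard on the ServiceAccount manifest and switching to `local.gha_runner_scale_set.enabled` if so.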
