
Commit 3f8599b

committed
use envsubst
1 parent c64a7b4 commit 3f8599b


5 files changed

+128
-128
lines changed

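--- /dev/null
+++ b/.github/pr-deployments/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: pr${PR_NUMBER}-tls
+namespace: pr-deployment-certs
+spec:
+secretName: pr${PR_NUMBER}-tls
+issuerRef:
+name: letsencrypt
+kind: ClusterIssuer
+dnsNames:
+- "${PR_DEPLOYMENT_ACCESS_URL}"
+- "*.{$PR_DEPLOYMENT_ACCESS_URL}"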
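Review bot: The wildcard SAN on the last line is misspelt as `*.{$PR_DEPLOYMENT_ACCESS_URL}` — the braces sit outside the `$`, so envsubst expands only `$PR_DEPLOYMENT_ACCESS_URL` and the literal braces survive into the rendered dnsName (something like `*.{pr123.example.com}`), which is not a valid DNS identifier and will be rejected either by cert-manager's validation or by the ACME issuer, leaving the `wildcardHost` ingress in values.yaml without a certificate. The heredoc this replaces used `*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}`, so this is a regression introduced by the move to a template file. Change it to `- "*.${PR_DEPLOYMENT_ACCESS_URL}"`, matching the first-level entry above it. A one-line header such as `# Rendered with envsubst by .github/workflows/pr-deploy.yaml; expects PR_NUMBER and PR_DEPLOYMENT_ACCESS_URL in the environment (unset variables expand to "")` would make the template's contract explicit, since nothing else validates it.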
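--- /dev/null
+++ b/.github/pr-deployments/kubeconfig.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+certificate-authority-data: $CLUSTER_CA
+server: $CLUSTER_ENDPOINT
+name: pr${PR_NUMBER}
+contexts:
+- context:
+cluster: pr${PR_NUMBER}
+namespace: pr${PR_NUMBER}
+user: coder-workspace
+name: pr${PR_NUMBER}
+current-context: pr${PR_NUMBER}
+users:
+- name: coder-workspace
+user:
+token: $TOKEN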
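Review bot: `certificate-authority-data: $CLUSTER_CA` and `token: $TOKEN` are rendered by envsubst, which substitutes an unset or unexported variable with the empty string, so a missing value silently produces `token:` (a YAML null) and the resulting kubeconfig only fails later, inside a workspace, with an unauthenticated error far from the cause. Quote both credentials (`certificate-authority-data: "$CLUSTER_CA"`, `token: "$TOKEN"`) so an empty expansion at least stays a string, and have the rendering step refuse to continue when `TOKEN` is empty. Also add a header comment stating what this file is and what it needs, e.g. `# envsubst template for the per-PR workspace kubeconfig; requires CLUSTER_CA, CLUSTER_ENDPOINT, PR_NUMBER and TOKEN to be exported by .github/workflows/pr-deploy.yaml` — the comment that described this in the workflow did not move along with the YAML. Note the token this embeds is presumably the non-expiring service-account-token Secret created in rbac.yaml, so the kubeconfig is a long-lived credential and should be treated as such wherever it is stored.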

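--- /dev/null
+++ b/.github/pr-deployments/rbac.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: coder-workspace
+namespace: pr${PR_NUMBER}
+secrets:
+- name: coder-workspace-token
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: coder-workspace
+namespace: pr${PR_NUMBER}
+rules:
+- apiGroups: ["*"]
+resources: ["*"]
+verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: coder-workspace
+namespace: pr${PR_NUMBER}
+subjects:
+- kind: ServiceAccount
+name: coder-workspace
+namespace: pr${PR_NUMBER}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: coder-workspace
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: coder-workspace-token
+namespace: pr${PR_NUMBER}
+annotations:
+kubernetes.io/service-account.name: coder-workspace
+type: kubernetes.io/service-account-token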
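Review bot: The Role's `apiGroups: ["*"]` / `resources: ["*"]` / `verbs: ["*"]` rule gives the workspace full read access to every Secret in the PR namespace, which per values.yaml includes `coder-db-url` and `coder-namespace-kubeconfig`, plus the Coder Deployment spec that carries `CODER_OAUTH2_GITHUB_CLIENT_SECRET` as a plain env value, so anyone who can open a workspace in the preview can lift those credentials; the credential bound to it is also a non-expiring `kubernetes.io/service-account-token` Secret rather than a time-limited token from `kubectl create token`. This is the same grant the inline heredoc made, but the explanatory line that justified it in the workflow was dropped in the move; carry it over as a header, `# Grants the workspace full access to its own PR namespace (used from inside the workspace via the generated kubeconfig)`, and, if the workspace template only manages its own workloads, narrow `resources` to the kinds it actually touches. The `secrets:` list on the ServiceAccount is the legacy auto-mount field and is redundant with the annotated Secret below — presumably harmless, but worth a comment or removal so the next reader does not assume it is what issues the token.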

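--- /dev/null
+++ b/.github/pr-deployments/values.yaml
@@ -0,0 +1,45 @@
+coder:
+image:
+repo: ${REPO}
+tag: pr${PR_NUMBER}
+pullPolicy: Always
+service:
+type: ClusterIP
+ingress:
+enable: true
+className: traefik
+host: ${PR_DEPLOYMENT_ACCESS_URL}
+wildcardHost: "*.${PR_DEPLOYMENT_ACCESS_URL}"
+tls:
+enable: true
+secretName: pr${PR_NUMBER}-tls
+wildcardSecretName: pr${PR_NUMBER}-tls
+volumes:
+- name: coder-namespace-kubeconfig
+secret:
+secretName: coder-namespace-kubeconfig
+volumeMounts:
+- name: coder-namespace-kubeconfig
+mountPath: /home/coder/.kube/config
+subPath: kubeconfig
+readOnly: true
+env:
+- name: "CODER_ACCESS_URL"
+value: "https://${PR_DEPLOYMENT_ACCESS_URL}"
+- name: "CODER_WILDCARD_ACCESS_URL"
+value: "*.${env.PR_DEPLOYMENT_ACCESS_URL}"
+- name: "CODER_EXPERIMENTS"
+value: "${EXPERIMENTS}"
+- name: CODER_PG_CONNECTION_URL
+valueFrom:
+secretKeyRef:
+name: coder-db-url
+key: url
+- name: "CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS"
+value: "true"
+- name: "CODER_OAUTH2_GITHUB_CLIENT_ID"
+value: "${PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID}"
+- name: "CODER_OAUTH2_GITHUB_CLIENT_SECRET"
+value: "${PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET}"
+- name: "CODER_OAUTH2_GITHUB_ALLOWED_ORGS"
+value: "coder"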
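Review bot: The `CODER_WILDCARD_ACCESS_URL` entry still carries GitHub-expression syntax, `"*.${env.PR_DEPLOYMENT_ACCESS_URL}"`; `env.PR_DEPLOYMENT_ACCESS_URL` is not a valid shell identifier, so envsubst leaves the reference verbatim and Coder is started with a literal `*.${env.PR_DEPLOYMENT_ACCESS_URL}` wildcard URL while the ingress `wildcardHost` a few lines up is rendered correctly. The removed heredoc had `*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}` here, so this is a conversion slip; it should read `value: "*.${PR_DEPLOYMENT_ACCESS_URL}"`, consistent with the `CODER_ACCESS_URL` entry directly above. Unchanged by this commit but worth a follow-up: the GitHub OAuth client secret is rendered as a plain `value:` into a values file on the runner and from there into the Deployment spec, where the wildcard Role in rbac.yaml can read it; a `valueFrom.secretKeyRef` like the one already used for `CODER_PG_CONNECTION_URL` would keep it out of both.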

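--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -266,21 +266,7 @@ jobs:
 # we are doing this to avoid letsenrypt rate limits
 if ! kubectl get certificate pr${{ env.PR_NUMBER }}-tls -n pr-deployment-certs > /dev/null 2>&1; then
 echo "Certificate doesn't exist. Creating a new one."
-cat <<EOF | kubectl apply -f -
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-name: pr${{ env.PR_NUMBER }}-tls
-namespace: pr-deployment-certs
-spec:
-secretName: pr${{ env.PR_NUMBER }}-tls
-issuerRef:
-name: letsencrypt
-kind: ClusterIssuer
-dnsNames:
-- "${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
-- "*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
-EOF
+envsubst < ./.github/pr-deployments/certificate.yaml | kubectl apply -f -
 else
 echo "Certificate exists. Skipping certificate creation."
 fi
@@ -311,55 +297,10 @@ jobs:
 
 - name: Create a kubeconfig for the workspace
 if: needs.get_info.outputs.NEW == 'true'
-# This service account will be used to grant full access to the namespace from the workspace
 run: |
 set -euo pipefail
 # Create service account, role, rolebinding and secret
-cat <<EOF | kubectl apply -f -
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-secrets:
-- name: coder-workspace-token
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-rules:
-- apiGroups: ["*"]
-resources: ["*"]
-verbs: ["*"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-subjects:
-- kind: ServiceAccount
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: Role
-name: coder-workspace
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-name: coder-workspace-token
-namespace: pr${{ env.PR_NUMBER }}
-annotations:
-kubernetes.io/service-account.name: coder-workspace
-type: kubernetes.io/service-account-token
-EOF
+envsubst < ./.github/pr-deployments/rbac.yaml | kubectl -n pr${{ env.PR_NUMBER }} apply -f -
 
 # Get the token for the service account
 TOKEN=$(kubectl -n pr${{ env.PR_NUMBER }} get secret coder-workspace-token -o jsonpath='{.data.token}' | base64 --decode)
@@ -369,80 +310,20 @@ jobs:
 CLUSTER_ENDPOINT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')
 
 # Create a kubeconfig for the namespace to be used in the workspace
-cat <<EOF > namespace-kubeconfig.yaml
-apiVersion: v1
-kind: Config
-clusters:
-- cluster:
-certificate-authority-data: $CLUSTER_CA
-server: $CLUSTER_ENDPOINT
-name: pr${{ env.PR_NUMBER }}
-contexts:
-- context:
-cluster: pr${{ env.PR_NUMBER }}
-namespace: pr${{ env.PR_NUMBER }}
-user: coder-workspace
-name: pr${{ env.PR_NUMBER }}
-current-context: pr${{ env.PR_NUMBER }}
-users:
-- name: coder-workspace
-user:
-token: $TOKEN
-EOF
+envsubst < ./.github/pr-deployments/kubeconfig.yaml > ./namespace-kubeconfig.yaml
 
 # Create a secret from the kubeconfig
 kubectl create secret generic coder-namespace-kubeconfig -n pr${{ env.PR_NUMBER }} --from-file=kubeconfig=./namespace-kubeconfig.yaml
 
 - name: Create values.yaml
 if: github.event_name == 'workflow_dispatch'
+env:
+EXPERIMENTS: ${{ github.event.inputs.experiments }}
+PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}
+PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}
 run: |
-cat <<EOF > pr-deploy-values.yaml
-coder:
-image:
-repo: ${{ env.REPO }}
-tag: pr${{ env.PR_NUMBER }}
-pullPolicy: Always
-service:
-type: ClusterIP
-ingress:
-enable: true
-className: traefik
-host: ${{ env.PR_DEPLOYMENT_ACCESS_URL }}
-wildcardHost: "*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
-tls:
-enable: true
-secretName: pr${{ env.PR_NUMBER }}-tls
-wildcardSecretName: pr${{ env.PR_NUMBER }}-tls
-volumes:
-- name: coder-namespace-kubeconfig
-secret:
-secretName: coder-namespace-kubeconfig
-volumeMounts:
-- name: coder-namespace-kubeconfig
-mountPath: /home/coder/.kube/config
-subPath: kubeconfig
-readOnly: true
-env:
-- name: "CODER_ACCESS_URL"
-value: "https://${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
-- name: "CODER_WILDCARD_ACCESS_URL"
-value: "*.${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
-- name: "CODER_EXPERIMENTS"
-value: "${{ github.event.inputs.experiments }}"
-- name: CODER_PG_CONNECTION_URL
-valueFrom:
-secretKeyRef:
-name: coder-db-url
-key: url
-- name: "CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS"
-value: "true"
-- name: "CODER_OAUTH2_GITHUB_CLIENT_ID"
-value: "${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_ID }}"
-- name: "CODER_OAUTH2_GITHUB_CLIENT_SECRET"
-value: "${{ secrets.PR_DEPLOYMENTS_GITHUB_OAUTH_CLIENT_SECRET }}"
-- name: "CODER_OAUTH2_GITHUB_ALLOWED_ORGS"
-value: "coder"
-EOF
+set -euo pipefail
+envsubst < ./.github/pr-deployments/values.yaml > ./pr-deploy-values.yaml
 
 - name: Install/Upgrade Helm chart
 run: |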
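Review bot: In the third hunk, `envsubst < ./.github/pr-deployments/kubeconfig.yaml > ./namespace-kubeconfig.yaml` runs as a child process and therefore sees only exported environment variables, but `TOKEN` and `CLUSTER_ENDPOINT` are plain shell assignments earlier in the same `run:` script (`TOKEN=$(kubectl ... )`, `CLUSTER_ENDPOINT=$(kubectl config view ...)`) and no `export` is visible in the hunk — `CLUSTER_CA` is presumably set in the lines between the second and third hunk, which I cannot see. Unless they are exported there, the rendered kubeconfig will carry an empty token and CA, a failure the replaced heredoc could not have because the shell expanded `$TOKEN` itself, and the job will still succeed because `set -e` does not catch an empty substitution. Add `export TOKEN CLUSTER_CA CLUSTER_ENDPOINT` before the envsubst line, guard it with `[ -n "$TOKEN" ] || { echo "empty service-account token" >&2; exit 1; }`, and restrict substitution to the intended names so nothing else in the template is rewritten: `envsubst '$CLUSTER_CA $CLUSTER_ENDPOINT $PR_NUMBER $TOKEN' < ./.github/pr-deployments/kubeconfig.yaml > ./namespace-kubeconfig.yaml`. The same variable-list form is worth applying to the certificate, rbac and values invocations in the other hunks. The enclosing `run:` script continues outside the hunk.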
