
Commit 65f1e08

committed
update
1 parent 4d370f7 commit 65f1e08

1 file changed

+101
-54
lines changed


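--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -53,7 +53,7 @@ jobs:
 - name: Get PR number, title, and branch name
 id: pr_info
 run: |
-set -euxo pipefail
+set -e pipefail
 PR_NUMBER=${{ github.event.inputs.pr_number || github.event.pull_request.number }}
 PR_TITLE=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/coder/coder/pulls/$PR_NUMBER | jq -r '.title')
 PR_BRANCH=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/coder/coder/pulls/$PR_NUMBER | jq -r '.head.ref')
@@ -65,7 +65,7 @@ jobs:
 - name: Set required tags
 id: set_tags
 run: |
-set -euxo pipefail
+set -e pipefail
 echo "CODER_BASE_IMAGE_TAG=$CODER_BASE_IMAGE_TAG" >> $GITHUB_OUTPUT
 echo "CODER_IMAGE_TAG=$CODER_IMAGE_TAG" >> $GITHUB_OUTPUT
 env:
@@ -74,15 +74,15 @@ jobs:
 
 - name: Set up kubeconfig
 run: |
-set -euxo pipefail
+set -e pipefail
 mkdir -p ~/.kube
 echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG }}" > ~/.kube/config
 export KUBECONFIG=~/.kube/config
 
 - name: Check if the helm deployment already exists
 id: check_deployment
 run: |
-set -euxo pipefail
+set -e pipefail
 if helm status "pr${{ steps.pr_info.outputs.PR_NUMBER }}" --namespace "pr${{ steps.pr_info.outputs.PR_NUMBER }}" > /dev/null 2>&1; then
 echo "Deployment already exists. Skipping deployment."
 new=false
@@ -151,7 +151,7 @@ jobs:
 - name: Print number of changed files
 if: github.event_name == 'workflow_dispatch' || steps.check_deployment.outputs.NEW == 'false'
 run: |
-set -euxo pipefail
+set -e pipefail
 echo "Total number of changed files: ${{ steps.filter.outputs.all_count }}"
 echo "Number of ignored files: ${{ steps.filter.outputs.ignored_count }}"
 
@@ -193,7 +193,7 @@ jobs:
 
 - name: Build and push Linux amd64 Docker image
 run: |
-set -euxo pipefail
+set -e pipefail
 go mod download
 make gen/mark-fresh
 export DOCKER_IMAGE_NO_PREREQUISITES=true
@@ -224,15 +224,15 @@ jobs:
 steps:
 - name: Set up kubeconfig
 run: |
-set -euxo pipefail
+set -e pipefail
 mkdir -p ~/.kube
 echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG }}" > ~/.kube/config
 export KUBECONFIG=~/.kube/config
 
 - name: Check if image exists
 if: needs.get_info.outputs.NEW == 'true'
 run: |
-set -euxo pipefail
+set -e pipefail
 foundTag=$(curl -fsSL https://github.com/coder/coder/pkgs/container/coder-preview | grep -o ${{ env.CODER_IMAGE_TAG }} | head -n 1)
 if [ -z "$foundTag" ]; then
 echo "Image not found"
@@ -257,7 +257,7 @@ jobs:
 - name: Create PR namespace
 if: needs.get_info.outputs.NEW == 'true'
 run: |
-set -euxo pipefail
+set -e pipefail
 # try to delete the namespace, but don't fail if it doesn't exist
 kubectl delete namespace "pr${{ env.PR_NUMBER }}" || true
 kubectl create namespace "pr${{ env.PR_NUMBER }}"
@@ -312,6 +312,90 @@ jobs:
 kubectl create secret generic coder-db-url -n pr${{ env.PR_NUMBER }} \
 --from-literal=url="postgres://coder:coder@coder-db-postgresql.pr${{ env.PR_NUMBER }}.svc.cluster.local:5432/coder?sslmode=disable"
 
+- name: Create a kubeconfig for the workspace
+if: needs.get_info.outputs.NEW == 'true'
+# This service account will be used to grant full access to the namespace from the workspace
+run: |
+set -e pipefail
+# Create service account, role, rolebinding and secret
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: coder-workspace
+namespace: pr${{ env.PR_NUMBER }}
+secrets:
+- name: coder-workspace-token
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: coder-workspace
+namespace: pr${{ env.PR_NUMBER }}
+rules:
+- apiGroups: ["*"]
+resources: ["*"]
+verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: coder-workspace
+namespace: pr${{ env.PR_NUMBER }}
+subjects:
+- kind: ServiceAccount
+name: coder-workspace
+namespace: pr${{ env.PR_NUMBER }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: coder-workspace
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: coder-workspace-token
+namespace: pr${{ env.PR_NUMBER }}
+annotations:
+kubernetes.io/service-account.name: coder-workspace
+type: kubernetes.io/service-account-token
+EOF
+
+# Get the token for the service account
+TOKEN=$(kubectl -n pr${{ env.PR_NUMBER }} get secret coder-workspace-token -o jsonpath='{.data.token}' | base64 --decode)
+
+# get CLUSTER_CA and CLUSTER_ENDPOINT
+CLUSTER_CA=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')
+CLUSTER_ENDPOINT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')
+
+# Create a kubeconfig for the namespace to be used in the workspace
+cat <<EOF > namespace-kubeconfig.yaml
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+certificate-authority-data: $CLUSTER_CA
+server: $CLUSTER_ENDPOINT
+name: pr${{ env.PR_NUMBER }}
+contexts:
+- context:
+cluster: pr${{ env.PR_NUMBER }}
+namespace: pr${{ env.PR_NUMBER }}
+user: coder-workspace
+name: pr${{ env.PR_NUMBER }}
+current-context: pr${{ env.PR_NUMBER }}
+users:
+- name: coder-workspace
+user:
+token: $TOKEN
+EOF
+
+# Create a secret from the kubeconfig
+kubectl create secret generic coder-namespace-kubeconfig -n pr${{ env.PR_NUMBER }} --from-file=kubeconfig=./namespace-kubeconfig.yaml
+
 - name: Create values.yaml
 if: github.event_name == 'workflow_dispatch'
 run: |
@@ -332,6 +416,11 @@ jobs:
 enable: true
 secretName: pr${{ env.PR_NUMBER }}-tls
 wildcardSecretName: pr${{ env.PR_NUMBER }}-tls
+volumeMounts:
+- name: coder-namespace-kubeconfig
+mountPath: /home/coder/.kube/config
+subPath: kubeconfig
+readOnly: true
 env:
 - name: "CODER_ACCESS_URL"
 value: "https://${{ env.PR_DEPLOYMENT_ACCESS_URL }}"
@@ -356,7 +445,7 @@ jobs:
 
 - name: Install/Upgrade Helm chart
 run: |
-set -euxo pipefail
+set -e pipefail
 if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
 helm upgrade --install "pr${{ env.PR_NUMBER }}" ./helm \
 --namespace "pr${{ env.PR_NUMBER }}" \
@@ -384,7 +473,7 @@ jobs:
 - name: Get Coder binary
 if: needs.get_info.outputs.NEW == 'true'
 run: |
-set -euxo pipefail
+set -e pipefail
 
 DEST="${HOME}/coder"
 URL="https://${{ env.PR_DEPLOYMENT_ACCESS_URL }}/bin/coder-linux-amd64"
@@ -407,53 +496,11 @@ jobs:
 "${DEST}" version
 mv "${DEST}" /usr/local/bin/coder
 
-- name: Create a service account, role and rolebinding for coder-workspace
-if: needs.get_info.outputs.NEW == 'true'
-# This service account will be used to grant full access to the namespace from the workspace
-run: |
-set -euxo pipefail
-cat <<EOF | kubectl apply -f -
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-EOF
-cat <<EOF | kubectl apply -f -
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-rules:
-- apiGroups: ["*"]
-resources: ["*"]
-verbs: ["*"]
-EOF
-cat <<EOF | kubectl apply -f -
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-subjects:
-- kind: ServiceAccount
-name: coder-workspace
-namespace: pr${{ env.PR_NUMBER }}
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: Role
-name: coder-workspace
-EOF
-# Get the token for the service account
-TOKENNAME=$(kubectl -n your-namespace get serviceaccount/restricted-user -o=jsonpath='{.secrets[0].name}')
-TOKEN=$(kubectl -n your-namespace get secret $TOKENNAME -o=jsonpath='{.data.token}' | base64 -d)
-
 - name: Create first user, template and workspace
 if: needs.get_info.outputs.NEW == 'true'
 id: setup_deployment
 run: |
-set -euxo pipefail
+set -e pipefail
 
 # Create first user
 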
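Review bot: `set -e pipefail` (new line 319 in the "Create a kubeconfig for the workspace" step, and every other `set` line this commit changes in this file) does not enable pipefail — bash takes `pipefail` after `-e` as a positional parameter, so only `-e` is active and `-u` is dropped as well; pipelines such as `curl … | jq -r '.title'` and `kubectl get secret … | base64 --decode` will no longer fail when the first command errors, so an empty `$TOKEN` or `$PR_NUMBER` could be written silently into the generated kubeconfig. If the intent was only to drop `-x` so that the service-account token and kubeconfig contents are not echoed into the job log, the line should read `set -euo pipefail`. The step also leaves `namespace-kubeconfig.yaml`, which holds a long-lived token, in the runner workspace after the secret is created; adding `rm -f namespace-kubeconfig.yaml` after the `kubectl create secret … --from-file=…` line avoids it being picked up by later steps or artifact uploads. The "Create first user, template and workspace" step at the end of this hunk continues outside the hunk.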
