feat: add extended proxy support #62

Merged
merged 3 commits into from
Feb 22, 2023
88 changes: 83 additions & 5 deletions README.md
Expand Up @@ -43,16 +43,94 @@ Available Tags:

For the helm values see the [values.yaml](https://github.com/fullstack-devops/helm-charts/blob/main/charts/github-actions-runner/values.yaml), section `envValues`

| Variable | Type | Default | Description |
| ----------------- | ------ | ------------------------ | -------------------------------------------------------------------- |
| `GH_URL` | string | `https://github.com` | For GitHub Enterprise support |
| `GH_API_ENDPOINT` | string | `https://api.github.com` | For GitHub Enterprise support eg.: `https://git.example.com/api/v3/` |
| `KANIKO_ENABLED` | bool | `false` | enable builds with kaniko (works only with kaniko-sidecar) |
| Variable | Type | Default | Description |
| ------------------------ | ------ | ------------------------ | ------------------------------------------------------------------------- |
| `GH_URL` | string | `https://github.com` | For GitHub Enterprise support |
| `GH_API_ENDPOINT` | string | `https://api.github.com` | For GitHub Enterprise support eg.: `https://git.example.com/api/v3/` |
| `KANIKO_ENABLED` | bool | `false` | enable builds with kaniko (works only with kaniko-sidecar) |
| `PROXY_PAC` | string | - | proxy pac file url |
| `PROXY_NTLM_CREDENTIALS` | string | - | (required when `PROXY_PAC` is set) credentials when connecting with proxy |

---

## Proxy Support

The way out ;)

- Getting the Software to create the Credentials: https://github.com/samuong/alpaca/releases
- Creating your NTML Cerdentials `alpaca -d <windows-domain (optional)> -u <windows-user> -H`
- Set the env variables `PROXY_PAC` and `PROXY_NTLM_CREDENTIALS` in your container, pod or helm-chart
- If you want to use the proxy service in your github-action checkout the examples

## Examples

### Proxy in github actions

#### for only one step

```yaml
name: Deploy from internet

on:

jobs:
add-helm-chart:
runs-on: [self-hosted, ansible] # look for default tags or your own
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: check helm chart
env:
http_proxy: http://localhost:3128
https_proxy: http://localhost:3128
no_proxy: "197.0.0.0/8,*.internal.net" # replace with you internal reachable adresses
run: |
helm repo add fs-devops https://fullstack-devops.github.io/helm-charts/
helm repo add sonatype https://sonatype.github.io/helm3-charts/

- name: do something here

- name: remove check helm chart
if: always()
run: |
helm repo remove fs-devops
helm repo remove sonatype
```

#### for whole workflow

```yaml
name: Deploy from internet

on:

env:
http_proxy: http://localhost:3128
https_proxy: http://localhost:3128
no_proxy: "197.0.0.0/8,*.internal.net" # replace with you internal reachable adresses

jobs:
add-helm-chart:
runs-on: [self-hosted, ansible] # look for default tags or your own
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: check helm chart
run: |
helm repo add fs-devops https://fullstack-devops.github.io/helm-charts/
helm repo add sonatype https://sonatype.github.io/helm3-charts/

- name: do something here

- name: remove check helm chart
if: always()
run: |
helm repo remove fs-devops
helm repo remove sonatype
```

### docker

If you are using `docker` or `podman` the options and commands are basically the same.
6 changes: 2 additions & 4 deletions images/base/helper-scripts/detect-setup.sh
@@ -1,7 +1,6 @@
#!/bin/bash

CA_FILE="/etc/ssl/certs/ca-certificates.crt"
CUSTOM_CA_FILE="/etc/ssl/certs/custom/ca-certificates.crt"

importCertOldJava () {
alias=$(openssl x509 -noout -subject -in "$1" | awk -F= '{print $NF}' | sed -e 's/^[ \t]*//' | sed -e 's/ /_/g')
Expand All @@ -15,9 +14,8 @@ importCertNewJava () {
keytool -importcert -alias $alias -cacerts -storepass changeit -file $1 -noprompt -trustcacerts
}

# merge custom ca file
if [ -f "$CA_FILE" ]; then
cat $CUSTOM_CA_FILE >> $CA_FILE
if test -r $CA_FILE; then
echo "[WARN] no permissions on $CA_FILE"
fi

# yarn
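Review bot: The new check `if test -r $CA_FILE; then` followed by `echo "[WARN] no permissions on $CA_FILE"` is inverted: `test -r` succeeds when the file is readable, so the warning is printed exactly when access is fine and nothing is said when it is missing. The line it replaces appended to `$CA_FILE`, so the access that matters is presumably write access; I would use `if ! test -w "$CA_FILE"; then` (quoted, so a path with spaces does not split) and send the warning to stderr with `>&2`. The merge of `$CUSTOM_CA_FILE` into the system bundle is dropped without replacement in this hunk, so a one-line comment stating where custom CAs are now expected to be trusted (e.g. mounted over `$CA_FILE` directly) would save the next reader from assuming the merge still happens.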
94 changes: 66 additions & 28 deletions images/base/helper-scripts/gh-entrypoint.sh
@@ -1,22 +1,44 @@
#!/bin/bash

echo "#####################"
echo "Running entrypoint.sh"
echo ""

# connection details
last_char="${GH_URL: -1}"
[[ $last_char == "/" ]] && GH_URL="${GH_URL::-1}"
readonly _GH_URL="${GH_URL:-https://github.com}"
if [ -n "$GH_URL" ]; then
last_char="${GH_URL: -1}"
[[ $last_char == "/" ]] && GH_URL="${GH_URL::-1}"
readonly _GH_URL="$GH_URL"
echo "Using custom GitHub enterprise instance: $_GH_URL"
else
readonly _GH_URL="https://github.com"
echo "Using default GitHub instance: $_GH_URL"
fi

last_char="${GH_API_ENDPOINT: -1}"
[[ $last_char == "/" ]] && GH_API_ENDPOINT="${GH_API_ENDPOINT::-1}"
readonly _GH_API_ENDPOINT="${GH_API_ENDPOINT:-https://api.github.com}"
if [ -n "$GH_API_ENDPOINT" ]; then
last_char="${GH_API_ENDPOINT: -1}"
[[ $last_char == "/" ]] && GH_API_ENDPOINT="${GH_API_ENDPOINT::-1}"
readonly _GH_API_ENDPOINT="$GH_API_ENDPOINT"
echo "Using custom api url: $_GH_API_ENDPOINT"
else
# if GH_API_ENDPOINT not specified but GH_URL
if [ -n "$GH_URL" ]; then
readonly _GH_API_ENDPOINT="$_GH_URL/api/v3"
echo "Using custom GitHub instance with default api url: $_GH_API_ENDPOINT"
else
readonly _GH_API_ENDPOINT="https://api.github.com"
echo "Using default GitHub instance: $_GH_API_ENDPOINT"
fi
fi

# Org/ Repo details
if [ -n "$GH_ORG" ]; then
readonly RUNNER_URL="${_GH_URL}/${GH_ORG}"
readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/orgs/${GH_ORG}/actions/runners/registration-token"
elif [ -n "$GH_ORG" ] && [ -n "$GH_REPO" ]; then
elif [ -n "$GH_ORG" ] && [ -n "$GH_REPO" ]; then
readonly RUNNER_URL="${_GH_URL}/${GH_ORG}/${GH_REPO}"
readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/repos/${GH_ORG}/${GH_REPO}/actions/runners/registration-token"
elif [ -n "$GH_ENTERPRISE" ]; then
elif [ -n "$GH_ENTERPRISE" ]; then
readonly RUNNER_URL="${_GH_URL}/${GH_ENTERPRISE}"
readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/enterprises/${GH_ENTERPRISEs}/actions/runners/registration-token"
else
Expand All @@ -30,7 +52,7 @@ fi
# access details
if [ ! -z "$RUNNER_TOKEN" ]; then
readonly REG_TOKEN=$RUNNER_TOKEN
elif [ ! -z $GH_ACCESS_TOKEN ]; then
elif [ ! -z $GH_ACCESS_TOKEN ]; then
readonly REG_TOKEN=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output)
else
echo "Please provide one of the Environment Variables:"
Expand All @@ -40,43 +62,59 @@ fi

if [ -z ${RUNNER_HOME} ]; then
echo "Environment variable 'RUNNER_HOME' is not set"
exit 1
exit 255
fi

if [ "$KANIKO_ENABLED" == "true" ]; then
readonly GH_WORKDIR=$GH_KANIKO_WORKDIR
echo "Build container via Kaniko: enabled"
echo "Build container via Kaniko: enabled"
GH_RUNNER_LABELS="${GH_RUNNER_LABELS},kaniko"
else
readonly GH_WORKDIR=$GH_RUNNER_WORKDIR
echo "Build container via Kaniko: disabled"
echo "Build container via Kaniko: disabled"
fi

echo "Connecting runner to: $RUNNER_URL"
echo "Individual Runner Name: $HOSTNAME"
echo "Runner Home: $RUNNER_HOME"
echo "Connecting runner to: $RUNNER_URL"
echo "Individual Runner Name: $HOSTNAME"
echo "Runner Home: $RUNNER_HOME"
echo ""

# proxy support
if [ -n "$PROXY_PAC" ]; then
echo "Using configured Proxy PAC"
if [ ! -n "$PROXY_NTLM_CREDENTIALS" ]; then
echo "Please provide the Environment Variable 'PROXY_NTLM_CREDENTIALS'"
exit 255
fi
NTLM_CREDENTIALS="$PROXY_NTLM_CREDENTIALS" alpaca -C "$PROXY_PAC" >/dev/null 2>&1 &
unset PROXY_NTLM_CREDENTIALS
echo $! >/tmp/proxy_pid
fi

echo "Running setup fpr installed software..."
echo ""
echo "Running setup for installed software..."
/helper-scripts/detect-setup.sh

echo "configure GitHub runner"
${RUNNER_HOME}/config.sh \
--name $HOSTNAME \
--token $REG_TOKEN \
--work $GH_WORKDIR \
--url "$RUNNER_URL" \
--labels $GH_RUNNER_LABELS \
--unattended \
--replace
echo "Runner configured"
--name $HOSTNAME \
--token $REG_TOKEN \
--work $GH_WORKDIR \
--url "$RUNNER_URL" \
--labels $GH_RUNNER_LABELS \
--runnergroup ${GH_RUNNER_GROUP:-'default'} \
--unattended \
--replace
echo "GitHub runner configured"

cleanup() {
echo "Removing runner..."
if [ ! -z "$RUNNER_TOKEN" ]; then
readonly REG_TOKEN=$RUNNER_TOKEN
elif [ ! -z $GH_ACCESS_TOKEN ]; then
readonly REG_TOKEN=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output)
readonly REG_TOKEN_RM=$RUNNER_TOKEN
elif [ ! -z $GH_ACCESS_TOKEN ]; then
readonly REG_TOKEN_RM=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output)
fi
${RUNNER_HOME}/config.sh remove --token ${REG_TOKEN}
${RUNNER_HOME}/config.sh remove --token ${REG_TOKEN_RM}
exit 1
}

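Review bot: `unset PROXY_NTLM_CREDENTIALS` after starting `alpaca` keeps the hash out of the environment inherited by `config.sh` and the runner, but it does not remove it from the initial environment still readable in `/proc/<pid>/environ` for this shell and for the backgrounded `alpaca` process; any workflow step running as the same user can read both, and the value produced by `alpaca -H` is an NTLM hash that authenticates directly, so it should be treated as a password. I would document that limitation next to the `unset` (`# only stops inheritance; /proc/<pid>/environ of this shell and of alpaca still hold the hash`) and, if the image supports it, prefer reading the credential from a mounted secret file instead of the container environment. The proxy start is also unverified — alpaca's output goes to /dev/null and `$!` is recorded without checking it is alive — so a probe such as `sleep 1; kill -0 "$!" 2>/dev/null || { echo "alpaca failed to start" >&2; exit 255; }` before the PID is written would fail fast instead of letting every proxied step time out. `cleanup()` in this hunk never stops the proxy whose PID is written to `/tmp/proxy_pid`; adding `[ -s /tmp/proxy_pid ] && kill "$(cat /tmp/proxy_pid)" 2>/dev/null` there, before the runner is removed, closes that gap. Note that `/tmp/proxy_pid` is a fixed path writable by the same user, so a job can replace its contents before cleanup reads it; keeping the PID in a shell variable avoids that.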