From 41eb9f5f627f6c803febe0f8bcd468d328651f8a Mon Sep 17 00:00:00 2001 From: eksrha <58111764+eksrha@users.noreply.github.com> Date: Wed, 22 Feb 2023 20:59:03 +0100 Subject: [PATCH 1/3] feat: add extended proxy support --- README.md | 88 +++++++++++++++++-- images/base/helper-scripts/detect-setup.sh | 6 +- images/base/helper-scripts/gh-entrypoint.sh | 94 ++++++++++++++------- 3 files changed, 150 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index 7c7d16a..e48d1d1 100644 --- a/README.md +++ b/README.md 
@@ -43,16 +43,94 @@ Available Tags: For the helm values see the [values.yaml](https://github.com/fullstack-devops/helm-charts/blob/main/charts/github-actions-runner/values.yaml), section `envValues` -| Variable | Type | Default | Description | -| ----------------- | ------ | ------------------------ | -------------------------------------------------------------------- | -| `GH_URL` | string | `https://github.com` | For GitHub Enterprise support | -| `GH_API_ENDPOINT` | string | `https://api.github.com` | For GitHub Enterprise support eg.: `https://git.example.com/api/v3/` | -| `KANIKO_ENABLED` | bool | `false` | enable builds with kaniko (works only with kaniko-sidecar) | +| Variable | Type | Default | Description | +| ------------------------ | ------ | ------------------------ | ------------------------------------------------------------------------- | +| `GH_URL` | string | `https://github.com` | For GitHub Enterprise support | +| `GH_API_ENDPOINT` | string | `https://api.github.com` | For GitHub Enterprise support eg.: `https://git.example.com/api/v3/` | +| `KANIKO_ENABLED` | bool | `false` | enable builds with kaniko (works only with kaniko-sidecar) | +| `PROXY_PAC` | string | - | proxy pac file url | +| `PROXY_NTLM_CREDENTIALS` | string | - | (required when `PROXY_PAC` is set) credentials when connecting with proxy | --- +## Proxy Support + +The way out ;) + +- Getting the Software to create the Credentials: https://github.com/samuong/alpaca/releases +- Creating your NTML Cerdentials `alpaca -d -u -H` +- Set the env variables `PROXY_PAC` and `PROXY_NTLM_CREDENTIALS` in your container, pod or helm-chart +- If you want to use the proxy service in your github-action checkout the examples + ## Examples +### Proxy in github actions + +#### for only one step + +```yaml +name: Deploy from internet + +on: + +jobs: + add-helm-chart: + runs-on: [self-hosted, ansible] # look for default tags or your own + steps: + - name: Checkout code + uses: actions/checkout@v3 + + 
- name: check helm chart + env: + http_proxy: http://localhost:3128 + https_proxy: http://localhost:3128 + no_proxy: "197.0.0.0/8,*.internal.net" # replace with you internal reachable adresses + run: | + helm repo add fs-devops https://fullstack-devops.github.io/helm-charts/ + helm repo add sonatype https://sonatype.github.io/helm3-charts/ + + - name: do something here + + - name: remove check helm chart + if: always() + run: | + helm repo remove fs-devops + helm repo remove sonatype +``` + +#### for whole workflow + +```yaml +name: Deploy from internet + +on: + +env: + http_proxy: http://localhost:3128 + https_proxy: http://localhost:3128 + no_proxy: "197.0.0.0/8,*.internal.net" # replace with you internal reachable adresses + +jobs: + add-helm-chart: + runs-on: [self-hosted, ansible] # look for default tags or your own + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: check helm chart + run: | + helm repo add fs-devops https://fullstack-devops.github.io/helm-charts/ + helm repo add sonatype https://sonatype.github.io/helm3-charts/ + + - name: do something here + + - name: remove check helm chart + if: always() + run: | + helm repo remove fs-devops + helm repo remove sonatype +``` + ### docker If you are using `docker` or `podman` the options and commands are basically the same. diff --git a/images/base/helper-scripts/detect-setup.sh b/images/base/helper-scripts/detect-setup.sh index a8f58d2..55f11c6 100755 --- a/images/base/helper-scripts/detect-setup.sh +++ b/images/base/helper-scripts/detect-setup.sh @@ -1,7 +1,6 @@ #!/bin/bash CA_FILE="/etc/ssl/certs/ca-certificates.crt" -CUSTOM_CA_FILE="/etc/ssl/certs/custom/ca-certificates.crt" importCertOldJava () { alias=$(openssl x509 -noout -subject -in "$1" | awk -F= '{print $NF}' | sed -e 's/^[ \t]*//' | sed -e 's/ /_/g') 
@@ -15,9 +14,8 @@ importCertNewJava () { keytool -importcert -alias $alias -cacerts -storepass changeit -file $1 -noprompt -trustcacerts } -# merge custom ca file -if [ -f "$CA_FILE" ]; then - cat $CUSTOM_CA_FILE >> $CA_FILE +if test -r $CA_FILE; then + echo "[WARN] no permissions on $CA_FILE" fi # yarn diff --git a/images/base/helper-scripts/gh-entrypoint.sh b/images/base/helper-scripts/gh-entrypoint.sh index 8e1f866..68c19a9 100755 --- a/images/base/helper-scripts/gh-entrypoint.sh +++ b/images/base/helper-scripts/gh-entrypoint.sh 
@@ -1,22 +1,56 @@ #!/bin/bash +echo "#####################" +echo "Running entrypoint.sh" +echo "" + # connection details -last_char="${GH_URL: -1}" -[[ $last_char == "/" ]] && GH_URL="${GH_URL::-1}" -readonly _GH_URL="${GH_URL:-https://github.com}" +if [ -n "$GH_URL" ]; then + last_char="${GH_URL: -1}" + [[ $last_char == "/" ]] && GH_URL="${GH_URL::-1}" + readonly _GH_URL="$GH_URL" + echo "Using custom GitHub enterprise instance: $_GH_URL" +else + readonly _GH_URL="https://github.com" + echo "Using default GitHub instance: $_GH_URL" +fi + +if [ -n "$GH_API_ENDPOINT" ]; then + last_char="${GH_API_ENDPOINT: -1}" + [[ $last_char == "/" ]] && GH_API_ENDPOINT="${GH_API_ENDPOINT::-1}" + readonly _GH_API_ENDPOINT="$GH_API_ENDPOINT" + echo "Using custom api url: $_GH_API_ENDPOINT" +else + # if GH_API_ENDPOINT not specified but GH_URL + if [ -n "$GH_URL" ]; then + readonly _GH_API_ENDPOINT="$_GH_URL/api/v3" + echo "Using custom GitHub instance with default api url: $_GH_API_ENDPOINT" + else + readonly _GH_API_ENDPOINT="https://api.github.com" + echo "Using default GitHub instance: $_GH_API_ENDPOINT" + fi +fi -last_char="${GH_API_ENDPOINT: -1}" -[[ $last_char == "/" ]] && GH_API_ENDPOINT="${GH_API_ENDPOINT::-1}" -readonly _GH_API_ENDPOINT="${GH_API_ENDPOINT:-https://api.github.com}" +# proxy support +if [ -n "$PROXY_PAC" ]; then + echo "Using configured Proxy PAC" + if [ ! -n "$PROXY_NTLM_CREDENTIALS" ]; then + echo "Please provide the Environment Variable 'PROXY_NTLM_CREDENTIALS'" + exit 255 + fi + NTLM_CREDENTIALS="$PROXY_NTLM_CREDENTIALS" alpaca -C "$PROXY_PAC" 2>&1 1>/dev/null & + unset PROXY_NTLM_CREDENTIALS + echo $! 
>/tmp/proxy_pid +fi # Org/ Repo details if [ -n "$GH_ORG" ]; then readonly RUNNER_URL="${_GH_URL}/${GH_ORG}" readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/orgs/${GH_ORG}/actions/runners/registration-token" -elif [ -n "$GH_ORG" ] && [ -n "$GH_REPO" ]; then + elif [ -n "$GH_ORG" ] && [ -n "$GH_REPO" ]; then readonly RUNNER_URL="${_GH_URL}/${GH_ORG}/${GH_REPO}" readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/repos/${GH_ORG}/${GH_REPO}/actions/runners/registration-token" -elif [ -n "$GH_ENTERPRISE" ]; then + elif [ -n "$GH_ENTERPRISE" ]; then readonly RUNNER_URL="${_GH_URL}/${GH_ENTERPRISE}" readonly RUNNER_REG_TOKEN_URL="${_GH_API_ENDPOINT}/enterprises/${GH_ENTERPRISEs}/actions/runners/registration-token" else @@ -30,7 +64,7 @@ fi # access details if [ ! -z "$RUNNER_TOKEN" ]; then readonly REG_TOKEN=$RUNNER_TOKEN -elif [ ! -z $GH_ACCESS_TOKEN ]; then + elif [ ! -z $GH_ACCESS_TOKEN ]; then readonly REG_TOKEN=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output) else echo "Please provide one of the Environment Variables:" 
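Review bot: The proxy block starts `alpaca` in the background and continues immediately; nothing verifies that the binary exists or that the process is still alive before the runner is configured, so a missing binary, an unreachable PAC URL or rejected credentials leaves the runner without a proxy and, once both streams go to /dev/null as patch 3 arranges, without any diagnostic. Guard it with `command -v alpaca >/dev/null 2>&1 || { echo "alpaca not installed"; exit 255; }` before the launch and `sleep 1; kill -0 "$!" 2>/dev/null || { echo "proxy failed to start"; exit 255; }` after it. The same block reappears in the last hunk of patch 3, where this note applies equally. The credential test reads more naturally as `[ -z "$PROXY_NTLM_CREDENTIALS" ]`. Unrelated to this change, the context line `${GH_ENTERPRISEs}` in the enterprise branch looks like a typo for `${GH_ENTERPRISE}`.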
@@ -40,43 +74,45 @@ fi if [ -z ${RUNNER_HOME} ]; then echo "Environment variable 'RUNNER_HOME' is not set" - exit 1 + exit 255 fi if [ "$KANIKO_ENABLED" == "true" ]; then readonly GH_WORKDIR=$GH_KANIKO_WORKDIR - echo "Build container via Kaniko: enabled" + echo "Build container via Kaniko: enabled" GH_RUNNER_LABELS="${GH_RUNNER_LABELS},kaniko" else readonly GH_WORKDIR=$GH_RUNNER_WORKDIR - echo "Build container via Kaniko: disabled" + echo "Build container via Kaniko: disabled" fi -echo "Connecting runner to: $RUNNER_URL" -echo "Individual Runner Name: $HOSTNAME" -echo "Runner Home: $RUNNER_HOME" - -echo "Running setup fpr installed software..." +echo "Connecting runner to: $RUNNER_URL" +echo "Individual Runner Name: $HOSTNAME" +echo "Runner Home: $RUNNER_HOME" +echo "" +echo "Running setup for installed software..." /helper-scripts/detect-setup.sh +echo "configure GitHub runner" ${RUNNER_HOME}/config.sh \ - --name $HOSTNAME \ - --token $REG_TOKEN \ - --work $GH_WORKDIR \ - --url "$RUNNER_URL" \ - --labels $GH_RUNNER_LABELS \ - --unattended \ - --replace -echo "Runner configured" +--name $HOSTNAME \ +--token $REG_TOKEN \ +--work $GH_WORKDIR \ +--url "$RUNNER_URL" \ +--labels $GH_RUNNER_LABELS \ +--runnergroup ${GH_RUNNER_GROUP:-'default'} \ +--unattended \ +--replace +echo "GitHub runner configured" cleanup() { echo "Removing runner..." if [ ! -z "$RUNNER_TOKEN" ]; then - readonly REG_TOKEN=$RUNNER_TOKEN - elif [ ! -z $GH_ACCESS_TOKEN ]; then - readonly REG_TOKEN=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output) + readonly REG_TOKEN_RM=$RUNNER_TOKEN + elif [ ! 
-z $GH_ACCESS_TOKEN ]; then + readonly REG_TOKEN_RM=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: token $GH_ACCESS_TOKEN" $RUNNER_REG_TOKEN_URL | jq .token --raw-output) fi - ${RUNNER_HOME}/config.sh remove --token ${REG_TOKEN} + ${RUNNER_HOME}/config.sh remove --token ${REG_TOKEN_RM} exit 1 } From 064afc3d38a3e1929af38df87716140388c28e9a Mon Sep 17 00:00:00 2001 From: eksrha <58111764+eksrha@users.noreply.github.com> Date: Wed, 22 Feb 2023 21:09:17 +0100 Subject: [PATCH 2/3] fix ident --- images/base/helper-scripts/gh-entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/images/base/helper-scripts/gh-entrypoint.sh b/images/base/helper-scripts/gh-entrypoint.sh index 68c19a9..cfe3c19 100755 --- a/images/base/helper-scripts/gh-entrypoint.sh +++ b/images/base/helper-scripts/gh-entrypoint.sh @@ -86,9 +86,9 @@ else echo "Build container via Kaniko: disabled" fi -echo "Connecting runner to: $RUNNER_URL" -echo "Individual Runner Name: $HOSTNAME" -echo "Runner Home: $RUNNER_HOME" +echo "Connecting runner to: $RUNNER_URL" +echo "Individual Runner Name: $HOSTNAME" +echo "Runner Home: $RUNNER_HOME" echo "" echo "Running setup for installed software..." /helper-scripts/detect-setup.sh From f4821722a1116762a3f39fb400749258914178a5 Mon Sep 17 00:00:00 2001 From: eksrha <58111764+eksrha@users.noreply.github.com> Date: Wed, 22 Feb 2023 21:23:41 +0100 Subject: [PATCH 3/3] fix piping of proxy --- images/base/helper-scripts/gh-entrypoint.sh | 26 +++++++++++---------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/images/base/helper-scripts/gh-entrypoint.sh b/images/base/helper-scripts/gh-entrypoint.sh index cfe3c19..0529a91 100755 --- a/images/base/helper-scripts/gh-entrypoint.sh +++ b/images/base/helper-scripts/gh-entrypoint.sh 
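Review bot: cleanup() is rewritten to fetch its own REG_TOKEN_RM but still never stops the alpaca proxy whose pid the new proxy block writes to /tmp/proxy_pid, so the proxy outlives the deregistered runner; add `[ -r /tmp/proxy_pid ] && kill "$(cat /tmp/proxy_pid)" 2>/dev/null` before the `exit 1`. The new `--runnergroup ${GH_RUNNER_GROUP:-'default'}` is unquoted, so a group name containing whitespace is split into several arguments; write it as `--runnergroup "${GH_RUNNER_GROUP:-default}"`. The other config.sh arguments (`--token $REG_TOKEN`, `--labels $GH_RUNNER_LABELS`) were only re-indented here but carry the same quoting risk. Whatever installs the trap that invokes cleanup() is outside this hunk.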
@@ -31,18 +31,6 @@ else fi fi -# proxy support -if [ -n "$PROXY_PAC" ]; then - echo "Using configured Proxy PAC" - if [ ! -n "$PROXY_NTLM_CREDENTIALS" ]; then - echo "Please provide the Environment Variable 'PROXY_NTLM_CREDENTIALS'" - exit 255 - fi - NTLM_CREDENTIALS="$PROXY_NTLM_CREDENTIALS" alpaca -C "$PROXY_PAC" 2>&1 1>/dev/null & - unset PROXY_NTLM_CREDENTIALS - echo $! >/tmp/proxy_pid -fi - # Org/ Repo details if [ -n "$GH_ORG" ]; then readonly RUNNER_URL="${_GH_URL}/${GH_ORG}" @@ -89,6 +77,20 @@ fi echo "Connecting runner to: $RUNNER_URL" echo "Individual Runner Name: $HOSTNAME" echo "Runner Home: $RUNNER_HOME" +echo "" + +# proxy support +if [ -n "$PROXY_PAC" ]; then + echo "Using configured Proxy PAC" + if [ ! -n "$PROXY_NTLM_CREDENTIALS" ]; then + echo "Please provide the Environment Variable 'PROXY_NTLM_CREDENTIALS'" + exit 255 + fi + NTLM_CREDENTIALS="$PROXY_NTLM_CREDENTIALS" alpaca -C "$PROXY_PAC" >/dev/null 2>&1 & + unset PROXY_NTLM_CREDENTIALS + echo $! >/tmp/proxy_pid +fi + echo "" echo "Running setup for installed software..." /helper-scripts/detect-setup.sh