deckhouse.io and GitHub Actions controller
There is actions-runner-controller, which runs perfectly well on ordinary clusters.
But Deckhouse ships a modified cert-manager, which makes everything a little bit harder, and the setup as-is won't work.
Long story short, we are going to grab the given YAML files and split them into pieces.
We will need to create a self-signed certificate.
Before deploying the webhooks we need to add caBundle to them.
At the moment the current version is 0.20.2.
Before anything else we are going to create the namespace:
00_ns.yml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: controller-manager
  name: actions-runner-system

kubectl apply -f 00_ns.yml
Now we need certificates
ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
ca-csr.json
{
  "hosts": ["cluster.local"],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "UA",
      "L": "Kiev",
      "ST": "Kiev",
      "O": "rabota",
      "OU": "stage"
    }
  ]
}
Create certs
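# Start a shell in the cfssl image with the current directory mounted at /certs
docker run -it --rm -v "${PWD}:/certs" -w /certs --entrypoint=bash cfssl/cfssl

# The remaining commands run inside the container.
# /tmp is not mounted, so the CA key is discarded when the --rm container exits.
cfssl gencert -initca ca-csr.json | cfssljson -bare /tmp/ca

# Issue the webhook serving certificate for every DNS name of the service
cfssl gencert \
  -ca=/tmp/ca.pem \
  -ca-key=/tmp/ca-key.pem \
  -config=ca-config.json \
  -hostname="webhook-service,webhook-service.actions-runner-system,webhook-service.actions-runner-system.svc,webhook-service.actions-runner-system.svc.cluster.local,localhost,127.0.0.1" \
  -profile=server \
  ca-csr.json | cfssljson -bare /tmp/webhook-service

# Write the TLS secret manifest into the mounted directory
cat <<EOF > 01_secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: webhook-server-cert
  namespace: actions-runner-system
type: Opaque
data:
  tls.crt: $(cat /tmp/webhook-service.pem | base64 | tr -d '\n')
  tls.key: $(cat /tmp/webhook-service-key.pem | base64 | tr -d '\n')
EOF

# Single-line base64 of the CA certificate, used later as caBundle
openssl base64 -A <"/tmp/ca.pem" > caBundle.txt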
So now we have our 01_secret.yml, which we should apply.
01_secret.yml
apiVersion: v1
kind: Secret
metadata:
  name: webhook-server-cert
  namespace: actions-runner-system
type: Opaque
data:
  tls.crt: <base64 of /tmp/webhook-service.pem>
  tls.key: <base64 of /tmp/webhook-service-key.pem>

And we also need to create a secret with the GitHub App identifiers and private key:
kubectl apply -f 01_secret.yml
kubectl create secret generic controller-manager -n actions-runner-system --from-literal=github_app_id=123456 --from-literal=github_app_installation_id=12345678 --from-file=github_app_private_key=private-key.pem
Now we need to apply the rest of the original YAML file except the webhooks (CRDs, RBAC, deployment).
As for the webhooks, we need to add caBundle to each, like this:
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    # ADDED from caBundle.txt
    caBundle: xxxxxxxxxxxxxxxxxxxx
    service:
      name: webhook-service
      namespace: actions-runner-system
      path: /validate-actions-summerwind-dev-v1alpha1-runner
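
One way to add caBundle to every webhook without hand-editing each clientConfig, as an added example that is not part of the original post. It assumes the webhook manifests were split into a hypothetical file webhooks.yml, written as space-indented block-style YAML like the excerpt above; the function name inject_ca_bundle is also made up here.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: inject_ca_bundle caBundle.txt < webhooks.yml > 03_webhooks.yml
# (webhooks.yml and 03_webhooks.yml are hypothetical file names.)
inject_ca_bundle() {
  # Read the single-line base64 CA written by `openssl base64 -A`.
  bundle=$(tr -d '\r\n' < "$1") || return 1
  # Refuse an empty or non-base64 value instead of emitting a broken manifest.
  case "$bundle" in
    ''|*[!A-Za-z0-9+/=]*) echo "invalid caBundle in $1" >&2; return 1 ;;
  esac
  awk -v ca="$bundle" '
    { indent = match($0, /[^ ]/) - 1 }           # leading spaces on this line
    # A non-blank line at or left of the clientConfig key closes that block.
    in_cc && NF && indent <= cc { in_cc = 0 }
    # Drop a caBundle already present in the block, so reruns do not duplicate it.
    in_cc && /^ *caBundle:/ { next }
    { print }
    /^[ -]*clientConfig: *$/ {
      cc = index($0, "clientConfig:") - 1        # column of the key
      in_cc = 1
      # Child keys sit two spaces deeper than clientConfig itself.
      print sprintf("%" (cc + 2) "s", "") "caBundle: " ca
    }
  '
}
```

Review the result with a diff against the input before applying it; only caBundle lines should differ.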
And finally apply the runner, which should work as expected.
Logs can be found here:
kubectl -n actions-runner-system logs controller-manager-5876d679c9-zjsml -c manager -f
kubectl -n actions-runner-system logs prom1-runner -c runner -f