This GitHub Action creates a TBS Build on the given cluster.
Warning This software is being released as an Alpha, meaning it is still in active development and may be subject to change at any point.
In order to use this action there are two things that need to be configured:
- Ensure that the GitHub action runner has access to the kubernetes API Server.
- Configure a service account that has the required permissions.
The GitHub action talks directly to the kubernetes API server, so if you are running this on github.com with the default action runners you'll need to ensure your API server is accessable from GitHubs IP ranges. Alternatively it may be possible to runner the action on a custom runner within your firewall (with access to the TAP cluster).
The minimum permissions required on the TBS cluster are documented below:
ClusterRole
└ kpack.io
└ clusterbuilders verbs=[get]
Role (developer namespace)
├ ''
│ ├ pods verbs=[get watch list] ✔
│ └ pods/log verbs=[get] ✔
└ kpack.io
└ builds verbs=[get watch list create delete] ✔
The example file contains the minimum required permissions.
To apply this file to a namespace called dev
:
kubectl apply -f https://raw.githubusercontent.com/vmware-tanzu/build-image-action/main/config/rbac.yaml
Then to access the values:
DEV_NAMESPACE=dev
SECRET=$(kubectl get sa github-actions -oyaml -n $DEV_NAMESPACE | yq '.secrets[0].name')
CA_CERT=$(kubectl get secret $SECRET -oyaml -n $DEV_NAMESPACE | yq '.data."ca.crt"')
NAMESPACE=$(kubectl get secret $SECRET -oyaml -n $DEV_NAMESPACE | yq .data.namespace | base64 -d)
TOKEN=$(kubectl get secret $SECRET -oyaml -n $DEV_NAMESPACE | yq .data.token | base64 -d)
SERVER=$(kubectl config view --minify | yq '.clusters[0].cluster.server')
Using the GitHub cli create the required secrets on the repository:
gh secret set CA_CERT --app actions --body "$CA_CERT"
gh secret set NAMESPACE --app actions --body "$NAMESPACE"
gh secret set TOKEN --app actions --body "$TOKEN"
gh secret set SERVER --app actions --body "$SERVER"
server
: Host of the API Server.ca-cert
: CA Certificate of the API Server.token
: Service Account token to access kubernetes.namespace
: (required) The namespace to create the build resource in.
destination
: (required)env
: A list of environment variables to be passed to the build, see below for the formatserviceAccountName
: Name of the service account in the namespace, defaults todefault
clusterBuilder
: Name of the cluster builder to use, defaults todefault
timeout
: Max active time that the pod can run for in seconds, defaults to3600
cleanup
: Should the action cleanup any generated resources on completion, defaults totrue
- name: Build Image
id: build
uses: vmware-tanzu/build-image-action@v1-alpha
with:
# auth
server: ${{ secrets.SERVER }}
token: ${{ secrets.TOKEN }}
ca_cert: ${{ secrets.CA_CERT }}
namespace: ${{ secrets.NAMESPACE }}
# image config
destination: gcr.io/project-id/name-for-image
env: |
BP_JAVA_VERSION=17
name
: The full name, including sha of the built image.
- name: Do something with image
run:
echo "${{ steps.build.outputs.name }}"
To run this action in "debug" mode, add a secret called ACTIONS_STEP_DEBUG
with the value set to true
as
documented in the GitHub Action Docs.
TODO
The build-image-action project team welcomes contributions from the community. Before you start working with this project please read and sign our Contributor License Agreement CLA. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will prompt you to do so when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ.
The scripts and documentation in this project are released under the Apache 2.