feat(arc): mount k8s and talos inside

buroa · Dec 28, 2024 · 5a93302 · 5a93302
1 parent 969373a
commit 5a93302
Show file tree

Hide file tree

Showing 9 changed files with 47 additions and 26 deletions.
diff --git a/.github/workflows/helm-repository-sync.yaml b/.github/workflows/helm-repository-sync.yaml
@@ -38,13 +38,6 @@ jobs:
         with:
           token: "${{ steps.app-token.outputs.token }}"
 
-      - name: Write kubeconfig
-        id: kubeconfig
-        uses: timheuer/base64-to-file@v1
-        with:
-          encodedString: "${{ secrets.KUBECONFIG }}"
-          fileName: kubeconfig
-
       - if: ${{ github.event.inputs.helmRepoNamespace == '' && github.event.inputs.helmRepoName == '' }}
         name: Get changed files
         id: changed-files
@@ -59,8 +52,6 @@ jobs:
 
       - if: ${{ github.event.inputs.helmRepoNamespace == '' && github.event.inputs.helmRepoName == '' }}
         name: Sync Helm Repository
-        env:
-          KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}"
         shell: bash
         run: |
           declare -a repos=()
@@ -79,8 +70,6 @@ jobs:
 
       - if: ${{ github.event.inputs.helmRepoNamespace != '' && github.event.inputs.helmRepoName != '' }}
         name: Sync Helm Repository
-        env:
-          KUBECONFIG: ${{ steps.kubeconfig.outputs.filePath }}
         shell: bash
         run: |
           flux \

diff --git a/.github/workflows/pre-pull-images.yaml b/.github/workflows/pre-pull-images.yaml
@@ -104,19 +104,8 @@ jobs:
       - name: Setup Workflow Tools
         run: brew update && brew install siderolabs/tap/talosctl
 
-      - name: Write talosconfig
-        id: talosconfig
-        uses: timheuer/base64-to-file@v1
-        with:
-          encodedString: "${{ secrets.TALOSCONFIG }}"
-          fileName: talosconfig
-
       - name: Pre-pull Image
-        env:
-          TALOSCONFIG: "${{ steps.talosconfig.outputs.filePath }}"
-        run: |
-          NODE=$(talosctl config info --output json | jq --raw-output '.nodes[]' | shuf -n 1)
-          talosctl -n $NODE image pull ${{ matrix.images }}
+        run: talosctl -n $NODE_IP image pull ${{ matrix.images }}
 
   # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7
   pre-pull-images-success:

diff --git a/kubernetes/apps/actions-runner-system/actions-runner-controller/app/kustomization.yaml b/kubernetes/apps/actions-runner-system/actions-runner-controller/app/kustomization.yaml
@@ -4,3 +4,4 @@ kind: Kustomization
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
+  - ./rbac.yaml
diff --git a/kubernetes/apps/actions-runner-system/actions-runner-controller/app/rbac.yaml b/kubernetes/apps/actions-runner-system/actions-runner-controller/app/rbac.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: actions-runner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: actions-runner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: actions-runner
+    namespace: actions-runner-system
+---
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+  name: actions-runner
+spec:
+  roles:
+    - os:admin
diff --git a/kubernetes/apps/actions-runner-system/actions-runner-controller/runner/helmrelease.yaml b/kubernetes/apps/actions-runner-system/actions-runner-controller/runner/helmrelease.yaml
@@ -31,11 +31,26 @@ spec:
       type: dind
     template:
       spec:
+        autoMountServiceAccountToken: true
         containers:
           - name: runner
             image: ghcr.io/buroa/actions-runner:2.321.0@sha256:08baa1d4489fdbcf85e726568406be481d35cf86da8281d9821a32b78d9301d9
             command:
               - /home/runner/run.sh
+            env:
+              - name: NODE_IP
+                valueFrom:
+                  fieldRef:
+                    fieldPath: status.hostIP
+            volumeMounts:
+              - mountPath: /var/run/secrets/talos.dev
+                name: talos
+                readOnly: true
+        serviceAccount: actions-runner
+        volumes:
+          - name: talos
+            secret:
+              secretName: actions-runner
     controllerServiceAccount:
       name: gha-runner-scale-set-controller
       namespace: actions-runner-system

diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml
@@ -15,7 +15,7 @@ subjects:
 apiVersion: talos.dev/v1alpha1
 kind: ServiceAccount
 metadata:
-  name: talos
+  name: system-upgrade
 spec:
   roles:
     - os:admin
diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml
@@ -7,7 +7,7 @@ spec:
   version: ${KUBERNETES_VERSION}
   serviceAccountName: system-upgrade
   secrets:
-    - name: talos
+    - name: system-upgrade
       path: /var/run/secrets/talos.dev
       ignoreUpdates: true
   concurrency: 1

diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/talos.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/talos.yaml
@@ -7,7 +7,7 @@ spec:
   version: ${TALOS_VERSION}
   serviceAccountName: system-upgrade
   secrets:
-    - name: talos
+    - name: system-upgrade
       path: /var/run/secrets/talos.dev
       ignoreUpdates: true
   concurrency: 1

diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml
@@ -434,4 +434,5 @@ controlPlane:
             allowedRoles:
               - os:admin
             allowedKubernetesNamespaces:
+              - actions-runner-system
               - system-upgrade