nearform · blucas · Mar 6, 2023 · Feb 24, 2023 · Feb 28, 2023 · Feb 28, 2023
diff --git a/Makefile b/Makefile
@@ -91,3 +91,6 @@ integration-test: ## Run integration tests
 
 validate: ## Run static checks
 	@ASDF_DEFAULT_TOOL_VERSIONS_FILENAME=$(CURDIR)/.tool-versions pre-commit run --color=always --show-diff-on-failure --all-files
+
+create-ci-service-account: ## Create a k8s service account that would be used by CI systems
+	@./scripts/create-ci-service-account.sh
diff --git a/manifests/ci-service-account/README.md b/manifests/ci-service-account/README.md
@@ -0,0 +1,11 @@
+# Service account for CI Bot
+This cluster will deploy a `ServiceAccount` with the
+sole purpose of being utilized by the CI System to interact with the cluster.
+
+The `ServiceAccount` is associated with a `kubernetes.io/service-account-token`.
+Once this token is generated, the cluster administrator must export this token to the
+CI System as a secret.
+
+In the case of GitHub, follow the [official guide](https://docs.github.com/en/actions/security-guides/encrypted-secrets#about-encrypted-secrets)
+for creating a secret. Depending on your specific needs the secret could be applicable to a single repo,
+an environment, or the entire GitHub organization.
diff --git a/manifests/ci-service-account/ci-cluster-role-binding.yaml b/manifests/ci-service-account/ci-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: continuous-deployment
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: continuous-deployment
+subjects:
+  - kind: ServiceAccount
+    name: ci-bot
+    namespace: default
diff --git a/manifests/ci-service-account/ci-cluster-role.yaml b/manifests/ci-service-account/ci-cluster-role.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: continuous-deployment
+rules:
+  - apiGroups:
+      - ''
+      - apps
+      - networking.k8s.io
+    resources:
+      - namespaces
+      - deployments
+      - replicasets
+      - ingresses
+      - services
+      - secrets
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
diff --git a/manifests/ci-service-account/ci-service-account.yaml b/manifests/ci-service-account/ci-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ci-bot
diff --git a/manifests/ci-service-account/ci-token.yaml b/manifests/ci-service-account/ci-token.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: github-actions-token
+  annotations:
+    kubernetes.io/service-account.name: "ci-bot"
+type: kubernetes.io/ci-bot-token
diff --git a/scripts/create-ci-service-account.sh b/scripts/create-ci-service-account.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+kubectl apply -f manifests/gha-service-account
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		#!/usr/bin/env bash

		kubectl apply -f manifests/gha-service-account
blucas marked this conversation as resolved. Show resolved Hide resolved