fix(e2e): use in-cluster service account token for kubeconfig
ARC runner has no kubeconfig file. Use the service account token at /var/run/secrets/kubernetes.io/serviceaccount/ to build a kubeconfig that connects to the Kubernetes API server from within the pod. This is the standard in-cluster access pattern. Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
@@ -49,13 +49,39 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
echo "HOME=${HOME}"
|
echo "HOME=${HOME}"
|
||||||
echo "GITHUB_WORKSPACE=${GITHUB_WORKSPACE:-<unset>}"
|
echo "KUBERNETES_SERVICE_HOST=${KUBERNETES_SERVICE_HOST:-<unset>}"
|
||||||
echo "ACTIONS_KUBECONFIG=${ACTIONS_KUBECONFIG:-<unset>}"
|
echo "KUBERNETES_SERVICE_PORT=${KUBERNETES_SERVICE_PORT:-<unset>}"
|
||||||
echo "Testing kubectl config view..."
|
echo "Checking service account token..."
|
||||||
kubectl config view --raw 2>&1 | head -5 || true
|
if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
|
||||||
echo "Testing kubectl cluster-info..."
|
echo "Service account token found at /var/run/secrets/kubernetes.io/serviceaccount/token"
|
||||||
kubectl cluster-info --request-timeout=5s 2>&1 || true
|
KUBECONFIG=/tmp/kubeconfig-incluster
|
||||||
echo "KUBECONFIG=${KUBECONFIG:-<from default>}"
|
cat > "$KUBECONFIG" <<EOF
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Config
|
||||||
|
clusters:
|
||||||
|
- cluster:
|
||||||
|
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||||
|
server: https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}
|
||||||
|
name: in-cluster
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: in-cluster
|
||||||
|
namespace: headlamp-dev
|
||||||
|
user: runner-sa
|
||||||
|
name: in-cluster
|
||||||
|
current-context: in-cluster
|
||||||
|
users:
|
||||||
|
- name: runner-sa
|
||||||
|
user:
|
||||||
|
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||||
|
EOF
|
||||||
|
echo "Created kubeconfig at ${KUBECONFIG}"
|
||||||
|
echo "KUBECONFIG=${KUBECONFIG}" >> "$GITHUB_ENV"
|
||||||
|
else
|
||||||
|
echo "::error::Service account token not found at /var/run/secrets/kubernetes.io/serviceaccount/token"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
kubectl cluster-info --request-timeout=5s
|
||||||
|
|
||||||
- name: Apply RBAC for E2E pipeline
|
- name: Apply RBAC for E2E pipeline
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
Reference in New Issue
Block a user