chore: some updates to entrypoint and dockerfile

Author: bateau84

Dockerfile

@@ -1,14 +1,12 @@
-FROM alpine:3.21.3
+FROM python:3.13-alpine
 
-RUN apk --no-cache add coreutils util-linux-misc bash curl jq github-cli
+RUN apk --no-cache add coreutils util-linux-misc bash && adduser -u 1001 -D runuser && pip3 install --no-cache-dir configargparse
 
-# Download and install latest version of vault
-RUN curl -L -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.12.2/vault_1.12.2_linux_amd64.zip \
-  && unzip /tmp/vault.zip -d /usr/local/bin/ \
-  && rm -f /tmp/vault.zip
+USER runuser
+ENV HOME=/home/runuser
+COPY --chown=runuser:runuser setenv.py entrypoint.sh $HOME/
+RUN chmod +x $HOME/setenv.py $HOME/entrypoint.sh
 
-COPY bin/setenv.py /usr/local/bin/setenv.py
+WORKDIR ${HOME}
 
-COPY entrypoint.sh /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/home/runuser/entrypoint.sh"]

README.md

@@ -1,88 +1,32 @@
 # Github action for setting KUBECONFIG using vault
-A custom Github Action that can be used to create a kubernetes-config from vault kubernetes auth and secrets in vault. This custom action was created because the official hashicorp/vault action only supports `GET` requests, while the kubernetes auth method in vault requires `POST`.
 
-### Requires permissions: ###
+A custom Github Action that can be used to read environments from vault.
+
+### Requires permissions:
+
 The following [permissions](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#defining-access-for-the-github_token-scopes) need to be defined in [your GitHub Actions workflow](https://github.com/nrkno/plattform-github-apps/blob/6b6e96ab3824630f728574d0362687d1be96e7f4/.github/workflows/policy-bot.yaml#L28) in order to use this custom action.
 
 ```yaml
 permissions:
   id-token: write
-  actions: read
   contents: read
 ```
 
-### Note: ###
-The kubeconfig file is stored in the GITHUB_WORKSPACE, same as where the checkout action stores the repo. Use `output-only: true` to not export KUBECONFIG file and env variable.
-*By default the config will be valid for **10 minutes**. Use input vault-sa-ttl to change.*
+### Note:
 
 ## Example usage:
-Example with deployment to kubernetes cluster.
-Vault-role is `appname-environment`
-```yaml
-      - uses: nrkno/github-action-vault-to-k8s-config@v2.0
-        id: vault-to-k8s-config
-        with:
-          vault-address: ${{ secrets.PLATTFORM_VAULT_URL }}
-          vault-role: plattform-gorgon-api-github-prod
-          cluster: aks-plattform-int-prod-eno
-          namespace: gorgon-api-prod
-      - uses: azure/k8s-deploy@v4.5
-        with:
-          manifests: prod/
-          images: |
-            plattform.azurecr.io/plattform/gorgon:latest
-          annotate-namespace: false
-          action: deploy
-```
-
-_You can find additional examples of usage by [searching for usages of the github-action-vault-to-k8s-config action in the nrkno organization on GitHub](https://github.com/search?q=org%3Anrkno+uses%3A+nrkno%2Fgithub-action-vault-to-k8s-config+language%3AYAML&type=code&l=YAML)._
 
 ### Common issues
 
-#### Failed creating vault token
-If github-action-vault-to-k8s-config [fails with the error "Failed creating vault token"](https://github.com/nrkno/valg-valgportal-2023-api/actions/runs/5517809972/job/14938542371), you've probably forgot to add the required permissions to your workflow, as described below.
-
 ## Inputs
+
 ```yaml
 inputs:
-  vault-address:
-    description: 'address to your vault'
-    required: true
-  vault-role:
-    description: 'Your github applications vault role'
-    required: true
-  vault-path:
-    description: 'Auth path for vault'
-    default: jwt-github
-    required: false
-  vault-sa-ttl:
-    description: 'How long the service account for the kubeconfig will exist'
-    default: 10m
-    required: false
-  cluster:
-    description: 'The name of your kubernetes cluster'
-    required: true
-  namespace:
-    description: 'The name of your kubernetes namespace'
-    required: true
-  cluster-rolebinding:
-    description: 'Rolebinding to give ServiceAccount in the cluster'
-    required: false
-    default: edit
-  output-only:
-    description: "If true, KUBECONFIG env variable wont be set, and kubeconfig file won't be written to GITHUB_WORKSPACE"
-    required: false
-    default: "false"
 ```
 
 ## Outputs
-```yaml
-  k8s-config:
-    description: 'The kube-config for your dynamic service account'
-  ingress-suffix:
-    description: 'Ingress suffix for the cluster'
-```
 
 ## Contributing
+
 Create an issue and optionally a pull-request.
-Use semantic commit messages.
+Use semantic commit messages.

action.yaml

@@ -14,22 +14,22 @@ inputs:
   azure:
     description: "Get Azure credentials, exported as ARM_CLIENT_ID and ARM_CLIENT_SECRET"
     required: false
-  azure-no-arm:
+  azure_no_arm:
     description: "Do not export ARM_CLIENT_ID and ARM_CLIENT_SECRET, only TF_VAR_azure_client_id and TF_VAR_azure_client_secret"
     required: false
   gcp:
     description: 'GCP project names, creates TF_VAR_gcp_project_name for use in "credentials" in google provider'
     required: false
-  terraform-registry:
+  terraform_registry:
     description: 'Get Terraform registry token, expects to be found in vault under "token" in secret/applications/{name}/{env}/terraform-registry'
     required: false
-  no-wait:
+  no_wait:
     description: "Do not wait for credentials to propagate"
     required: false
   eval:
     description: "Output as export statements, for use with eval $()"
     required: false
-  new-line:
+  new_line:
     description: "Output as text separated by newline"
     required: false
   debug:
@@ -38,58 +38,54 @@ inputs:
   token:
     description: "Vault token, defaults to /vault/secrets/token"
     required: false
-  vault-role-id-name:
+  vault_role_id_name:
     description: 'Name of the environment variable for Vault role ID, defaults to "TF_VAR_vault_role_id"'
     required: false
-  vault-secret-id-name:
+  vault_secret_id_name:
     description: 'Name of the environment variable for Vault secret ID, defaults to "TF_VAR_vault_secret_id"'
     required: false
+  vault_secret_id_cidr:
+    description: "CIDR to use for Vault secret ID, defaults to the IP address from --myip-url with /32 suffix"
+    required: false
   cache:
     description: "Cache/ use cached credentials"
     required: false
-  cache-file:
+  cache_file:
     description: "Path and name to cache file, defaults to /tmp/{repo_name}_{workflow_name}.cache.json when running in atlantis, or /tmp/{current_workdir}.cache.json when running from shell"
     required: true
   secret:
-    description: 'Every key/value pair in vault applications "setenv" secret is added to env vars'
+    description: 'Every key/value pair in vault applications "setenv" secret is added to env vars on hardcoded path secret/applications/{name}/{env}/setenv'
     required: false
-  vault-secret:
-    description: "Get secret from vault, specify path to secret, key in secret and name of environment variable to export. Can be used multiple times, e.g. --vault-secret secret/applications/myapp/prod:mykey:MY_VAR_NAME. If using * as key, all keys in secret will be exported with the specified var_name as prefix, e.g.: --vault-secret secret/applications/myapp/prod:*:MY_PREFIX_ will export MY_PREFIX_key1, MY_PREFIX_key2 etc."
+  vault_secret:
+    description: "Get secret from vault, spec path to secret, key in secret and name of environment variable to export. Can be used multiple times, e.g. --vault-secret secret/applications/myapp/prod:mykey:MY_VAR_NAME. using * as key, all keys in secret will be exported with the speced var_name as prefix, e.g.: --vault-secret secret/applications/myapp/prod:*:MY_PREFIX_ will export MY_PREFIX_key1, MY_PREFIX_key2 etc."
     required: false
-  myip-url:
+  myip_url:
     description: "URL to get current IP address, default is http://icanhazip.com"
     required: false
+
 runs:
   using: "docker"
   image: "Dockerfile"
-  args:
-    - --name
-    - ${{ inputs.name }}
-    - --env
-    - ${{ inputs.env }}
-    - --cluster
-    - ${{ for cluster in inputs.cluster.split(',').append('--cluster') if cluster.strip() }}
-    - ${{ if inputs.azure --azure}}
-    - ${{ if inputs.azure-no-arm --azure-no-arm}}
-    - --gcp
-    - ${{ for gcp in inputs.gcp.split(',').append('--gcp') if gcp.strip() }}
-    - --terraform-registry
-    - ${{ inputs.terraform-registry }}
-    - --no-wait
-    - ${{ inputs.no-wait }}
-    - ${{ if inputs.eval --eval }}
-    - ${{ if inputs.new-line --new-line }}
-    - ${{ if inputs.debug --debug }}
-    - ${{ if inputs.token --token }}
-    - --vault-role-id-name
-    - ${{ inputs.vault-role-id-name }}
-    - --vault-secret-id-name
-    - ${{ inputs.vault-secret-id-name }}
-    - ${{ if inputs.cache --cache }}
-    - --cache-file
-    - ${{ inputs.cache-file }}
-    - ${{ if inputs.secret --secret }}
-    - --vault-secret
-    - ${{ for vault_secret in inputs.vault-secret.split(',').append('--vault-secret') if vault_secret.strip() }}
-    - --myip-url
-    - ${{ inputs.myip-url }}
+  env:
+    VAULT_ADDR: ${{ inputs.VAULT_ADDR }}
+  # args:
+  #   - --name ${{ inputs.name }}
+  #   - --env ${{ inputs.env }}
+  #   - --cluster ${{ inputs.cluster }}
+  #   - --azure ${{ inputs.azure}}
+  #   - --azure-no-arm ${{ inputs.azure-no-arm }}
+  #   - --gcp ${{ inputs.gcp }}
+  #   - --terraform-registry ${{ inputs.terraform-registry }}
+  #   - --no-wait ${{ inputs.no-wait }}
+  #   - --eval ${{ inputs.eval }}
+  #   - --new-line ${{ inputs.new-line }}
+  #   - --debug ${{ inputs.debug }}
+  #   - --token ${{ inputs.token }}
+  #   - --vault-role-id-name ${{ inputs.vault-role-id-name }}
+  #   - --vault-secret-id-name ${{ inputs.vault-secret-id-name }}
+  #   - --cache ${{ inputs.cache }}
+  #   - --cache-file ${{ inputs.cache-file }}
+  #   - --secret ${{ inputs.secret }}
+  #   - --vault-secret ${{ inputs.vault-secret }}
+  #   - --vault-secret ${{ inputs.vault-secret }}
+  #   - --myip-url ${{ inputs.myip-url }}

entrypoint.sh

@@ -1,5 +1,12 @@
 #!/bin/bash
-set -e
+
 set -x
 
-pipenv run bin/setenv.py $@
+VARIABLES="$(python3 /home/runuser/setenv.py)"
+
+if [[ -z "$VARIABLES" ]]; then
+  echo "No variables set. Exiting."
+  exit 1
+fi
+
+eval "$VARIABLES"