Workflows

Auto-update Kubernetes with your latest image


If you also want your workflow to update Kubernetes, you need to SSH in via GitHub Actions, together with your VPN connection, to your .
You need
Then add the following to your workflow YAML file (note the number of spaces to the left):

Use Secrets in GitHub as stand-ins for our host, port, key & username
build:
  name: Build
  runs-on: ubuntu-latest
  steps:
    - name: executing remote ssh commands using ssh key
      uses: appleboy/ssh-action@master
      with:
        host: ${{ secrets.HOST }}
        username: ${{ secrets.USERNAME }}
        key: ${{ secrets.KEY }}
        port: ${{ secrets.PORT }}
        script: whoami
Now add your VPN connection for GitHub so we can connect even with IP restrictions in place (it goes before the SSH part).
Use one of the alternatives below. We ran alternative 2 during the lesson.
Alternative 1:
    - uses: actions/checkout@v1
    - name: Install Open VPN
      run: sudo apt-get install openvpn
    - name: Connect VPN
      uses: golfzaptw/action-connect-ovpn@master
      id: connect_vpn
      with:
        PING_URL: 'DIN_VPN_IP'
        FILE_OVPN: '.github/vpn/config.ovpn'
        SECRET: ${{ secrets.SECRET_USERNAME_PASSWORD }}
      env:
        CA_CRT: ${{ secrets.CA_CRT }}
        USER_CRT: ${{ secrets.USER_CRT }}
        USER_KEY: ${{ secrets.USER_KEY }}
    - name: Check Connect VPN
      run: echo ${{ steps.connect_vpn.outputs.STATUS }}
    - name: kill vpn
      if: always()
      run: sudo killall openvpn
Alternative 2:
___
    - name: Install Open VPN
      run: |
        sudo apt update
        sudo apt install -y openvpn openvpn-systemd-resolved
    - name: Connect to VPN
      id: connect_vpn
      uses: "kota65535/github-openvpn-connect-action@v1"
      with:
        config_file: ./.github/vpn/config.ovpn
        username: ${{ secrets.OVPN_Username }}
        password: ${{ secrets.OVPN_Password }}
        client_key: ${{ secrets.OPEN_VPN_KEY }}

Enter your secrets with the username & password for your VPN, plus the entire
-----BEGIN PRIVATE KEY-----
block from your ovpn profile file

______
Put this script in place of “whoami”:
kubectl rollout restart deployment [name of your deployment]

This is the base template for what should go in .github/vpn/config.ovpn
Replace with your own IP, your own “ca”, “cert” and “tls crypt”

client
# use user & password auth
server-poll-timeout 4
nobind
remote [your public vpn-ip] 1194 udp
remote [your public vpn-ip] 443 tcp
remote [your public vpn-ip] 1194 udp
dev tun
dev-type tun
remote-cert-tls server
tls-version-min 1.2
reneg-sec 604800
auth-user-pass
verb 3
push-peer-info
# cf. https://github.com/jonathanio/update-systemd-resolved#openvpn-configuration
script-security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
cipher AES-256-CBC
compress lz4-v2
remote-cert-tls server
# CA certificate
<ca>
[insert your own <ca> here (including the header and footer text, just like cert and tls-crypt below)]
</ca>
# Client certificate
<cert>
[insert your own client certificate here (including the header and footer lines)]
</cert>

<tls-crypt>
#
# 2048 bit OpenVPN static key (Server Agent)
#
[insert your own tls-crypt static key here (including the header and footer lines)]
</tls-crypt>
verb 5




Variant 2 with a direct connection to Kubernetes:

Then add the following to your workflow YAML file (note the number of spaces to the left):
    - name: Installera OpenVPN i Workflow-stegen
      run: |
        sudo apt-get update
        sudo apt-get --assume-yes --no-install-recommends install openvpn
        sudo curl -o /bin/kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/kubectl
        sudo chmod +x /bin/kubectl
    - name: Konfigurera VPN med rätt access
      run: |
        echo "${{ secrets.PROFILE }}" > /tmp/config.ovpn
        echo "${{ secrets.VPN_PASSWORD }}" > /tmp/password
        echo "${{ secrets.KUBECONFIG }}" > /tmp/kubeconfig
    - name: Connect VPN
      run: sudo openvpn --config "/tmp/config.ovpn" --log "vpn.log" --daemon
    - name: Gör deploy av ny image på VM-miljön
      run: kubectl --insecure-skip-tls-verify -n default get po
      env:
        KUBECONFIG: /tmp/kubeconfig
    - name: Stäng new VPN-kopplingen
      if: always()
      run: |
        sudo chmod 777 vpn.log
        sudo killall openvpn
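A preflight step for the Variant 2 workflow above, added here as an example (it is not from the course notes). It refuses to continue if the rendered .ovpn still holds a [placeholder] from the template or lacks a directive the template relies on, checks that the credentials file has the two lines OpenVPN's auth-user-pass expects (username on line 1, password on line 2), and waits for "Initialization Sequence Completed" in the --log file before kubectl runs, rather than calling kubectl right after openvpn --daemon. The paths are assumed from the steps above (/tmp/config.ovpn, /tmp/password, vpn.log).

```shell
#!/bin/sh
# Added preflight helpers for the Variant 2 steps (example code, not from the
# course notes). Paths are assumptions taken from the steps above:
# /tmp/config.ovpn, /tmp/password and vpn.log; pass your own as arguments.

# Succeeds if the rendered .ovpn still contains a [placeholder] from the template.
ovpn_has_placeholders() {
  grep -q '\[[^]]*]' "$1"
}

# Succeeds only if every directive the template relies on is present.
ovpn_has_required() {
  for d in 'client' 'remote ' 'remote-cert-tls server' 'auth-user-pass' \
           '<ca>' '<cert>' '<tls-crypt>'; do
    grep -qF -- "$d" "$1" || return 1
  done
}

# OpenVPN's auth-user-pass file: username on line 1, password on line 2, nothing else.
auth_file_ok() {
  [ -r "$1" ] && [ "$(wc -l < "$1")" -eq 2 ] &&
    [ -n "$(sed -n '1p' "$1")" ] && [ -n "$(sed -n '2p' "$1")" ]
}

# Poll the file written by --log until OpenVPN reports the tunnel up, or give up after $2 seconds.
wait_for_vpn() {
  i=0
  while [ "$i" -lt "${2:-30}" ]; do
    grep -q 'Initialization Sequence Completed' "$1" 2>/dev/null && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

# Run every check; a non-zero return fails the job before kubectl touches the cluster.
vpn_preflight() {
  cfg="$1"; auth="$2"; log="$3"
  if ovpn_has_placeholders "$cfg"; then echo "unreplaced [placeholder] in $cfg" >&2; return 1; fi
  ovpn_has_required "$cfg" || { echo "$cfg lacks a required directive" >&2; return 1; }
  auth_file_ok "$auth" || { echo "$auth must hold username then password" >&2; return 1; }
  wait_for_vpn "$log" 30 || { echo "tunnel not up after 30s, see $log" >&2; return 1; }
}
```

Call `vpn_preflight /tmp/config.ovpn /tmp/password vpn.log` in a step placed between "Connect VPN" and the kubectl step so a half-configured tunnel fails the job instead of silently skipping the deploy.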
