
Commit 0e5b041

Fix github runner creation with token from lockbox (#224)
1 parent 815a01e commit 0e5b041

3 files changed

+52
-17
lines changed


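--- a/deploy/terraform/github-runner-config.yaml
+++ b/deploy/terraform/github-runner-config.yaml
@@ -1,14 +1,26 @@
 #cloud-config
 runcmd:
-- apt update && apt install -y jq unzip curl git docker.io docker-compose-v2
+- apt update && apt install -y jq unzip curl wget git docker.io docker-compose-v2
+# install github cli
+- mkdir -p -m 755 /etc/apt/keyrings
+- wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+- chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+- echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+- apt update && apt install gh -y
+# install yc cli
+- su - root -c "curl -o ./yc-install.sh -L https://storage.yandexcloud.net/yandexcloud-yc/install.sh"
+- su - root -c "chmod +x ./yc-install.sh && ./yc-install.sh -i /tmp/yc -n && mv /tmp/yc/bin/yc /usr/bin/yc"
+# add non root user
 - useradd -m github --shell /bin/bash && usermod -aG docker github
 - cd /home/github
 - su - github -c "mkdir -p /home/github/actions-runner"
 - cd actions-runner
+# install github runner agent
 - case $(uname -m) in aarch64) ARCH="arm64" ;; amd64|x86_64) ARCH="x64" ;; esac && export RUNNER_ARCH=$${ARCH}
+- export RUNNER_TOKEN=$(yc lockbox payload get --id ${LOCKBOX_ID} --key ${LOCKBOX_KEY})
 - su - github -c "curl -O -L https://github.com/actions/runner/releases/download/v${VERSION}/actions-runner-linux-$${RUNNER_ARCH}-${VERSION}.tar.gz"
 - su - github -c "tar xzf ./actions-runner-linux-$${RUNNER_ARCH}-${VERSION}.tar.gz"
-- su - github -c "./config.sh --unattended --url https://github.com/${OWNER}/${REPO} --token ${TOKEN} --name github-runner-${REPO}-ind-${IND} --runnergroup default --work _work --labels cloud"
+- su - github -c "./config.sh --unattended --url https://github.com/${OWNER}/${REPO} --token $${RUNNER_TOKEN} --name github-runner-${REPO}-ind-${IND} --runnergroup default --work _work --labels cloud"
 - su - github -c "export PATH=\$${PATH}:\$${HOME}/.local/bin && ./run.sh"
 bootcmd:
 - cd /home/github/actions-runner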
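Review bot: The token fetch on new line 20, `export RUNNER_TOKEN=$(yc lockbox payload get --id ${LOCKBOX_ID} --key ${LOCKBOX_KEY})`, is never checked, so if the call fails (IAM binding not yet propagated, key missing from the secret) RUNNER_TOKEN is empty and the `config.sh` line at 23 runs with a blank `--token`, leaving a VM that looks provisioned but never registers; add `- [ -n "$${RUNNER_TOKEN}" ] || { echo "runner token not readable from lockbox" >&2; exit 1; }` directly after the export. Because the value is expanded into the `su - github -c "..."` string, the token is present in the argv of the spawned shell and of config.sh for as long as they run; that is inherent to `--token`, but a comment on line 20 should say the entry is expected to be a short-lived registration token (GitHub expires those after one hour, so the lockbox value must be refreshed shortly before apply), which also bounds that exposure. Separately, lines 11-12 download and execute the yc installer as root with no version pin or digest check; pinning the installer (or the yc release) and verifying a checksum would keep the runner image reproducible and remove a blind trust on the download host.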

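--- a/deploy/terraform/github-runner.tf
+++ b/deploy/terraform/github-runner.tf
@@ -2,9 +2,12 @@ locals {
 gh_owner = "datalens-tech"
 gh_repo = "datalens"
 
-runner_version = "2.319.1"
+runner_ssh_access = false
 
-runners_count = 1
+runner_os_image = "ubuntu-2404-lts-oslogin"
+runner_version = "2.319.1"
+
+runners_count = 2
 runners_ids = local.is_create_github_runner ? [for i in range(0, local.runners_count) : { key = "ind-${i}", ind = i }] : []
 }
 
@@ -14,12 +17,6 @@ resource "yandex_lockbox_secret" "github-runner" {
 name = "${local.service}-github-runner-secrets"
 }
 
-data "yandex_lockbox_secret_version" "github-runner" {
-for_each = toset(local.is_create_github_runner ? ["main"] : [])
-
-secret_id = yandex_lockbox_secret.github-runner["main"].id
-}
-
 resource "yandex_iam_service_account" "github-runner" {
 for_each = toset(local.is_create_github_runner ? ["main"] : [])
 
@@ -34,8 +31,29 @@ resource "yandex_resourcemanager_folder_iam_member" "github-runner" {
 member = "serviceAccount:${yandex_iam_service_account.github-runner["main"].id}"
 }
 
+resource "yandex_lockbox_secret_iam_binding" "github-runner" {
+for_each = toset(local.is_create_github_runner ? ["main"] : [])
+
+secret_id = yandex_lockbox_secret.github-runner["main"].id
+role = "lockbox.payloadViewer"
+
+members = [
+"serviceAccount:${yandex_iam_service_account.github-runner["main"].id}",
+]
+}
+
 data "yandex_compute_image" "this" {
-family = "ubuntu-24-04-lts"
+family = local.runner_os_image
+}
+
+resource "yandex_vpc_address" "github-runner" {
+for_each = local.runner_ssh_access ? { for id in local.runners_ids : id.key => id.ind } : {}
+
+name = "github-runner-${each.key}-ip"
+
+external_ipv4_address {
+zone_id = "ru-central1-a"
+}
 }
 
 resource "yandex_compute_disk" "github-runner" {
@@ -77,10 +95,14 @@ resource "yandex_compute_instance" "github-runner" {
 subnet_id = yandex_vpc_subnet.this[local.zones[each.value % length(local.zones)]].id
 security_group_ids = [yandex_vpc_security_group.github-runner["main"].id]
 ipv4 = true
+
+nat = local.runner_ssh_access
+nat_ip_address = local.runner_ssh_access ? yandex_vpc_address.github-runner[each.key].external_ipv4_address[0].address : null
 }
 
 metadata = {
 skip_update_ssh_keys = true
+enable-oslogin = true
 
 user-data = templatefile("github-runner-config.yaml", {
 VERSION = local.runner_version
@@ -89,7 +111,8 @@ resource "yandex_compute_instance" "github-runner" {
 REPO = local.gh_repo
 IND = "${each.value}"
 
-TOKEN = [for secret in data.yandex_lockbox_secret_version.github-runner["main"].entries : secret.text_value if secret.key == "RUNNER_${upper(replace(local.gh_repo, "-", "_"))}_${each.value}_TOKEN"][0]
+LOCKBOX_ID = yandex_lockbox_secret.github-runner["main"].id
+LOCKBOX_KEY = "RUNNER_${upper(replace(local.gh_repo, "-", "_"))}_${each.value}_TOKEN"
 })
 }
 }
@@ -130,11 +153,11 @@ data "dns_a_record_set" "github-runner-gh" {
 locals {
 v4_gh_any_cidr_blocks = ["0.0.0.0/0"]
 
-ingress_github_runner = [
+ingress_github_runner = concat([
 { proto = "ANY", target = "self_security_group", from_port = 0, to_port = 65535, desc = "self" },
 { proto = "ANY", cidr_v4 = local.v4_subnets_cidr_blocks, from_port = 0, to_port = 65535, desc = "subnets" },
 { proto = "ICMP", cidr_v4 = local.v4_icmp_cidr_blocks, from_port = 0, to_port = 65535, desc = "icmp" },
-]
+], local.runner_ssh_access ? [{ proto = "TCP", cidr_v4 = ["${local.v4_public_ip}/32"], port = 22, desc = "ssh" }] : [])
 egress_github_runner = concat(
 [
 { proto = "ANY", target = "self_security_group", from_port = 0, to_port = 65535, desc = "self" },
@@ -147,7 +170,7 @@ locals {
 { proto = "TCP", cidr_v4 = local.v4_gh_any_cidr_blocks, port = 443, desc = "any" },
 ],
 [for e in local.endpoints : { proto = "TCP", cidr_v4 = ["${data.dns_a_record_set.this[e].addrs[0]}/32"], port = 443, desc = e }],
-[for e in local.gh_endpoints : { proto = "TCP", cidr_v4 = ["${data.dns_a_record_set.github-runner-gh[e].addrs[0]}/32"], port = 43, desc = e }],
+[for e in local.gh_endpoints : { proto = "TCP", cidr_v4 = ["${data.dns_a_record_set.github-runner-gh[e].addrs[0]}/32"], port = 443, desc = e }],
 [for e in local.common_endpoints : { proto = "TCP", cidr_v4 = ["${data.dns_a_record_set.github-runner-common[e].addrs[0]}/32"], port = 80, desc = e }],
 [for e in local.common_endpoints : { proto = "TCP", cidr_v4 = ["${data.dns_a_record_set.github-runner-common[e].addrs[0]}/32"], port = 443, desc = e }],
 )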
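Review bot: The `yandex_lockbox_secret_iam_binding` added in the third hunk (new lines 34-44) grants the runner service account `lockbox.payloadViewer` on the entire `${local.service}-github-runner-secrets` secret, and that service account is attached to every runner VM, so any process on a runner — including the CI jobs executed as the `github` user — holds, via the instance's service-account identity, read access to every `RUNNER_*_TOKEN` entry and to anything else stored in that secret, not just its own token. Since the token is needed only once at registration (new line 20 of github-runner-config.yaml), keeping the runner tokens in a dedicated secret with nothing else in it, and rotating or removing the entries after the runners have registered, limits what a compromised job can reach. If this provider's `*_iam_binding` resources are authoritative for the role, as their naming suggests, any `lockbox.payloadViewer` member granted on this secret outside Terraform is removed on the next apply; a comment above the resource, `# authoritative for lockbox.payloadViewer on this secret: members managed elsewhere will be dropped`, would make that explicit. The `enable-oslogin = true` metadata key (fourth hunk, new line 105) is set unconditionally while the public address and port-22 rule are gated on `local.runner_ssh_access`; a short comment stating that OS Login is enabled regardless of the SSH toggle would save a reader from hunting for the relationship.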

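--- a/deploy/terraform/provider.tf
+++ b/deploy/terraform/provider.tf
@@ -33,12 +33,12 @@ provider "yandex" {
 }
 
 provider "kubernetes" {
-config_path = data.shell_script.kubeconfig.output["path"]
+config_path = try(data.shell_script.kubeconfig.output["path"], "./kubeconfig.conf")
 }
 
 provider "helm" {
 kubernetes {
-config_path = data.shell_script.kubeconfig.output["path"]
+config_path = try(data.shell_script.kubeconfig.output["path"], "./kubeconfig.conf")
 }
 
 registry {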
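Review bot: The `try(..., "./kubeconfig.conf")` fallback on new lines 36 and 41 converts a failed `data.shell_script.kubeconfig` lookup into a silent switch to a path relative to the working directory, so a run from another directory, or one that finds a stale `kubeconfig.conf` left over from a different cluster, points the kubernetes and helm providers at the wrong cluster without any error. Hoisting the expression into a single local with a comment — `# kubeconfig fallback for runs where the shell data source is unavailable; must be the intended cluster's config and must stay out of version control` — and referencing that local from both providers keeps the two definitions in sync and makes the behaviour discoverable to the next maintainer. The duplicated literal is the same on both lines, so the note applies to the helm block as well.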
