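# Composite action metadata. The steps read connection details from a Vault
# Kubernetes secrets backend (`<backend>/config`), request a service account
# token from `<backend>/creds/<role>`, and render a kubeconfig from them.
name: get-kubeconfig-from-vault
description: >-
  Request a Kubernetes service account token from a HashiCorp Vault
  Kubernetes secrets backend and write a kubeconfig that uses it.
inputs:
  vault_addr:
    description: >-
      Address of the Vault server. When set, it is exported as VAULT_ADDR
      for the remaining steps of the job.
    required: false
  vault_token:
    # Sensitive: callers should pass this from a secret, never as a literal.
    description: >-
      Vault token used to authenticate. When set, it is exported as
      VAULT_TOKEN for the remaining steps of the job.
    required: false
  vault_kubernetes_backend:
    description: >-
      Mount path of the Vault Kubernetes secrets backend. Its config and
      creds endpoints are read by this action.
    required: true
  vault_kubernetes_role:
    description: >-
      Role under the backend's creds endpoint for which a service account
      token is requested.
    required: true
  kubeconfig_template:
    # The template is expanded with envsubst, so any ${NAME} it references is
    # replaced by the matching environment variable of the job.
    description: >-
      Kubeconfig template. The placeholders ${KUBERNETES_CA_CERT},
      ${KUBERNETES_HOST} and ${SERVICE_ACCOUNT_TOKEN} are substituted with
      the values read from Vault.
    required: false
    default: |
      apiVersion: v1
      kind: Config
      current-context: default
      clusters:
        - name: cluster
          cluster:
            certificate-authority-data: ${KUBERNETES_CA_CERT}
            server: ${KUBERNETES_HOST}
      users:
        - name: user
          user:
            token: ${SERVICE_ACCOUNT_TOKEN}
      contexts:
        - name: default
          context:
            cluster: cluster
            user: user
            namespace: default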
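# Steps of the composite action.
#
# Security notes for maintainers:
# - Inputs are handed to the shell through `env:` and referenced as quoted
#   shell variables. Expanding an input expression directly inside `run:`
#   pastes caller-controlled text into the script before bash parses it.
# - Values are masked BEFORE they are written to GITHUB_ENV. Variables written
#   to GITHUB_ENV only exist in later steps, so masking `${NAME}` in the same
#   step that writes it masks an empty string.
# - Everything written to GITHUB_ENV (Vault token, service account token)
#   stays visible to every later step of the calling job.
runs:
  using: composite
  steps:
    # Install HashiCorp Vault #################################################
    - run: |
        VERSION="$(gh release list --repo hashicorp/vault | grep Latest | awk '{sub(/v/,X,$0);print $1}')"
        # An empty version would otherwise produce a malformed download URL.
        if [ -z "${VERSION}" ]; then
          echo "Could not determine the latest Vault release" >&2
          exit 1
        fi
        wget -q "https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_linux_amd64.zip"
        # Verify the archive against the published checksum list before it is
        # installed with sudo. The list comes from the same host, so this
        # catches corruption or truncation only; checking the detached
        # signature (vault_${VERSION}_SHA256SUMS.sig) against a pinned
        # HashiCorp key, and pinning VERSION, would be stronger.
        wget -q "https://releases.hashicorp.com/vault/${VERSION}/vault_${VERSION}_SHA256SUMS"
        sha256sum --check --ignore-missing "vault_${VERSION}_SHA256SUMS"
        sudo unzip "vault_${VERSION}_linux_amd64.zip" vault -d /usr/bin
      shell: bash
      env:
        GH_TOKEN: ${{ github.token }}
    # Load Vault address ######################################################
    - if: inputs.vault_addr
      run: echo "VAULT_ADDR=${INPUT_VAULT_ADDR}" >> "${GITHUB_ENV}"
      shell: bash
      env:
        INPUT_VAULT_ADDR: ${{ inputs.vault_addr }}
    # Load Vault token ########################################################
    - if: inputs.vault_token
      run: |
        # Masking is a no-op when the caller passed a secret, and protects the
        # log when the token came from somewhere else (e.g. a step output).
        echo "::add-mask::${INPUT_VAULT_TOKEN}"
        echo "VAULT_TOKEN=${INPUT_VAULT_TOKEN}" >> "${GITHUB_ENV}"
      shell: bash
      env:
        INPUT_VAULT_TOKEN: ${{ inputs.vault_token }}
    # Fetch service account token #############################################
    - run: |
        # Plain assignment (not `echo "$(...)"`) so a failing vault call
        # aborts the step instead of exporting an empty token.
        SERVICE_ACCOUNT_TOKEN="$(vault write -force -field service_account_token "${VAULT_K8S_BACKEND}/creds/${VAULT_K8S_ROLE}")"
        echo "::add-mask::${SERVICE_ACCOUNT_TOKEN}"
        echo "SERVICE_ACCOUNT_TOKEN=${SERVICE_ACCOUNT_TOKEN}" >> "${GITHUB_ENV}"
      shell: bash
      env:
        VAULT_K8S_BACKEND: ${{ inputs.vault_kubernetes_backend }}
        VAULT_K8S_ROLE: ${{ inputs.vault_kubernetes_role }}
    # Fetch kubernetes host ###################################################
    - run: |
        KUBERNETES_HOST="$(vault read -field kubernetes_host "${VAULT_K8S_BACKEND}/config")"
        echo "::add-mask::${KUBERNETES_HOST}"
        echo "KUBERNETES_HOST=${KUBERNETES_HOST}" >> "${GITHUB_ENV}"
      shell: bash
      env:
        VAULT_K8S_BACKEND: ${{ inputs.vault_kubernetes_backend }}
    # Fetch kubernetes CA token ###############################################
    - run: |
        # base64 -w 0 keeps the value on one line, as GITHUB_ENV's NAME=value
        # form requires.
        KUBERNETES_CA_CERT="$(vault read -field kubernetes_ca_cert "${VAULT_K8S_BACKEND}/config" | base64 -w 0)"
        echo "::add-mask::${KUBERNETES_CA_CERT}"
        echo "KUBERNETES_CA_CERT=${KUBERNETES_CA_CERT}" >> "${GITHUB_ENV}"
      shell: bash
      env:
        VAULT_K8S_BACKEND: ${{ inputs.vault_kubernetes_backend }}
    # Generate kubeconfig file ################################################
    - run: |
        # Create the directory and file owner-only from the start, rather
        # than tightening permissions after the token has been written.
        umask 077
        mkdir -p "$(dirname "${KUBECONFIG}")"
        # Redirect instead of `tee -a`: tee copied the rendered kubeconfig,
        # including the service account token, to the job log, and appending
        # to an existing file would duplicate the document.
        # NOTE(review): envsubst expands every ${NAME} present in the
        # template, so a caller-supplied template can embed any exported
        # variable (VAULT_TOKEN included) into the file.
        printf '%s\n' "${KUBECONFIG_TEMPLATE}" | envsubst > "${KUBECONFIG}"
        chmod 0600 "${KUBECONFIG}"
        echo "KUBECONFIG=${KUBECONFIG}" >> "${GITHUB_ENV}"
      shell: bash
      env:
        KUBECONFIG: ${{ github.workspace }}/.kube/config
        KUBECONFIG_TEMPLATE: ${{ inputs.kubeconfig_template }}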