oci-github-actions/.github/workflows/oke-oidc.yml at master · fharris/oci-github-actions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
name: OKE-OIDC

on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

env:
  # Setting an environment variable with the value of a configuration variable
  OCI_CLI_REGION:  ${{ vars.VAR_OCI_CLI_REGION }}
  OKE_CLUSTER_OCID: ${{ vars.VAR_OKE_CLUSTER_OCID }}
  OKE_CLUSTER_API_ENDPOINT: ${{ vars.OKE_CLUSTER_API_ENDPOINT }}

permissions:
  id-token: write # Required to receive OIDC tokens

# This workflow generates a GitHub Actions OIDC token and runs kubectl command in an OKE cluster
jobs:
  oke-oidc:
    runs-on: ubuntu-latest
    steps:
      - name: Create OIDC Token
        id: create-oidc-token
        run: |
          AUDIENCE="oke-kubernetes-cluster"
          OIDC_URL_WITH_AUDIENCE="$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$AUDIENCE"
          IDTOKEN=$(curl \
            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            -H "Accept: application/json; api-version=2.0" \
            "$OIDC_URL_WITH_AUDIENCE" | jq -r .value)
          echo "::add-mask::${IDTOKEN}"
          echo "idToken=${IDTOKEN}" >> $GITHUB_OUTPUT

      - name: Check Permissions in Kubernetes
        run: |
          kubectl \
          --token=${{ steps.create-oidc-token.outputs.IDTOKEN }} \
          --server=$OKE_CLUSTER_API_ENDPOINT \
          --insecure-skip-tls-verify \
          auth can-i --list