🔧 Update required script to deploy to private eks clusters

dinushchathurya · dinushchathurya · commit 3ed9acdbc0df · 2025-06-17T10:12:29.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -8,12 +8,17 @@ ENV KUBECONFIG="/opt/kubernetes/config"
 # ca-certificates: For validating SSL/TLS connections
 # bash: Shell environment
 # git: For cloning Git repositories, potentially private Helm charts
-# gnupg: For verifying signed Helm charts or other secured assets (already present, ensuring it's there)
+# gnupg: For verifying signed Helm charts or other secured assets
 # jq: A lightweight and flexible command-line JSON processor
 # py-pip: Python package installer, used for awscli
-# curl: Tool for transferring data with URL syntax (already present, ensuring it's there)
-# gettext: GNU gettext for internationalization (already present)
+# curl: Tool for transferring data with URL syntax
+# gettext: GNU gettext for internationalization
+# openssh-client: SSH client for bastion host connectivity
+# bind-tools: DNS utilities (nslookup, dig)
+# netcat-openbsd: Network testing utilities
+# timeout: Command timeout utility
 RUN apk add --no-cache ca-certificates bash git gnupg jq py-pip \
+    openssh-client bind-tools netcat-openbsd coreutils \
     && apk add --update -t deps curl gettext \
     && pip install awscli
 
@@ -42,9 +47,11 @@ RUN curl -o aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-aut
 # Clean up APK cache to reduce image size
 RUN rm -rf /var/cache/apk/*
 
-# Create directories for Kubernetes config and Helm, and set appropriate permissions
-# These directories are used for storing configurations and cache
-RUN mkdir -p /opt/kubernetes && chmod a+rwx /opt/kubernetes && mkdir -p /opt/helm && chmod a+rwx /opt/helm
+# Create directories for Kubernetes config, Helm, and SSH
+# Set appropriate permissions for multi-user scenarios
+RUN mkdir -p /opt/kubernetes && chmod a+rwx /opt/kubernetes && \
+    mkdir -p /opt/helm && chmod a+rwx /opt/helm && \
+    mkdir -p /root/.ssh && chmod 700 /root/.ssh
 
 # Set Helm environment variables for cache and config home
 ENV HELM_HOME="/opt/helm"
@@ -61,4 +68,4 @@ ADD . .
 RUN chmod +x entrypoint.sh
 
 # Set the entrypoint for the Docker container
-ENTRYPOINT [ "/entrypoint.sh" ]
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/action.yml b/action.yml
@@ -1,6 +1,6 @@
 # action.yml
 name: 'EKS Helm Client'
-description: 'Helm client to install and upgrade Helm chart on EKS cluster with comprehensive error handling'
+description: 'Helm client to install and upgrade Helm chart on EKS cluster with support for private clusters'
 branding:
   icon: 'upload-cloud'
   color: 'blue'
@@ -11,6 +11,7 @@ inputs:
   args:
     description: 'Commands to execute'
     required: true
+  # AWS Configuration
   aws-access-key-id:
     description: 'AWS Access Key ID'
     required: false
@@ -30,4 +31,23 @@ inputs:
     required: false
   helm-registry-password:
     description: 'Password for Helm registry authentication'
+    required: false
+  # Private Cluster Support
+  bastion-host:
+    description: 'Bastion host IP/hostname for private cluster access'
+    required: false
+  bastion-user:
+    description: 'SSH username for bastion host'
+    required: false
+  ssh-private-key:
+    description: 'SSH private key for bastion host access'
+    required: false
+  http-proxy:
+    description: 'HTTP proxy URL for private cluster access'
+    required: false
+  https-proxy:
+    description: 'HTTPS proxy URL for private cluster access'
+    required: false
+  no-proxy:
+    description: 'Comma-separated list of hosts to bypass proxy'
     required: false
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -21,6 +21,123 @@ log_success() {
 
 echo "--- Pre-flight Checks ---"
 
+# Function to check if cluster is private
+check_cluster_privacy() {
+    local endpoint_config
+    endpoint_config=$(aws eks describe-cluster --region "$REGION_CODE" --name "$CLUSTER_NAME" --query "cluster.resourcesVpcConfig.endpointConfig" --output json 2>/dev/null)
+    
+    if [ $? -ne 0 ]; then
+        return 1
+    fi
+    
+    local public_access=$(echo "$endpoint_config" | jq -r '.publicAccess // true')
+    local private_access=$(echo "$endpoint_config" | jq -r '.privateAccess // false')
+    
+    log_info "Cluster endpoint configuration:"
+    log_info "  - Public access: $public_access"
+    log_info "  - Private access: $private_access"
+    
+    if [ "$public_access" = "false" ] && [ "$private_access" = "true" ]; then
+        log_info "Detected fully private EKS cluster"
+        return 0
+    elif [ "$public_access" = "true" ] && [ "$private_access" = "true" ]; then
+        log_info "Detected EKS cluster with both public and private access"
+        return 1
+    else
+        log_info "Detected public EKS cluster"
+        return 1
+    fi
+}
+
+# Check if we're running in a private network context
+check_private_network_setup() {
+    log_info "Checking private network setup..."
+    
+    # Check if we're running on a self-hosted runner (common for private clusters)
+    if [ -n "$RUNNER_NAME" ] && [ "$RUNNER_NAME" != "GitHub Actions" ]; then
+        log_info "Running on self-hosted runner: $RUNNER_NAME"
+        return 0
+    fi
+    
+    # Check if VPN environment variables are set
+    if [ -n "$VPN_CONFIG" ] || [ -n "$BASTION_HOST" ]; then
+        log_info "VPN or bastion configuration detected"
+        return 0
+    fi
+    
+    # Check for AWS VPC environment (like running in EC2)
+    if curl -s --max-time 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null 2>&1; then
+        log_info "Running in AWS environment (likely EC2 instance)"
+        return 0
+    fi
+    
+    return 1
+}
+
+# Function to test network connectivity to EKS endpoint
+test_eks_connectivity() {
+    local endpoint_url="$1"
+    local host=$(echo "$endpoint_url" | sed 's|https://||' | sed 's|/.*||')
+    
+    log_info "Testing network connectivity to EKS endpoint: $host"
+    
+    # Test DNS resolution
+    if ! nslookup "$host" > /dev/null 2>&1; then
+        log_error "DNS resolution failed for $host"
+        return 1
+    fi
+    
+    # Test TCP connectivity
+    if ! timeout 10 bash -c "</dev/tcp/$host/443" 2>/dev/null; then
+        log_error "TCP connection failed to $host:443"
+        return 1
+    fi
+    
+    log_success "Network connectivity to EKS endpoint verified"
+    return 0
+}
+
+# Function to setup bastion/proxy if configured
+setup_network_proxy() {
+    if [ -n "$BASTION_HOST" ] && [ -n "$BASTION_USER" ]; then
+        log_info "Setting up SSH tunnel through bastion host..."
+        
+        # Check if SSH key is provided
+        if [ -n "$SSH_PRIVATE_KEY" ]; then
+            echo "$SSH_PRIVATE_KEY" > /tmp/ssh_key
+            chmod 600 /tmp/ssh_key
+            SSH_KEY_PARAM="-i /tmp/ssh_key"
+        else
+            SSH_KEY_PARAM=""
+        fi
+        
+        # Start SSH tunnel in background
+        ssh -f -N -L 8443:$CLUSTER_ENDPOINT_HOST:443 \
+            $SSH_KEY_PARAM \
+            -o StrictHostKeyChecking=no \
+            -o UserKnownHostsFile=/dev/null \
+            $BASTION_USER@$BASTION_HOST
+        
+        if [ $? -eq 0 ]; then
+            log_success "SSH tunnel established through bastion"
+            export PROXY_ENDPOINT="https://localhost:8443"
+        else
+            log_error "Failed to establish SSH tunnel through bastion"
+            return 1
+        fi
+    fi
+    
+    # Setup HTTP proxy if configured
+    if [ -n "$HTTP_PROXY" ] || [ -n "$HTTPS_PROXY" ]; then
+        log_info "HTTP proxy configuration detected"
+        export http_proxy="$HTTP_PROXY"
+        export https_proxy="$HTTPS_PROXY"
+        export no_proxy="$NO_PROXY"
+    fi
+    
+    return 0
+}
+
 # Check if required environment variables are set
 log_info "Checking required environment variables..."
 
@@ -68,7 +185,34 @@ if ! aws eks describe-cluster --region "$REGION_CODE" --name "$CLUSTER_NAME" > /
     exit 1
 fi
 
-log_success "EKS cluster is accessible"
+log_success "EKS cluster is accessible via AWS API"
+
+# Check if cluster is private and handle accordingly
+if check_cluster_privacy; then
+    log_info "Private EKS cluster detected - checking network setup..."
+    
+    if ! check_private_network_setup; then
+        log_error "Private EKS cluster requires special network setup!"
+        log_error "For private EKS clusters, you need one of the following:"
+        log_error "  1. Self-hosted GitHub Actions runner in the same VPC"
+        log_error "  2. VPN connection to the cluster's VPC"
+        log_error "  3. Bastion host configuration"
+        log_error "  4. GitHub Actions runner in EC2 with proper networking"
+        log_error ""
+        log_error "Environment variables for private cluster access:"
+        log_error "  - BASTION_HOST: SSH bastion host IP/hostname"
+        log_error "  - BASTION_USER: SSH username for bastion"
+        log_error "  - SSH_PRIVATE_KEY: SSH private key for bastion access"
+        log_error "  - HTTP_PROXY/HTTPS_PROXY: HTTP proxy settings"
+        exit 1
+    fi
+    
+    # Setup network proxy/tunnel if configured
+    if ! setup_network_proxy; then
+        log_error "Failed to setup network connectivity for private cluster"
+        exit 1
+    fi
+fi
 
 echo "--- Configuring AWS EKS Kubeconfig ---"
 
@@ -90,9 +234,27 @@ if [ -z "$ENDPOINT_URL" ] || [ "$ENDPOINT_URL" = "None" ]; then
     exit 1
 fi
 
+# Use proxy endpoint if configured
+if [ -n "$PROXY_ENDPOINT" ]; then
+    log_info "Using proxy endpoint for private cluster access"
+    export ENDPOINT_URL="$PROXY_ENDPOINT"
+fi
+
 log_success "Retrieved EKS cluster configuration"
 log_info "EKS Cluster Endpoint: $ENDPOINT_URL"
 
+# Test network connectivity to the endpoint
+export CLUSTER_ENDPOINT_HOST=$(echo "$ENDPOINT_URL" | sed 's|https://||' | sed 's|/.*||')
+if ! test_eks_connectivity "$ENDPOINT_URL"; then
+    log_error "Cannot establish network connectivity to EKS cluster endpoint"
+    log_error "This is common with private EKS clusters. Please ensure:"
+    log_error "  - You're running from within the cluster's VPC"
+    log_error "  - VPN connection is established"
+    log_error "  - Bastion host/proxy is properly configured"
+    log_error "  - Security groups allow access on port 443"
+    exit 1
+fi
+
 # Generate Kubernetes configuration file (/opt/kubernetes/config)
 log_info "Generating Kubernetes configuration file..."
 if ! cat /config.template | envsubst > /opt/kubernetes/config; then
@@ -111,19 +273,48 @@ log_success "Kubernetes configuration file generated successfully"
 # Ensure KUBECONFIG environment variable is correctly set for subsequent commands
 export KUBECONFIG=/opt/kubernetes/config
 
-# Test kubectl connectivity
+# Test kubectl connectivity with longer timeout for private clusters
 log_info "Testing kubectl connectivity to EKS cluster..."
-if ! kubectl cluster-info --request-timeout=10s > /dev/null 2>&1; then
+kubectl_timeout=30
+if [ -n "$PROXY_ENDPOINT" ] || check_cluster_privacy; then
+    kubectl_timeout=60
+    log_info "Using extended timeout for private cluster connectivity test"
+fi
+
+if ! timeout $kubectl_timeout kubectl cluster-info --request-timeout=30s > /dev/null 2>&1; then
     log_error "Cannot connect to Kubernetes cluster"
     log_error "Please check:"
-    log_error "  - EKS cluster is running"
-    log_error "  - AWS credentials have kubernetes access permissions"
-    log_error "  - Network connectivity to the cluster"
+    log_error "  - EKS cluster is running and healthy"
+    log_error "  - AWS credentials have kubernetes access permissions (eks:DescribeCluster)"
+    log_error "  - Network connectivity to the cluster endpoint"
+    log_error "  - Security groups allow inbound traffic on port 443"
+    log_error "  - RBAC permissions for the AWS user/role"
+    
+    # Additional troubleshooting for private clusters
+    if check_cluster_privacy 2>/dev/null; then
+        log_error ""
+        log_error "Private cluster specific checks:"
+        log_error "  - Runner is in the same VPC as the EKS cluster"
+        log_error "  - VPC has proper DNS resolution enabled"
+        log_error "  - Route tables allow access to the cluster subnets"
+        log_error "  - NAT Gateway/Instance for internet access (if needed)"
+    fi
+    
     exit 1
 fi
 
 log_success "Successfully connected to Kubernetes cluster"
 
+# Test basic kubectl permissions
+log_info "Testing basic kubectl permissions..."
+if kubectl auth can-i get pods --all-namespaces > /dev/null 2>&1; then
+    log_success "Basic kubectl permissions verified"
+else
+    log_error "Limited kubectl permissions detected"
+    log_error "Some operations may fail due to RBAC restrictions"
+    log_error "Ensure your AWS user/role has proper Kubernetes RBAC bindings"
+fi
+
 # Check for Helm registry credentials if any helm registry login commands are present
 log_info "Checking for Helm registry credentials..."
 helm_login_required=false
