From cc64a80ab368ebc327f9a4f949e756181603c620 Mon Sep 17 00:00:00 2001
From: Ruben Di Battista
Date: Sat, 10 Dec 2022 19:43:57 +0100
Subject: [PATCH 1/5] :recycle: refactor: Move to dedicated folder for Github action
---
 action.yml => .github/actions/action.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename action.yml => .github/actions/action.yml (100%)
diff --git a/action.yml b/.github/actions/action.yml
similarity index 100%
rename from action.yml
rename to .github/actions/action.yml
From ebf9886aedcc70cad4caacdf8f6f8ad304fa2aa3 Mon Sep 17 00:00:00 2001
From: Ruben Di Battista
Date: Sat, 10 Dec 2022 22:37:57 +0100
Subject: [PATCH 2/5] :sparkles: feat: Add dockerfile build action
---
 .github/workflows/docker.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/docker.yml
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000..e00d2a9
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,24 @@
+name: ci
+
+on:
+ push:
+ branches:
+ - "main"
+ - "gitlab"
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ - name: Login to Docker Hub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Build and push
+ uses: docker/build-push-action@v3
+ with:
+ push: true
+ tags: rdb91/gitops-pusher:latest
From 241c1ddc878731dd3d4e388852e9899c1e0effc6 Mon Sep 17 00:00:00 2001
From: Ruben Di Battista
Date: Sat, 10 Dec 2022 22:58:49 +0100
Subject: [PATCH 3/5] :sparkles: feat: Add Gitlab import CI YAML
---
 .github/workflows/docker.yml | 2 +-
 .gitlab/tailscale-acls-gitops.yml | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 .gitlab/tailscale-acls-gitops.yml
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index e00d2a9..d195184 100644
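Review bot: No `permissions:` block is declared, so the job runs with the repository's default GITHUB_TOKEN scope although nothing in it needs more than read access; add a top-level `permissions:` block with `contents: read` next to `name: ci`. The three actions are referenced by mutable major tags (`docker/setup-buildx-action@v2`, `docker/login-action@v2`, `docker/build-push-action@v3`), so a retagged release changes what runs while `DOCKERHUB_TOKEN` is in scope; pin each `uses:` to a full commit SHA and keep the version in a trailing comment. The image is published only as `rdb91/gitops-pusher:latest`, a mutable tag that consumers cannot pin to a known build; also publishing `rdb91/gitops-pusher:${{ github.sha }}` under `tags:` gives them an immutable reference.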
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -21,4 +21,4 @@ jobs: uses: docker/build-push-action@v3 with: push: true
- tags: rdb91/gitops-pusher:latest
+ tags: tailscale/gitops-pusher:latest
diff --git a/.gitlab/tailscale-acls-gitops.yml b/.gitlab/tailscale-acls-gitops.yml
new file mode 100644
index 0000000..665a215
--- /dev/null
+++ b/.gitlab/tailscale-acls-gitops.yml
@@ -0,0 +1,15 @@
+image:
+ name: rdb91/gitops-pusher:latest
+ entrypoint: [""]
+
+validate tailscale acls:
+ script:
+ - gitops-pusher --policy-file=${TAILSCALE_POLICY_FILE:-policy.hujson} test
+
+push:
+ needs:
+ - validate tailscale acls
+ script:
+ - gitops-pusher --policy-file=${TAILSCALE_POLICY_FILE:-policy.hujson} apply
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
From 8c7c5671c4622dfd4009bf0a9b9f13478f3589ee Mon Sep 17 00:00:00 2001
From: Ruben Di Battista
Date: Sun, 11 Dec 2022 00:08:58 +0100
Subject: [PATCH 4/5] :memo: docs: Add README info about Gitlab
---
 .gitlab/tailscale-acls-gitops.yml | 2 +-
 README.md | 45 ++++++++++++++++++++++---------
 2 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/.gitlab/tailscale-acls-gitops.yml b/.gitlab/tailscale-acls-gitops.yml
index 665a215..dd77c49 100644
--- a/.gitlab/tailscale-acls-gitops.yml
+++ b/.gitlab/tailscale-acls-gitops.yml
@@ -6,7 +6,7 @@ validate tailscale acls: script: - gitops-pusher --policy-file=${TAILSCALE_POLICY_FILE:-policy.hujson} test
-push:
+push tailscale policy:
 needs: - validate tailscale acls script:
diff --git a/README.md b/README.md
index 5baea78..8331d20 100644
--- a/README.md
+++ b/README.md
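Review bot: `image.name` pulls `rdb91/gitops-pusher:latest`, a mutable tag in a personal Docker Hub namespace, and every project that includes this file runs whatever that tag currently points at with its Tailscale API key in the environment; pin the image by digest, `name: rdb91/gitops-pusher@sha256:<digest of the published image>`, and move the digest deliberately when the image is rebuilt. The file does not document which CI/CD variables the jobs need, so a comment above `image:` along the lines of `# Requires the CI/CD variables TS_TAILNET and TS_API_KEY; mark them masked and protected so only pipelines on protected branches can read them.` would help (those names are the ones the README change in the fourth patch of this series lists; the variable names the `gitops-pusher` binary itself reads are not visible in this diff). `validate tailscale acls` has no `rules:` and so runs in every pipeline, including merge-request ones, which looks intended since it only runs `test`.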
@@ -1,19 +1,21 @@
-# GitHub Action to Sync Tailscale ACLs
+# CI/CD config files to Sync Tailscale ACLs
-This GitHub action lets you manage your [tailnet policy file](https://tailscale.com/kb/1018/acls/) using a
+These configuration files let you manage your [tailnet policy file](https://tailscale.com/kb/1018/acls/) using a
 [GitOps](https://about.gitlab.com/topics/gitops/) workflow. With this GitHub action you can automatically manage your tailnet policy file using a git repository
-as your source of truth.
+as your source of truth.
-## Inputs
+## Github Action
-### `tailnet`
+### Inputs
+
+#### `tailnet`
 **Required** The name of your tailnet. You can find it by opening [the admin panel](https://login.tailscale.com/admin) and copying down the name next to the Tailscale logo in the upper left hand corner of the page.
-### `api-key`
+#### `api-key`
 **Required** An API key authorized for your tailnet. You can get one [in the admin panel](https://login.tailscale.com/admin/settings/keys).
@@ -21,12 +23,12 @@ admin panel](https://login.tailscale.com/admin/settings/keys). Please note that API keys will expire in 90 days. Set up a monthly event to rotate your Tailscale API key.
-### `policy-file`
+#### `policy-file`
 **Optional** The path to your policy file in the repository. If not set this defaults to `policy.hujson` in the root of your repository.
-### `action`
+#### `action`
 **Required** One of `test` or `apply`. If you set `test`, the action will run ACL tests and not update the ACLs in Tailscale. If you set `apply`, the action
@@ -34,7 +36,7 @@ will run ACL tests and then update the ACLs in Tailscale. This enables you to use pull requests to make changes with CI stopping you from pushing a bad change out to production.
-## Getting Started
+### Getting Started
 Set up a new GitHub repository that will contain your tailnet policy file. Open the [Access Controls page of the admin console](https://login.tailscale.com/admin/acls) and copy your policy file to a file in that repo called `policy.hujson`.
@@ -49,9 +51,9 @@ name: Sync Tailscale ACLs on: push:
- branches: [ "main" ]
+ branches: ["main"]
 pull_request:
- branches: [ "main" ]
+ branches: ["main"]
 jobs: acls:
@@ -87,6 +89,23 @@ jobs: action: test ```
+## Gitlab CI
+
+You can include the YAML file contained in this repository:
+
+```yaml
+include:
+ - remote: "https://raw.githubusercontent.com/tailscale/gitops-acl-action/gitlab/.gitlab/tailscale-acls-gitops.yml"
+```
+
+This will generate two jobs. The first one (`validate tailscale acls`) tests the validity of the ACLs policy file (by default `policy.hujson`, but can be overridden by the env variable `TAILSCALE_POLICY_FILE`). It does it for every push. The next one (`push tailscale policy`) pushes the policies upstream.
+
+You can check this example project for future information: [tailscale-gitops-gitlab-example](https://gitlab.com/rdb-is/devops/tailscale-gitops-gitlab-example).
+
+You'll need to set the [CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-project) `TS_TAILNET` and `TS_API_KEY`.
+
+## Generate the required API keys
+
 Generate a new API key [here](https://login.tailscale.com/admin/settings/keys). Set a monthly calendar reminder to renew this key because Tailscale does not
@@ -95,8 +114,8 @@ that feature is implemented). Then open the secrets settings for your repo and add two secrets:
-* `TS_API_KEY`: Your Tailscale API key from the earlier step
-* `TS_TAILNET`: Your tailnet's name (it's next to the logo on the upper
+- `TS_API_KEY`: Your Tailscale API key from the earlier step
+- `TS_TAILNET`: Your tailnet's name (it's next to the logo on the upper
 left-hand corner of the [admin panel](https://login.tailscale.com/admin/machines))
From 488cc0d5624d4e4749580810ef1232faf391e636 Mon Sep 17 00:00:00 2001
From: Ruben Di Battista
Date: Sun, 11 Dec 2022 00:31:58 +0100
Subject: [PATCH 5/5] :fire: refactor: Remove `gitlab` branch from ci action
---
 .github/workflows/docker.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index d195184..9da47dc 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -4,7 +4,6 @@ on: push: branches: - "main"
- - "gitlab"
 jobs: docker: