Skip to content

Kustomizer GitHub Actions

You can use Kustomizer to push artifacts to container registries and deploy to Kubernetes from your GitHub workflows.

Usage

To run Kustomizer commands on GitHub Linux runners, add the following steps to your GitHub workflow:

    steps:
      - name: Setup Kustomizer CLI
        uses: stefanprodan/kustomizer/action@main
        with:
          version: 2.0.0 # defaults to latest
          arch: amd64 # can be amd64 or arm64
      - name: Run Kustomizer commands
        run: kustomizer -v

Publish artifacts to GHCR

Example of publishing OCI artifacts to GitHub Container Registry:

name: publish
on:
  push:
    tag:
      - 'v*'

env:
  ARTIFACT: oci://ghcr.io/${{github.repository_owner}}/${{github.event.repository.name}}

jobs:
  kustomizer:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Setup kustomizer
        uses: stefanprodan/kustomizer/action@main
      - name: Push
        run: |
          kustomizer push artifact ${ARTIFACT}:${{ github.ref_name }} -f ./deploy \
            --source=${{ github.repositoryUrl }} \
            --revision="${{ github.ref_name }}/${{ github.sha }}"
      - name: Tag latest
        run: |
          kustomizer tag artifact ${ARTIFACT}:${GITHUB_REF_NAME} latest

Publish signed artifacts

Example of publishing signed artifacts using cosgin keyless signatures and GitHub OIDC:

name: publish
on:
  push:
    tag:
      - 'v*'

permissions:
  contents: read # needed for checkout
  id-token: write # needed for keyless signing
  packages: write # needed for GHCR access

env:
  ARTIFACT: oci://ghcr.io/${{github.repository_owner}}/${{github.event.repository.name}}

jobs:
  kustomizer:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup cosign
        uses: sigstore/cosign-installer@main
      - name: Setup kustomizer
        uses: stefanprodan/kustomizer/action@main
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push and sign
        run: |
          kustomizer push artifact ${ARTIFACT}:${GITHUB_REF_NAME} -f ./deploy --sign \
            --source=${{ github.repositoryUrl }} \
            --revision="${{ github.ref_name }}/${{ github.sha }}"
      - name: Tag latest
        run: |
          kustomizer tag artifact ${ARTIFACT}:${GITHUB_REF_NAME} latest

Deploy to Kubernetes from GHCR

Example of applying Kubernetes manifests from an OCI artifact:

name: deploy
on:
  workflow_dispatch:
    inputs:
      name:
        description: 'Tag to deploy'
        required: true
        default: 'latest'

env:
  ARTIFACT: oci://ghcr.io/${{github.repository_owner}}/${{github.event.repository.name}}

jobs:
  kustomizer:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup kubeconfig
        uses: azure/k8s-set-context@v1
        with:
          kubeconfig: ${{ secrets.KUBE_CONFIG }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Setup cosign
        uses: sigstore/cosign-installer@main
      - name: Setup kustomizer
        uses: stefanprodan/kustomizer/action@main
      - name: Verify signature
        run: |
          kustomizer inspect artifact ${ARTIFACT}:${{ github.event.inputs.name }} --verify
      - name: Deploy
        run: |
          kustomizer apply inventory ${{ github.event.repository.name }} \
            --artifact ${ARTIFACT}:${{ github.event.inputs.name }} \
            --prune --wait

Deploy to Kubernetes from Git

Example of applying Kubernetes manifests from a Git repository:

name: deploy
on:
  push:
    branches:
      - 'main'

jobs:
  kustomizer:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup kubeconfig
        uses: azure/k8s-set-context@v1
        with:
          kubeconfig: ${{ secrets.KUBE_CONFIG }}
      - name: Setup kustomizer
        uses: stefanprodan/kustomizer/action@main
      - name: Diff
        run: |
          kustomizer diff inventory ${{ github.event.repository.name }} \
            -f ./deploy --prune
      - name: Deploy
        run: |
          kustomizer apply inventory ${{ github.event.repository.name }} \
            --source=${{ github.event.repository.html_url }} \
            --revision=${{ github.sha }} \
            -f ./deploy --prune --wait