If you want a single external integration to have push access to *all* projects, you don't need a service account in every namespace. You can create a single service account, and grant that service account push access to all namespaces.

    oc create serviceaccount external-jenkins -n myns
    oadm policy add-cluster-role-to-user system:image-builder system:serviceaccount:myns:external-jenkins
    oc sa get-token external-jenkins -n myns

That service account would then have push/pull access to *every* namespace on the cluster. Note that the service account and its credentials should live in a closely guarded project.

On Tue, Jul 19, 2016 at 9:12 AM, Lorenz Vanthillo <[email protected]> wrote:

> Hi,
>
> We have an external jenkins which is pushing images in our OpenShift
> Registry.
> So in jenkins we perform:
>
> docker login -u user \
>   -p token registry.xxx.xxx
>
> How do we obtain this token?
> Well, for every project we perform these steps:
>
> $ oc new-project test-push
> $ oc create serviceaccount pusher
> $ oc policy add-role-to-user system:image-builder system:serviceaccount:test-push:pusher
> $ oc describe sa pusher
> Name: pusher
> Namespace: pushed
> Labels: <none>
>
> Mountable secrets: pusher-token-fxg2k
>                    pusher-dockercfg-vwddo
>
> *Tokens: pusher-token-98rix*
> *        pusher-token-fxg2k*
>
> $ oc describe secret pusher-token-98rix
>
> And copy the token part. We use this token to authenticate on our registry in
> Jenkins.
>
> *token:*
> *eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MixxxlYVz8LYsNpkd1PGQGE5Jtegnr5GoFDk5wKxzA7GT1zXt2vVg*
>
> Inspired by this blog:
> https://blog.openshift.com/remotely-push-pull-container-images-openshift/
>
> But now we have the following question:
> Is there a way to create a global service account which is automatically
> generated when we create a new project? (so that we have 4 default sa).
> And this service account has automatically a pusher-token which is always the
> same?
>
> So that every login via Jenkins can use the same token (no unique token for
> each openshift project).
>
> Thanks in advance
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
