As Clayton wrote:

- create a service account [1]
- get its token: oc sa get-token <serviceaccount name>
- log in with the token from your script: oc login --token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

You can use a vault and have your script retrieve the token from it but that's outside the scope of OpenShift.
[1] https://docs.openshift.org/latest/dev_guide/service_accounts.html

On Tue, Dec 6, 2016 at 9:59 AM, Den Cowboy <[email protected]> wrote:

> We're executing our prune commands with:
>
> oadm prune images --keep-tag-revisions=20 --certificate-authority=/etc/docker/certs.d/service-ip-registy:5000/ca.crt --registry-url=my-registry.dev --confirm
>
> The real problem for our cron-jobs is the authentication on openshift
> itself (before we can execute oadm). Do we really need to put oc login -u
> myuser .. + define the passwd hardcoded in our cronjob?
> ------------------------------
> *From:* Clayton Coleman <[email protected]>
> *Sent:* Monday, December 5, 2016 20:38:49
> *To:* Srinivas Naga Kotaru (skotaru)
> *CC:* Den Cowboy; [email protected]
> *Subject:* Re: authentication for oadm prune in cron job
>
> Prune has to connect to your registry server directly to delete blobs, and
> the registry does not support certificate based auth. The most consistent
> path would be to use a service account that had the appropriate permissions
> and get its token with "oc serviceaccounts get-token".
>
> On Mon, Dec 5, 2016 at 3:08 PM, Srinivas Naga Kotaru (skotaru) <
> [email protected]> wrote:
>
>> Am also interested to know the answer.
>>
>> Am thinking we don’t need token for oadm command since it doesn’t use
>> tokens or oauth based authentication. Since it is installed with root
>> privileges, we are using sudo oadm command to execute commands.
>>
>> # sudo oadm prune builds --orphans --confirm
>>
>> NAMESPACE NAME
>> java-hello-universe os-sample-java-web-1
>> upgrade upgrade-1
>> sujchinncae-test django-1
>>
>> We’re not running internal registry for builds. Am not sure we still need
>> to run prune operations in this scenario.
>>
>> --
>> *Srinivas Kotaru*
>>
>> *From: *<[email protected]> on behalf of Den Cowboy <[email protected]>
>> *Date: *Monday, December 5, 2016 at 12:37 AM
>> *To: *"[email protected]" <[email protected].com>
>> *Subject: *authentication for oadm prune in cron job
>>
>> We are able to delete old deployments + old images (also inside the
>> registry) with our oadm prune commands.
>> We want to put this in cronjobs. But to perform oadm commands we need to
>> be authenticated. Which is the best way to authenticate in a cron job?
>>
>> At the moment we have 1 admin account (with cluster-admin permissions) +
>> we have the system:admin account.
>>
>> Do we need a new account (or service account) for our cronjobs and which
>> permission would we need?
>>
>> Thanks
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

--
*Frédéric Giloux*
Senior Middleware Consultant
Red Hat GmbH
MesseTurm, Friedrich-Ebert-Anlage 49, 60308 Frankfurt am Main
Mobile: +49 (0) 174 1724661 <callto:00491741724661>
E-Mail: [email protected], http://www.redhat.de/

Delivering value year after year
Red Hat ranks # 1 in value among software vendors
http://www.redhat.com/promo/vendor/

Freedom...Courage...Commitment...Accountability
________________________________________________________________________
Red Hat GmbH, http://www.de.redhat.com/
Registered office: Grasbrunn, Commercial register: Amtsgericht München, HRB 153243
Managing directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
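The steps at the top of this thread (service account, token, token login from the script), sketched as a cron wrapper. This is an added example, not code from the thread: the service account name, project, token file path and API URL are assumptions, and the system:image-pruner grant comes from OpenShift's pruning documentation rather than from these messages.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: service account
# "pruner", project "infra-jobs", TOKEN_FILE path, API_URL.
#
# One-time setup, run by a cluster admin:
#   oc create serviceaccount pruner -n infra-jobs
#   oadm policy add-cluster-role-to-user system:image-pruner \
#       system:serviceaccount:infra-jobs:pruner
#   (umask 077; oc sa get-token pruner -n infra-jobs > "$TOKEN_FILE")

TOKEN_FILE="${TOKEN_FILE:-/etc/openshift-pruner/token}"  # hypothetical path
API_URL="${API_URL:-https://master.example.com:8443}"    # placeholder URL

# The token is a bearer credential: reject a file that is missing, empty,
# a symlink, or accessible to group/other. Uses GNU stat (-c).
check_token_file() {
    ctf_file="$1"
    if [ ! -f "$ctf_file" ] || [ -L "$ctf_file" ] || [ ! -s "$ctf_file" ]; then
        echo "token file missing, empty or a symlink: $ctf_file" >&2
        return 1
    fi
    ctf_mode=$(stat -c '%a' "$ctf_file") || return 1
    case "$ctf_mode" in
        400|600) return 0 ;;
    esac
    echo "token file $ctf_file has mode $ctf_mode, expected 400 or 600" >&2
    return 1
}

# Log in with the token and prune; extra arguments (--registry-url=...,
# --certificate-authority=...) are passed through to oadm.
run_prune() {
    check_token_file "$TOKEN_FILE" || return 1
    # Throwaway kubeconfig so the session never lands in ~/.kube/config.
    rp_dir=$(mktemp -d) || return 1
    rp_rc=0
    # Caveat: --token is visible in the process list while oc login runs.
    KUBECONFIG="$rp_dir/config" oc login "$API_URL" \
        --token="$(cat "$TOKEN_FILE")" >/dev/null &&
    KUBECONFIG="$rp_dir/config" oadm prune images \
        --keep-tag-revisions=20 --confirm "$@" || rp_rc=$?
    rm -rf "$rp_dir"
    return "$rp_rc"
}

# Cron entry (constructed): 30 2 * * * /usr/local/sbin/prune-images.sh --run
if [ "${1:-}" = "--run" ]; then
    shift
    run_prune "$@"
fi
```

The role grant covers image pruning only; the account has no password to hardcode, and deleting the service account revokes the token.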
