Pruner image is the easiest way to do it, because the pod inherits those credentials automatically.
On Dec 6, 2016, at 5:52 AM, Diego Castro <[email protected]> wrote:

Hello, you can take a look at our pruner image [1]; all you have to do is set the cronjob to start the pod.

1. https://github.com/getupcloud/imagepruner

---
Diego Castro / The CloudFather
GetupCloud.com - Eliminamos a Gravidade

2016-12-06 6:39 GMT-03:00 Frederic Giloux <[email protected]>:

> as Clayton wrote:
> - create a service account [1]
> - get its token: oc sa get-token <serviceaccount name>
> - log in with the token from your script: oc login --token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
> You can use a vault and have your script retrieve the token from it but
> that's outside the scope of OpenShift.
>
> [1] https://docs.openshift.org/latest/dev_guide/service_accounts.html
>
> On Tue, Dec 6, 2016 at 9:59 AM, Den Cowboy <[email protected]> wrote:
>
>> We're executing our prune commands with:
>>
>> oadm prune images --keep-tag-revisions=20 --certificate-authority=/etc/docker/certs.d/service-ip-registy:5000/ca.crt --registry-url=my-registry.dev --confirm
>>
>> The real problem for our cron jobs is the authentication on OpenShift
>> itself (before we can execute oadm). Do we really need to put oc login -u
>> myuser .. + define the password hardcoded in our cronjob?
>> ------------------------------
>> *From:* Clayton Coleman <[email protected]>
>> *Sent:* Monday, December 5, 2016 20:38:49
>> *To:* Srinivas Naga Kotaru (skotaru)
>> *CC:* Den Cowboy; [email protected]
>> *Subject:* Re: authentication for oadm prune in cron job
>>
>> Prune has to connect to your registry server directly to delete blobs,
>> and the registry does not support certificate based auth. The most
>> consistent path would be to use a service account that had the appropriate
>> permissions and get its token with "oc serviceaccounts get-token".
>>
>> On Mon, Dec 5, 2016 at 3:08 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
>>
>>> Am also interested to know the answer.
>>>
>>> Am thinking we don't need a token for the oadm command since it doesn't use
>>> tokens or OAuth-based authentication. Since it is installed with root
>>> privileges, we are using the sudo oadm command to execute commands.
>>>
>>> # sudo oadm prune builds --orphans --confirm
>>> NAMESPACE             NAME
>>> java-hello-universe   os-sample-java-web-1
>>> upgrade               upgrade-1
>>> sujchinncae-test      django-1
>>>
>>> We're not running an internal registry for builds. Am not sure we still
>>> need to run prune operations in this scenario.
>>>
>>> --
>>> *Srinivas Kotaru*
>>>
>>> *From:* <[email protected]> on behalf of Den Cowboy <[email protected]>
>>> *Date:* Monday, December 5, 2016 at 12:37 AM
>>> *To:* "[email protected]" <[email protected]>
>>> *Subject:* authentication for oadm prune in cron job
>>>
>>> We are able to delete old deployments + old images (also inside the
>>> registry) with our oadm prune commands.
>>> We want to put this in cronjobs. But to perform oadm commands we need to
>>> be authenticated. Which is the best way to authenticate in a cron job?
>>>
>>> At the moment we have 1 admin account (with cluster-admin permissions) +
>>> we have the system:admin account.
>>>
>>> Do we need a new account (or service account) for our cronjobs and which
>>> permission would we need?
>>>
>>> Thanks
>
> --
> *Frédéric Giloux*
> Senior Middleware Consultant
> Red Hat GmbH

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
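The service-account login described in the thread, written as a cron wrapper. This is an added example, not code posted by anyone in the thread; the token file path, API URL, variable names and cron line are assumptions, and the permission check relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: cron wrapper that logs in with a service-account token
# instead of a hardcoded user/password. Paths and URL below are assumed.
TOKEN_FILE="${TOKEN_FILE:-/etc/origin/pruner/token}"   # hypothetical location
API_URL="${API_URL:-https://master.example.com:8443}"  # placeholder API URL
OC="${OC:-oc}"
OADM="${OADM:-oadm}"

# Refuse a token file that is missing, empty, or readable by group/other.
check_token_file() {
    [ -f "$1" ] && [ -s "$1" ] || {
        echo "token file missing or empty: $1" >&2
        return 1
    }
    case "$(stat -c %a "$1")" in          # GNU stat: octal mode
        600|400) return 0 ;;
        *) echo "token file must be mode 600 or 400: $1" >&2; return 1 ;;
    esac
}

# Log in into a throwaway kubeconfig, prune, then delete the kubeconfig so
# the token is not left behind in root's ~/.kube/config.
run_prune() {
    check_token_file "$TOKEN_FILE" || return 1
    tmpdir="$(mktemp -d)" || return 1
    KUBECONFIG="$tmpdir/config"
    export KUBECONFIG
    rc=0
    "$OC" login "$API_URL" --token="$(cat "$TOKEN_FILE")" >/dev/null \
        && "$OADM" prune images --keep-tag-revisions=20 --confirm \
        || rc=$?
    rm -rf "$tmpdir"
    unset KUBECONFIG
    return "$rc"
}

# Assumed cron entry: 0 3 * * * RUN_PRUNE=1 /usr/local/bin/prune-images.sh
if [ "${RUN_PRUNE:-0}" = 1 ]; then
    run_prune
fi
```

The service account still needs a role that allows pruning; OpenShift 3 ships the `system:image-pruner` cluster role for that, which the thread does not mention. The token is briefly visible in the process list while `oc login` runs, so keep the job on a host where only administrators have shell access.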
