Thanks for the reply!
My response is inline as well.
On 30.11.2018 00:51, Ben Parees wrote:
On Thu, Nov 29, 2018 at 5:34 PM Dan Pungă <[email protected]
<mailto:[email protected]>> wrote:
Hello all,
The short version/question would be: How can I use a custom
ServiceAccount with a BuildConfig?
you can choose the SA used by the build via:
buildconfig.spec.serviceAccount
But I don't think this will help you.
It appears the build Pod doesn't have the serviceAcoount's token
mounted
at the location:
cat: /var/run/secrets/kubernetes.io/serviceaccount/token
<http://kubernetes.io/serviceaccount/token>: No such file
or directory
how are you running the cat command?
In general users cannot get into/manipulate the build pod. If you're
executing that from within your build logic, then it's going to run
inside your build container (ie where your application is constructd)
which does not have the builder service account available, it's not
the same as the build pod itself which would have the service account
token mounted.
It sounds like you might want to use build secrets to make a
credential available to your build logic:
https://docs.okd.io/latest/dev_guide/builds/build_inputs.html#using-secrets-during-build
I'm running the command as a postCommit hook/script. So, if I understand
it right, it should be a temporary pod that runs the image that was just
build.
The actual BuildConfig holds:
spec:
....
postCommit:
command:
- /bin/bash
- '-c'
- $HOME/scripts/checkAndCreateConf.sh
serviceAccount: manager
I was expecting the same behaviour as with a container defined in a
DeploymentConfig/Job/CronJob where the serviceAccount's token is mounted
in /var/run/secrets/kubernetes.io/serviceaccount/token
<http://kubernetes.io/serviceaccount/token>
So I don't use it during the actual build process and I can't configure
it as a build input because I can't reference the secret by name in a
consistent way. OKD creates the secrets for SAs with some appended
random 5 characters....manager-token-xxxxx
Thank you!
Longer version:
I'm trying to create Openshift resources from within a Pod.
The starting point is the app - that needs to be deployed - which
holds
an "unknown" number of configurations/customers that need to run on
their own containers. So for each of them I need a set of resources
created inside an Openshift/OKD project; mainly a deploymentConfig
and a
service that exposes the runtime ports.
I can build the application for all the customers and the build is
also
triggered by a repository hook. So each time a build is done, it is
certain that the image pushed to the stream holds app-builds for all
those customers.
What I've done so far is to make use of a custom ServiceAccount
with a
custom project role given to it and a Template that defines the
DeploymentConfig, Service, etc in parameterized form. The idea being
that I would run a pod, using the ServiceAccount, on a image that
holds
the built application, authenticate via token to the OKD API and,
based
on some logic, it would discover the customers that don't have the
needed resources and create those from the template with specific
parameter values.
I've tried using a Job, only to realize that it has "run once"
behaviour. So I cannot use the triggering mechanism.
I've also tried using a CronJob, and i'll probably use it if
there's no
other way to achieve the goal. I'd rather have this work by way of
notification and not by "polling".
I've tried using the postCommit hook and call my scripted logic after
the build is done, but I get the error about the unfound token. I
also
think I'll need to extend the custom role of the service account
so it
also has the rights of the builder SA.
_______________________________________________
users mailing list
[email protected]
<mailto:[email protected]>
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
--
Ben Parees | OpenShift
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
