[英]Create secret for Gcp service accont using Yaml in Kubernetes
I am trying to create a Kubernetes secret for the IAM service account of GCP from the download file which has the following structure我正在尝试从具有以下结构的下载文件中为 GCP 的 IAM 服务帐户创建一个 Kubernetes 密钥
secret.yaml秘密.yaml
apiVersion: v1
kind: Secret
metadata:
name: gcp-secret
namespace: tekton-pipelines
type: kubernetes.io/opaque
stringData:
gcs-config: |
{
"type": "service_account",
"project_id": "fetebird-350310",
"private_key_id": "5566b5e81ce3cb9530659be6c70e07a36dcbd581",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvww2VjXHj9/7gQ8ZWs/OaQKBgQDDHqb2rG4b5wGMDeeW\nuNTofm7xfC9yAHBm4Rug6hXpYSy36LUrpe0agZqzcLpH2G4xTarQyx76sPXVCpGc\nyFAQ6Jvj1kqM2pHJlGg+L1kX1mZ96jOyyZ2mxPV3r837q90w4CqT2rLKTF9VgWre\nSD6P7h2JbJ46Xzu4Mp72wSxSCg==\n-----END PRIVATE KEY-----\n",
"client_email": "ssss@ssss-350310.iam.gserviceaccount.com",
"client_id": "sssssssss",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/fetebird%40fetebird-350310.iam.gserviceaccount.com"
}
Run the below command, it does create a secret, However, the authentication is not working via the service account运行以下命令,它确实创建了一个秘密,但是,身份验证无法通过服务帐户进行
kubectl apply --filename secret.yaml
service-account.yaml服务帐户.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: git-service-account
secrets:
- name: git-ssh-auth
- name: gcp-secret
Pipeline-run流水线运行
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: run-pipeline
namespace: tekton-pipelines
spec:
serviceAccountNames:
- taskName: clone-repository
serviceAccountName: git-service-account
- taskName: build
serviceAccountName: gcp-service-account
pipelineRef:
name: fetebird-discount
workspaces:
- name: shared-workspace
persistentVolumeClaim:
claimName: fetebird-discount-pvc
params:
- name: repo-url
value: git@bitbucket.org:anandjaisy/discount.git
The way I am creating secret from secret.yaml is correct?我从 secret.yaml 创建秘密的方式正确吗?
That service account has these permissions该服务帐户具有这些权限
Getting error on tekton pipeline as在 tekton 管道上出现错误
If I provide public access to the artifact registry, it works.如果我提供对工件注册表的公共访问权限,它就可以工作。 Somehow the permission are not working for me, not sure how to resolve this不知何故,权限对我不起作用,不知道如何解决这个问题
You may try this:你可以试试这个:
apiVersion: v1
kind: ServiceAccount
metadata:
name: git-service-account
secrets:
- name: git-ssh-auth
- name: pubsub-key
- name: gcp-secret
You did not add the secret to the list of secrets in the serviceaccount.您没有将机密添加到服务帐户中的机密列表中。
Can you try the following?你可以试试下面的吗? And please try to merge all the secrets in the single service account.请尝试合并单个服务帐户中的所有机密。
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: run-pipeline
namespace: tekton-pipelines
spec:
serviceAccountName: git-service-account
pipelineRef:
name: fetebird-discount
workspaces:
- name: shared-workspace
persistentVolumeClaim:
claimName: fetebird-discount-pvc
params:
- name: repo-url
value: git@bitbucket.org:anandjaisy/discount.git
There is one another suggestion i could try here.我可以在这里尝试另一个建议。 Did you include the annotation like suggested here?您是否包含此处建议的注释?
https://tekton.dev/docs/pipelines/auth/#configuring-ssh-auth-authentication-for-git https://tekton.dev/docs/pipelines/auth/#configuring-ssh-auth-authentication-for-git
apiVersion: v1
kind: Secret
metadata:
name: ssh-key
annotations:
tekton.dev/git-0: github.com # Described below
type: kubernetes.io/ssh-auth
stringData:
ssh-privatekey: <private-key>
# This is non-standard, but its use is encouraged to make this more secure.
# If it is not provided then the git server's public key will be requested
# when the repo is first fetched.
known_hosts: <known-hosts>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.