
Create secret for GCP service account using YAML in Kubernetes

I am trying to create a Kubernetes secret for the IAM service account of GCP from the downloaded key file, which has the following structure:

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: gcp-secret
  namespace: tekton-pipelines
# Opaque is the built-in type for arbitrary data; "kubernetes.io/opaque" is not one of
# the standard type names (the API accepts unknown strings but does not validate them).
type: Opaque
stringData:
  # Literal block scalar: every line of the JSON, including the closing brace,
  # must be indented at least as far as the opening brace.
  gcs-config: |
    {
      "type": "service_account",
      "project_id": "fetebird-350310",
      "private_key_id": "5566b5e81ce3cb9530659be6c70e07a36dcbd581",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvww2VjXHj9/7gQ8ZWs/OaQKBgQDDHqb2rG4b5wGMDeeW\nuNTofm7xfC9yAHBm4Rug6hXpYSy36LUrpe0agZqzcLpH2G4xTarQyx76sPXVCpGc\nyFAQ6Jvj1kqM2pHJlGg+L1kX1mZ96jOyyZ2mxPV3r837q90w4CqT2rLKTF9VgWre\nSD6P7h2JbJ46Xzu4Mp72wSxSCg==\n-----END PRIVATE KEY-----\n",
      "client_email": "ssss@ssss-350310.iam.gserviceaccount.com",
      "client_id": "sssssssss",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/fetebird%40fetebird-350310.iam.gserviceaccount.com"
    }

Running the command below does create a secret; however, authentication via the service account is not working.

kubectl apply --filename secret.yaml

service-account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-service-account
secrets:
  - name: git-ssh-auth
  - name: gcp-secret

Pipeline run

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: run-pipeline
  namespace: tekton-pipelines
spec:
  serviceAccountNames:
    - taskName: clone-repository
      serviceAccountName: git-service-account
    - taskName: build
      serviceAccountName: gcp-service-account
  pipelineRef:
    name: fetebird-discount
  workspaces:
    - name: shared-workspace
      persistentVolumeClaim:
        claimName: fetebird-discount-pvc
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/discount.git

Is the way I am creating the secret from secret.yaml correct?

That service account has these permissions:

(image: the service account's permissions)

I am getting the following error on the Tekton pipeline:

(image: the Tekton pipeline error)

If I grant public access to the Artifact Registry, it works. Somehow the permissions are not working for me, and I am not sure how to resolve this.

You may try this:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: git-service-account
secrets:
  - name: git-ssh-auth
  - name: pubsub-key
  - name: gcp-secret

You did not add the secret to the list of secrets in the ServiceAccount.

Can you try the following? And please try to merge all the secrets into a single service account.

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: run-pipeline
  namespace: tekton-pipelines
spec:
  serviceAccountName: git-service-account
  pipelineRef:
    name: fetebird-discount
  workspaces:
    - name: shared-workspace
      persistentVolumeClaim:
        claimName: fetebird-discount-pvc
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/discount.git

There is another suggestion I could try here. Did you include the annotation as suggested here?

https://tekton.dev/docs/pipelines/auth/#configuring-ssh-auth-authentication-for-git

apiVersion: v1
kind: Secret
metadata:
  name: ssh-key
  annotations:
    tekton.dev/git-0: github.com # Described below
type: kubernetes.io/ssh-auth
stringData:
  ssh-privatekey: <private-key>
  # This is non-standard, but its use is encouraged to make this more secure.
  # If it is not provided then the git server's public key will be requested
  # when the repo is first fetched.
  known_hosts: <known-hosts>
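The question above asks whether building the secret by hand in YAML is correct, and the last answer points at Tekton's secret annotations as the mechanism that makes a credential usable from a task. As an added example (not code from the question, the answers or the Tekton project), the Python below renders two manifests from a service-account key file: a plain Opaque secret that carries the key file base64-encoded under `data`, so the multi-line private key never has to survive YAML block-scalar indentation, and a `kubernetes.io/basic-auth` secret annotated `tekton.dev/docker-0`, which is the shape Tekton's credential initialisation consumes for Docker registries; GCR and Artifact Registry accept a JSON key as the password with the fixed username `_json_key`. Manifests are emitted as JSON, which `kubectl apply -f` accepts anywhere it accepts YAML. The sample key file, the `example-project-350310` project, the `builder@...` address, the secret names and the `europe-west1-docker.pkg.dev` registry host are constructed placeholders; the private key is not a real key.

```python
"""Render Kubernetes Secret manifests from a GCP service-account key file.

Added example, not code from the original page. Assumed names are marked
inline. Output is JSON so `kubectl apply -f` can consume it without any
YAML quoting or indentation pitfalls around the multi-line private key.
"""
import base64
import json

# Fields every downloaded service-account key file carries.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# Constructed sample key file (placeholder project, address and key material).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project-350310",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQ-placeholder-not-a-real-key\n-----END PRIVATE KEY-----\n",
    "client_email": "builder@example-project-350310.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "builder%40example-project-350310.iam.gserviceaccount.com",
})


def validate_key(key_json: str) -> dict:
    """Parse the key file and reject anything that is not a usable service-account key."""
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        # An `authorized_user` file (gcloud user login) is not a service-account key.
        raise ValueError(f"unexpected key type {key['type']!r}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    if not key["client_email"].endswith(".iam.gserviceaccount.com"):
        raise ValueError("client_email is not a service-account address")
    return key


def is_valid_key(key_json: str) -> bool:
    """Boolean form of validate_key for callers that only need a yes/no."""
    try:
        validate_key(key_json)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def opaque_secret(key_json: str, name: str, namespace: str, file_key: str = "gcs-config") -> dict:
    """Secret holding the raw key file under one key, for mounting as a file
    and pointing GOOGLE_APPLICATION_CREDENTIALS at the mounted path."""
    validate_key(key_json)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        # `data` is base64: the private key's newlines never touch YAML syntax.
        "data": {file_key: base64.b64encode(key_json.encode()).decode()},
    }


def tekton_docker_secret(key_json: str, name: str, namespace: str, registry: str) -> dict:
    """basic-auth Secret with the tekton.dev/docker-0 annotation; Tekton's
    credential initialisation turns it into a Docker config for `registry`.
    GCR / Artifact Registry take the JSON key as password, username `_json_key`."""
    validate_key(key_json)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"tekton.dev/docker-0": registry},
        },
        "type": "kubernetes.io/basic-auth",
        "stringData": {"username": "_json_key", "password": key_json},
    }


def decode_data(secret: dict, field: str) -> str:
    """Round-trip check: recover the key file from a rendered Opaque secret."""
    return base64.b64decode(secret["data"][field]).decode()


if __name__ == "__main__":
    # Assumed names: secret names, namespace and registry host are placeholders.
    for manifest in (
        opaque_secret(SAMPLE_KEY_JSON, "gcp-secret", "tekton-pipelines"),
        tekton_docker_secret(SAMPLE_KEY_JSON, "gcp-registry-auth", "tekton-pipelines",
                             "https://europe-west1-docker.pkg.dev"),
    ):
        print(json.dumps(manifest, indent=2))
```

Listing the basic-auth secret in the ServiceAccount's `secrets` is what lets Tekton's credential initialisation pick it up for the task's pod; the Opaque secret, by contrast, is not used by anything until a task mounts it and sets GOOGLE_APPLICATION_CREDENTIALS to the mounted file.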

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, please cite this site or the original source.
