
Re: authentication for oadm prune in cron job



Pruner image is the easiest way to do it, because the pod inherits those credentials automatically.

On Dec 6, 2016, at 5:52 AM, Diego Castro <diego castro getupcloud com> wrote:

Hello, you can take a look at our pruner image [1], all you have to do is set the cronjob to start the pod.



---
Diego Castro / The CloudFather
GetupCloud.com - We Eliminate Gravity

2016-12-06 6:39 GMT-03:00 Frederic Giloux <fgiloux redhat com>:
as Clayton wrote:
- create a service account [1]
- get its token: oc sa get-token <serviceaccount name>
- log in with the token from your script: oc login --token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
You can use a vault and have your script retrieve the token from it but that's outside the scope of OpenShift.

On Tue, Dec 6, 2016 at 9:59 AM, Den Cowboy <dencowboy hotmail com> wrote:

We're executing our prune commands with:

oadm prune images --keep-tag-revisions=20 --certificate-authority=/etc/docker/certs.d/service-ip-registy:5000/ca.crt --registry-url="" --confirm


The real problem for our cron-jobs is the authentication on openshift itself (before we can execute oadm). Do we really need to put oc login -u myuser .. + define the passwd hardcoded in our cronjob? 


From: Clayton Coleman <ccoleman redhat com>
Sent: Monday, December 5, 2016 20:38:49
To: Srinivas Naga Kotaru (skotaru)
CC: Den Cowboy; users lists openshift redhat com
Subject: Re: authentication for oadm prune in cron job
 
Prune has to connect to your registry server directly to delete blobs, and the registry does not support certificate based auth.  The most consistent path would be to use a service account that had the appropriate permissions and get its token with "oc serviceaccounts get-token".

On Mon, Dec 5, 2016 at 3:08 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

Am also interested to know the answer.

Am thinking we don’t need token for oadm command since it doesn’t use tokens or oauth based authentication. Since it is installed with root privileges, we are using sudo oadm command to execute commands.

# sudo oadm prune builds --orphans --confirm
NAMESPACE             NAME
java-hello-universe   os-sample-java-web-1
upgrade               upgrade-1
sujchinncae-test      django-1

We’re not running internal registry for builds. Am not sure we still need to run prune operations in this scenario.

 

-- 

Srinivas Kotaru

 

From: <users-bounces lists openshift.redhat.com> on behalf of Den Cowboy <dencowboy hotmail com>
Date: Monday, December 5, 2016 at 12:37 AM
To: "users lists openshift redhat com" <users lists openshift redhat com>
Subject: authentication for oadm prune in cron job

 

We are able to delete old deployments + old images (also inside the registry) with our oadm prune commands.
We want to put this in cronjobs. But to perform oadm commands we need to be authenticated. Which is the best way to authenticate in a cron job?


At the moment we have 1 admin account (with cluster-admin permissions) + we have the system:admin account.

Do we need a new account (or service account) for our cronjobs and which permission would we need?

 

Thanks


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

--
Frédéric Giloux
Senior Middleware Consultant

Red Hat GmbH
MesseTurm, Friedrich-Ebert-Anlage 49, 60308 Frankfurt am Main
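
The service-account approach described in this thread, as an added example that is not part of any poster's message or of OpenShift itself: a cron wrapper that reads the token from an owner-only file instead of embedding a password in the crontab. The token path, API URL and `--run` argument are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: cron wrapper that logs in with a service-account token
# kept in an owner-only file, so no password sits in the crontab.
# One-time setup, as in the thread:
#   (umask 077; oc sa get-token <serviceaccount name> > "$TOKEN_FILE")
set -u

TOKEN_FILE="${TOKEN_FILE:-/etc/openshift-pruner/token}"  # assumed path
API_URL="${API_URL:-https://master.example.com:8443}"    # placeholder URL

# Print the token if the file is a regular file (not a symlink) that only
# its owner can access. Returns 1 = missing, 2 = mode too open, 3 = empty.
read_token() {
    _file=$1
    if [ ! -f "$_file" ] || [ -L "$_file" ]; then
        echo "token file missing or not a regular file: $_file" >&2
        return 1
    fi
    _mode=$(stat -c '%a' "$_file") || return 1   # GNU stat assumed
    case "$_mode" in
        400|600) ;;
        *) echo "refusing $_file: mode $_mode, expected 400 or 600" >&2
           return 2 ;;
    esac
    _tok=$(tr -d '[:space:]' < "$_file")
    if [ -z "$_tok" ]; then
        echo "token file is empty: $_file" >&2
        return 3
    fi
    printf '%s' "$_tok"
}

run_prune() {
    _token=$(read_token "$TOKEN_FILE") || return 1
    # Private kubeconfig: the session is not written to ~/.kube/config.
    KUBECONFIG=$(mktemp) || return 1
    export KUBECONFIG
    # --token places the token on oc's argument list while login runs.
    oc login "$API_URL" --token="$_token" >/dev/null &&
        oadm prune images --keep-tag-revisions=20 --confirm
    _rc=$?
    rm -f "$KUBECONFIG"
    return "$_rc"
}

# Crontab entry (constructed): 0 3 * * * /usr/local/sbin/prune-images.sh --run
if [ "${1:-}" = "--run" ]; then
    run_prune
fi
```

The registry options from the original command (`--certificate-authority`, `--registry-url`) are omitted here and can be appended to the `oadm prune images` line as needed.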

