
ServiceAccount token for a build Pod (Dynamic resource creation)



Hello all,

The short version/question would be: How can I use a custom ServiceAccount with a BuildConfig?

It appears the build Pod doesn't have the ServiceAccount's token mounted at the location:

cat: /var/run/secrets/kubernetes.io/serviceaccount/token: No such file or directory

Thank you!

Longer version:

I'm trying to create OpenShift resources from within a Pod.
The starting point is the app - that needs to be deployed - which holds an "unknown" number of configurations/customers that need to run in their own containers. So for each of them I need a set of resources created inside an OpenShift/OKD project; mainly a deploymentConfig and a service that exposes the runtime ports.

I can build the application for all the customers and the build is also triggered by a repository hook. So each time a build is done, it is certain that the image pushed to the stream holds app-builds for all those customers.

What I've done so far is to make use of a custom ServiceAccount with a custom project role given to it and a Template that defines the DeploymentConfig, Service, etc. in parameterized form. The idea being that I would run a pod, using the ServiceAccount, on an image that holds the built application, authenticate via token to the OKD API and, based on some logic, it would discover the customers that don't have the needed resources and create those from the template with specific parameter values.

I've tried using a Job, only to realize that it has "run once" behaviour. So I cannot use the triggering mechanism.

I've also tried using a CronJob, and I'll probably use it if there's no other way to achieve the goal. I'd rather have this work by way of notification and not by "polling".

I've tried using the postCommit hook and call my scripted logic after the build is done, but I get the error about the unfound token. I also think I'll need to extend the custom role of the service account so it also has the rights of the builder SA.
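
Added example, not part of the original post: a sketch of the reconcile step described above, with an explicit guard for the missing-token case so the script stops instead of calling the API unauthenticated. The file `template.yaml`, the `CUSTOMER` parameter and the customer list passed to `reconcile` are hypothetical; it assumes `oc` is in the image and resolves the API server from its in-cluster environment.

```shell
#!/bin/sh
# Added example: create per-customer resources that do not exist yet.
# Hypothetical names: template.yaml, CUSTOMER, the list given to reconcile().
TOKEN_FILE="${TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}"

# Print the mounted ServiceAccount token, or fail clearly when the file is
# absent or empty (the "No such file or directory" case from the post).
load_token() {
    if [ ! -s "$1" ]; then
        echo "no ServiceAccount token at $1; refusing to continue" >&2
        return 1
    fi
    cat "$1"
}

# Accept only names that are safe as a resource name and template parameter.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
        *) return 0 ;;
    esac
}

# $1: wanted customer names, $2: existing DeploymentConfig names (one per line).
# Prints the wanted names that have no DeploymentConfig yet.
missing_customers() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        valid_name "$name" || { echo "skipping invalid name: $name" >&2; continue; }
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# $1: wanted customer names. Stops before any create if the token is missing
# or the listing fails, so a failed lookup never looks like "nothing exists".
reconcile() {
    token=$(load_token "$TOKEN_FILE") || return 1
    names=$(oc --token="$token" get dc -o name) || return 1
    existing=$(printf '%s\n' "$names" | sed 's|.*/||')
    missing_customers "$1" "$existing" | while IFS= read -r c; do
        oc process --local -f template.yaml -p CUSTOMER="$c" </dev/null |
            oc --token="$token" apply -f -
    done
}
```

The role bound to the ServiceAccount only needs to list DeploymentConfigs and create the kinds the template defines.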

