Thanks for the reply!
My response is inline as well.
On 30.11.2018 00:51, Ben Parees wrote:
The short version/question would be: How can I use a
ServiceAccount with a BuildConfig?
you can choose the SA used by the build via:
But I don't think this will help you.
It appears the build Pod doesn't have the serviceAcoount's
at the location:
No such file
how are you running the cat command?
In general users cannot get into/manipulate the build
pod. If you're executing that from within your build
logic, then it's going to run inside your build container
(ie where your application is constructd) which does not
have the builder service account available, it's not the
same as the build pod itself which would have the service
account token mounted.
It sounds like you might want to use build secrets to
make a credential available to your build logic:
I'm running the command as a postCommit hook/script. So, if I
understand it right, it should be a temporary pod that runs the
image that was just build.
The actual BuildConfig holds:
I was expecting the same behaviour as with a container defined in
a DeploymentConfig/Job/CronJob where the serviceAccount's token is
mounted in /var/run/secrets/kubernetes.io/serviceaccount/token
So I don't use it during the actual build process and I can't
configure it as a build input because I can't reference the secret
by name in a consistent way. OKD creates the secrets for SAs with
some appended random 5 characters....manager-token-xxxxx
I'm trying to create Openshift resources from within a
The starting point is the app - that needs to be deployed
- which holds
an "unknown" number of configurations/customers that need
to run on
their own containers. So for each of them I need a set of
created inside an Openshift/OKD project; mainly a
deploymentConfig and a
service that exposes the runtime ports.
I can build the application for all the customers and the
build is also
triggered by a repository hook. So each time a build is
done, it is
certain that the image pushed to the stream holds
app-builds for all
What I've done so far is to make use of a custom
ServiceAccount with a
custom project role given to it and a Template that
DeploymentConfig, Service, etc in parameterized form. The
that I would run a pod, using the ServiceAccount, on a
image that holds
the built application, authenticate via token to the OKD
API and, based
on some logic, it would discover the customers that don't
needed resources and create those from the template with
I've tried using a Job, only to realize that it has "run
behaviour. So I cannot use the triggering mechanism.
I've also tried using a CronJob, and i'll probably use it
if there's no
other way to achieve the goal. I'd rather have this work
by way of
notification and not by "polling".
I've tried using the postCommit hook and call my scripted
the build is done, but I get the error about the unfound
token. I also
think I'll need to extend the custom role of the service
account so it
also has the rights of the builder SA.
users mailing list
users lists openshift redhat com