
Currently I am trying to make sure that the default pipeline account is able to perform the git-clone ClusterTask in a Tekton pipeline. With the following yaml, the task can be performed successfully (the repo gets pulled):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline
secrets:
  - name: git-secret

However, when I use this same configuration in an OpenShift template, e.g.:

apiVersion: v1
kind: Template
metadata:
  name: test-template
objects:
  - apiVersion: v1
    kind: Secret
    type: kubernetes.io/ssh-auth
    metadata:
      name: git-secret
      annotations:
        tekton.dev/git-0: bitbucket.org
    data:
      ssh-privatekey: ${GIT_SSH_KEY}

  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: pipeline
    secrets:
      - name: git-secret

The secret is not linked with the ServiceAccount and, as a result, the pull fails. I tried to give the secret the following annotation:

kubernetes.io/service-account.name: pipeline

But that does not help either. When creating a new ServiceAccount in the template (e.g. pipeline-with-secret), things work perfectly. Also, when linking the secret manually, it works well. However, I would prefer to have the template set the link correctly to avoid having to do the linking manually. This makes me wonder: is it possible to link a secret to a ServiceAccount that gets created by default?

OpenShift version: 4.5.19

Thanks.

Sebastian

1 Answer


You are almost there.

The problem is that you are missing parameters; see my last section below:

apiVersion: v1
kind: Template
metadata:
  name: test-template
objects:
  - apiVersion: v1
    kind: Secret
    type: kubernetes.io/ssh-auth
    metadata:
      name: git-secret
      annotations:
        tekton.dev/git-0: bitbucket.org
    data:
      ssh-privatekey: ${GIT_SSH_KEY}

  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: pipeline
    secrets:
      - name: git-secret
parameters:
- name: GIT_SSH_KEY
  displayName: SSH Private Key
  description: SSH Private key to use for openshift pipelines
  required: true
  value: ssh-private-key...

See the Templates Parameters section here.

To be honest, I hate templates; I prefer Helm, which is more of a standard.

MrSimpleMind
  • Thanks for your reply. I have defined parameters in my template, just forgot to add it to the example in my post. Unfortunately, even with the parameter defined, it does not work as I expect. The secret gets created. The ServiceAccount gets created when I name it test-pipeline and the secret gets linked correctly. It just does not work when I want to update the existing default pipeline ServiceAccount. Will definitely take a look at Helm templates. – Sebastian Jan 19 '21 at 07:09
  • Could you try adding an annotation to the Secret: `template.alpha.openshift.io/wait-for-ready: "true"` (normally this applies to other objects, not sure it will apply to a Secret, but worth a try; I'm thinking that the Secret is not ready when the SA is created, and this makes it fail). – MrSimpleMind Jan 19 '21 at 08:33
  • Good suggestion! I tried adding the wait-for-ready annotation on both the secret and the ServiceAccount (separate attempts). Unfortunately, the secret still does not get linked with the account. I guess I'll go with creating a new ServiceAccount and not use the default pipeline one for now. Oddly enough, this way it works. Helm seems like a solid option for the future. – Sebastian Jan 19 '21 at 09:43
  • Red Hat suggests using a pipeline instead when there is a "dependency" on the order in a template. Or adding the `wait-for-ready` annotation, but this is limited to several objects and unfortunately, from what I can see, not applicable to an SA object (only to `Build`, `BuildConfig`, `Deployment`, `DeploymentConfig`, `Job`, or `StatefulSet`; a dirty solution could be to set up a Job which creates the Secret and then the SA - as said, dirtyyyy). My suggestion is to absolutely go for Helm. A much easier and prettier solution, also for other k8s environments. – MrSimpleMind Jan 19 '21 at 09:54
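As an added check, not code from either poster, the following Python script lints a constructed copy of the template from the question: it reports `${PARAM}` references that have no entry in the `parameters` block (the answer's point), ServiceAccount secret links that name no Secret object in the same template, and whether the substituted `data` value is valid base64, since `data` (unlike `stringData`) must be base64-encoded. The template dict, the regex and the placeholder key are all constructed here; the script does not touch a cluster.

```python
import base64
import re

# Constructed copy of the question's template as a Python dict (no YAML library needed).
# The "parameters" list is empty on purpose: that is the gap the answer points at.
TEMPLATE = {
    "apiVersion": "v1", "kind": "Template", "metadata": {"name": "test-template"},
    "objects": [
        {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/ssh-auth",
         "metadata": {"name": "git-secret",
                      "annotations": {"tekton.dev/git-0": "bitbucket.org"}},
         "data": {"ssh-privatekey": "${GIT_SSH_KEY}"}},
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": "pipeline"}, "secrets": [{"name": "git-secret"}]},
    ],
    "parameters": [],
}
# Matches both ${NAME} (string substitution) and ${{NAME}} (non-string substitution).
PARAM_REF = re.compile(r"\$\{\{?([A-Za-z0-9_]+)\}?\}")
# Constructed placeholder, never real key material; Secret.data must carry it base64-encoded.
SAMPLE_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-placeholder\n-----END OPENSSH PRIVATE KEY-----\n"
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode()

def referenced_params(node):
    """Collect every parameter name referenced anywhere under `node`."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*(referenced_params(v) for v in node))
    return set(PARAM_REF.findall(node)) if isinstance(node, str) else set()

def undeclared_params(template):
    """Parameters used in objects but absent from the parameters block (oc process would fail)."""
    declared = {p["name"] for p in template.get("parameters", [])}
    return sorted(referenced_params(template["objects"]) - declared)

def unlinked_sa_secrets(template):
    """(ServiceAccount, secret) pairs where the SA links a Secret the template does not define."""
    defined = {o["metadata"]["name"] for o in template["objects"] if o["kind"] == "Secret"}
    return [(o["metadata"]["name"], s["name"]) for o in template["objects"]
            if o["kind"] == "ServiceAccount" for s in o.get("secrets", []) if s["name"] not in defined]

def rendered_secret_data(template, values):
    """Substitute parameter values into Secret.data and decode it; None if a value is not base64."""
    out = {}
    for o in template["objects"]:
        for key, raw in (o.get("data", {}) if o["kind"] == "Secret" else {}).items():
            filled = PARAM_REF.sub(lambda m: values[m.group(1)], raw)
            try:  # validate=True rejects the raw PEM text a caller might pass by mistake
                out[(o["metadata"]["name"], key)] = base64.b64decode(filled, validate=True)
            except ValueError:
                return None
    return out
```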