tektoncd + kaniko + openstack s3 context

5/5/2019

Sounds fun already, right?

I know it shows you how to set secrets for docker creds here, but I'm unsure as to how to label my s3 creds for tektoncd. Does anyone have an example so that I can do this for my pipeline?

-- quantomworks
kubernetes

1 Answer

5/6/2019

It must be using the AWS SDK to access S3 underneath. Thus it uses the Credential Chain to obtain AWS creds. Java SDK example: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html, but it's the same in all SDKs. Based on that, you have multiple options:

  1. Pass the AWS key/secret to the tektoncd container environment (do not recommend)
  2. Mount ~/.aws/credentials to the tektoncd container filesystem (maybe)
  3. If the k8s cluster is on EC2, spin up https://github.com/uswitch/kiam and assign an IAM role with S3 access to the tektoncd pods (highly recommend). Or the poor man's version of this: just add an S3 policy to the node role. In both cases, you don't deal with the secrets explicitly, at all.

-- Max Lobur
Source: StackOverflow
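
Option 2 from the answer, sketched as a Kubernetes Secret mounted read-only into a kaniko step (an added example, not part of the original answer and not taken from the Tekton or kaniko projects). All names, the bucket, endpoint and registry are constructed placeholders; the `tekton.dev/v1beta1` API version and the `S3_ENDPOINT` / `S3_FORCE_PATH_STYLE` variables are assumptions about the installed Tekton and kaniko versions, and registry push credentials are not shown.

```yaml
# Added example: every name and value below is a constructed placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: s3-context-creds          # hypothetical secret name
type: Opaque
stringData:
  # File name must be "credentials" so the SDK finds ~/.aws/credentials.
  credentials: |
    [default]
    aws_access_key_id = <ACCESS_KEY_PLACEHOLDER>
    aws_secret_access_key = <SECRET_KEY_PLACEHOLDER>
---
apiVersion: tekton.dev/v1beta1    # assumption: adjust to the installed Tekton version
kind: Task
metadata:
  name: kaniko-s3-build           # hypothetical task name
spec:
  steps:
    - name: build
      image: gcr.io/kaniko-project/executor:latest
      args:
        - --context=s3://example-bucket/context.tar.gz    # constructed bucket and path
        - --destination=registry.example.com/app:latest   # constructed registry
      env:
        # Only non-secret settings go in the environment; the key pair
        # stays in the mounted file and out of the pod spec.
        - name: AWS_REGION
          value: us-east-1        # placeholder; the SDK requires some region
        - name: S3_ENDPOINT       # assumption: honoured by your kaniko version
          value: https://s3.openstack.example.com
        - name: S3_FORCE_PATH_STYLE
          value: "true"
      volumeMounts:
        - name: aws-creds
          mountPath: /root/.aws   # kaniko runs as root, so ~/.aws is /root/.aws
          readOnly: true
  volumes:
    - name: aws-creds
      secret:
        secretName: s3-context-creds
        defaultMode: 0400         # owner read-only inside the container
```

Scope the key pair in the Secret to read access on the one context bucket, and restrict who can read the Secret with namespace RBAC.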