K
Q

tektoncd + kaniko + openstack s3 context

5/5/2019

Sounds fun already, right?

I know it shows you how to set secrets for docker creds here, but I'm unsure as to how to label my s3 creds for tektoncd. Does anyone have an example so that I can do this for my pipeline?

-- quantomworks
kubernetes

Similar Questions

Kubernetes config version error - your configuration file uses an old API spec: "kubeadm.k8s.io/v1alpha1"
How to scrap Jenkins metrics using Prometheus Operator
Inject env var for all ConfigMap values
apiserver not coming up after adding audit-policy-file param
Make Laravel env variables visible to frontend via Kubernetes
How k8s knows the target port of a process inside a Pod?
Configuration issues with superset in K8s with postgresql

1 Answer

5/6/2019

It must be using AWS SDK to access S3 underneath. Thus it uses the Credential Chain to obtain AWS creds. Java SDK example https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html, but it's same in all SDKs. Based on that you have multiple options:

  1. Pass AWS key/secret to tektoncd container environment (do not recommend)
  2. Mount ~/.aws/credentials to a tektoncd container filesystem (maybe)
  3. If the k8s cluster is on EC2, spin up a https://github.com/uswitch/kiam and assign an IAM role with S3 access to a tektoncd pods (highly recommend). Or poor man's version of this - just add S3 policy to a node role. In both cases, you don't deal with the secrets explicitly, at all.
-- Max Lobur
Source: StackOverflow