I am trying to use a GOOGLE_APPLICATION_CREDENTIALS secret with GKEPodOperator. Basically I want to:
1. Upload the secret to GKE
2. Mount (?) the secret to a container
3. Use the secret when running the container.
Until now I have added the key.json-file to my image at build time, and I know this is not the correct way to do it.
I found this question: How to set GOOGLE_APPLICATION_CREDENTIALS on GKE running through Kubernetes
The difference is that they are not using GKEPodOperator.
What I have done: 1. Created the secret using:
kubectl create secret generic mysupersecret --from-file=service_account_key=key.json
I see there are volumes and volume_mounts parameters but I don't understand how to use them.
Can anyone give me a helping hand on this? Maybe I am about to do something stupid..
To use a Secret with your workloads, you can specify environment variables that reference the Secret's values, or mount a volume containing the Secret. Please follow this link to using secrets and set volumes and volume_mounts.
This link refers to the Google general document for Authenticating to Cloud Platform with Service Accounts to use a GOOGLE_APPLICATION_CREDENTIALS secret. And this link describes how to use the KubernetesPodOperator to launch Kubernetes pods.
This is similar to passing secrets to the KubernetesPodOperator. Check details here.
Here is a quick sample.
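# Imports, assuming Airflow 1.10's contrib layout
from airflow.contrib.kubernetes import secret
from airflow.contrib.operators.gcp_container_operator import GKEPodOperator

# Each Secret object maps a Kubernetes Secret into the pod
influx_username = secret.Secret(
    ...
)
influx_pass = secret.Secret(
    ...
)
operator = GKEPodOperator(
    task_id='task-id',
    project_id='prj-id',
    location='location',
    cluster_name='cluster-name',
    name='pod-name',
    namespace='default',
    image='image-path',
    secrets=[influx_username, influx_pass],  # made available inside the pod
)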
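An added example, not part of the answers above or of Airflow's own code: one way to mount the mysupersecret Secret from the question as a volume and point GOOGLE_APPLICATION_CREDENTIALS at the mounted file instead of baking key.json into the image. The helper names credentials_mount and build_task, the mount directory /var/secrets/google and the Airflow 1.10 contrib import paths are assumptions; the task ids are the placeholders from the sample.

```python
import posixpath
import re

# Kubernetes Secret keys: alphanumerics, '-', '_' and '.' only.
_KEY_RE = re.compile(r"[A-Za-z0-9._-]+")


def credentials_mount(secret_name, key, mount_dir="/var/secrets/google"):
    """Return (Secret kwargs, pod env vars) for a key file mounted as a volume.

    A Secret volume exposes every key of the Secret as a read-only file named
    after the key, so the credentials path is <mount_dir>/<key>.
    """
    if not _KEY_RE.fullmatch(key) or key == "." or key.startswith(".."):
        raise ValueError("invalid Secret key name: %r" % key)
    if not posixpath.isabs(mount_dir) or ".." in mount_dir.split("/"):
        raise ValueError("mount_dir must be absolute and free of '..'")
    mount_dir = posixpath.normpath(mount_dir)
    secret_kwargs = {
        "deploy_type": "volume",     # mount as files, not as an env value
        "deploy_target": mount_dir,  # directory inside the container (assumed)
        "secret": secret_name,       # name given to `kubectl create secret`
        "key": key,
    }
    # Only the path goes into the environment; the key stays in the mounted file.
    env_vars = {"GOOGLE_APPLICATION_CREDENTIALS": posixpath.join(mount_dir, key)}
    return secret_kwargs, env_vars


def build_task(dag=None):
    """Create the task; ids are the placeholders from the sample above."""
    # Imported lazily so credentials_mount() works without Airflow installed.
    # Import paths are an assumption (Airflow 1.10 contrib layout).
    from airflow.contrib.kubernetes import secret
    from airflow.contrib.operators.gcp_container_operator import GKEPodOperator

    secret_kwargs, env_vars = credentials_mount("mysupersecret", "service_account_key")
    return GKEPodOperator(
        task_id="task-id",
        project_id="prj-id",
        location="location",
        cluster_name="cluster-name",
        name="pod-name",
        namespace="default",
        image="image-path",
        secrets=[secret.Secret(**secret_kwargs)],
        env_vars=env_vars,
        dag=dag,
    )
```

The Secret has to exist in the namespace the pod runs in (default here), and the image no longer needs key.json copied in at build time.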