Due to company restrictions, I have to use different service accounts for different Google services.
One of the accounts is for Pub/Sub and a second one is for BigQuery.
I've gotten the Pub/Sub authentication to work with Spring.
Snippet:
```java
@Autowired
private ClientConfiguration clientConfiguration;
private Context context = new Context();
// ...
context.setClientConfiguration(clientConfiguration);
String projectId = clientConfiguration.getSubscriptionProjectDefault();
List<ReceivedMessage> receivedMessageList = getPubSubMessages(
        projectId,
        clientConfiguration.getSubscriptionNameDefault(),
        Integer.parseInt(clientConfiguration.getNumMaxOfMessages()));
```
When doing these steps for BigQuery, the path to the secret is "/secret/secret_name". When doing what the URL says, I get a NullPointerException in the File. Here is the snippet:
```java
log.debug("PATH_BIG_QUERY_CREDENTIALS:" + System.getenv("PATH_BIG_QUERY_CREDENTIALS"));
String pathBigQueryCredentials = System.getenv("PATH_BIG_QUERY_CREDENTIALS");
File credentialsPath = new File(pathBigQueryCredentials);
FileInputStream serviceAccountStream = new FileInputStream(credentialsPath);
GoogleCredentials credentials = ServiceAccountCredentials.fromStream(serviceAccountStream);
BigQuery bigquery = BigQueryOptions.newBuilder().setCredentials(credentials).build().getService();
```
What is the correct way to use a second service account? This is non-negotiable :(
The answer actually was in the deployment.yaml.
To mount multiple secrets, it needs to be the following:
```yaml
---
# POD - API configuration (with Google Endpoints)
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: event-keeper-acl
spec:
  # Number of replicas
  replicas: 1
  template:
    metadata:
      labels:
        app: app_name
        tier: backend
    spec:
      containers:
        - name: app_name
          image: REGISTRY_HOSTNAME/PROJECT_ID/REPOSITORY_NAME:IMAGE_TAG
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          env:
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: "/secret/secret_name_1"
            - name: PATH_BIG_QUERY_CREDENTIALS
              value: "/secret/secret_name_2"
          volumeMounts:
            - name: service-secrets
              mountPath: /secret
              readOnly: true
          envFrom:
            - configMapRef:
                name: app-name-config-map
      volumes:
        - name: service-secrets
          projected: # <----- THIS ENABLES MULTIPLE SECRETS IN SAME MOUNT POINT
            sources:
              - secret:
                  name: secret_name_1
              - secret:
                  name: secret_name_2
```
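
A defensive version of the BigQuery credential loading from the question, as an added example that is not part of the original posts: it fails with a clear message when `PATH_BIG_QUERY_CREDENTIALS` is unset or the mounted file is missing, and checks that the key belongs to the expected account so the two mounted keys cannot be swapped silently. The class name `BigQueryClientFactory` and the `expectedEmail` parameter are assumptions made for this example.

```java
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryOptions;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper class; not part of the original application.
public final class BigQueryClientFactory {

    // Env var name taken from the deployment.yaml above.
    private static final String ENV_VAR = "PATH_BIG_QUERY_CREDENTIALS";

    private BigQueryClientFactory() {}

    /** Loads the key file named by envVar, failing with a clear message instead of an NPE. */
    static ServiceAccountCredentials loadCredentials(String envVar, String expectedEmail)
            throws IOException {
        String value = System.getenv(envVar);
        if (value == null || value.trim().isEmpty()) {
            // new File(null) is what throws the NullPointerException in the question.
            throw new IllegalStateException(envVar + " is not set in the container environment");
        }
        Path keyFile = Paths.get(value);
        if (!Files.isRegularFile(keyFile) || !Files.isReadable(keyFile)) {
            // In a projected volume each secret key becomes a file under the mount path.
            throw new IllegalStateException("No readable key file at " + keyFile);
        }
        ServiceAccountCredentials credentials;
        try (InputStream in = Files.newInputStream(keyFile)) {
            credentials = ServiceAccountCredentials.fromStream(in);
        }
        // Compare the account identity only; never log the key material itself.
        if (expectedEmail != null && !expectedEmail.equals(credentials.getClientEmail())) {
            throw new IllegalStateException("Key at " + keyFile + " belongs to "
                    + credentials.getClientEmail() + ", expected " + expectedEmail);
        }
        return credentials;
    }

    /** Builds a BigQuery client bound to its own service account, independent of ADC. */
    public static BigQuery create(String expectedEmail) throws IOException {
        ServiceAccountCredentials credentials = loadCredentials(ENV_VAR, expectedEmail);
        return BigQueryOptions.newBuilder().setCredentials(credentials).build().getService();
    }
}
```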