GCR creds-updating Tekton sidecar
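# Demonstrates a GCR creds-updating sidecar
# - The `creds-refresh` sidecar periodically fetches a Service Account OAuth2
#   access token from the GCE metadata server and uses it with `docker login`
#   to authorize docker pushes to GCR.
# - The dind sidecar provides an ephemeral Docker daemon to run builds and
#   store images before they're pushed.
# - The step periodically uses these credentials to push an image to GCR.
#
# Security notes for anyone adapting this beyond a demo:
# - The dind sidecar runs with `privileged: true`, which dind needs. A
#   privileged container has broad access to the host, so only trusted build
#   steps should be run against it.
# - `docker login` writes the access token in plaintext to
#   /gcb-compat/config.json. That emptyDir is shared with the step, so any
#   process in the step can read the token while it is valid. This is the
#   intended way the step authenticates, but it is also the blast radius.
# - The `docker`, `docker:dind` and `busybox` images are referenced by
#   floating tag; pin them by digest for anything reproducible.
# - The refresh script deliberately does not use `set -x`, so the token is
#   never echoed into the TaskRun logs.
#
# $ kubectl create -f gcr-creds.yaml
# taskrun.tekton.dev/gcr-creds-9d7t7 created
# $ tkn tr logs gcr-creds-9d7t7
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: gcr-creds-
spec:
  taskSpec:
    steps:
      # NB: If this is running *without* Workload Identity, the node SA
      # ([projnum]-compute@developer.gserviceaccount.com) needs to have Storage
      # Read/Write scopes (not the default Read-Only).
      - image: docker
        script: |
          #!/bin/sh
          # `-x` is fine here: this step never sees the raw token, only the
          # docker config file that the creds-refresh sidecar maintains.
          set -ex
          docker pull busybox
          while true; do
            tag=$(date +%s)
            docker tag busybox gcr.io/jasonhall-kube/date:$tag
            docker push gcr.io/jasonhall-kube/date:$tag
            sleep 60
          done
        env:
          # Read credentials from the config the creds-refresh sidecar writes.
          - name: DOCKER_CONFIG
            value: /gcb-compat/
          # Connect to the sidecar over TCP, with TLS.
          - name: DOCKER_HOST
            value: tcp://localhost:2376
          # Verify the daemon's certificate; never talk to an unverified daemon.
          - name: DOCKER_TLS_VERIFY
            value: '1'
          # Use the client certs generated by the sidecar daemon.
          - name: DOCKER_CERT_PATH
            value: /certs/client
        volumeMounts:
          - name: docker-config
            mountPath: /gcb-compat/
          - mountPath: /certs/client
            name: dind-certs
    sidecars:
      - image: docker:dind
        name: server
        args:
          - --storage-driver=vfs
          - --userland-proxy=false
          # Verbose daemon logging; drop this outside of a demo.
          - --debug
        securityContext:
          # Required by dind. See the security notes at the top of the file.
          privileged: true
        env:
          # Write generated certs to the path shared with the client.
          - name: DOCKER_TLS_CERTDIR
            value: /certs
        volumeMounts:
          - mountPath: /certs/client
            name: dind-certs
        # Wait for the dind daemon to generate the certs it will share with the
        # client.
        readinessProbe:
          periodSeconds: 1
          exec:
            command: ['ls', '/certs/client/ca.pem']
      - name: creds-refresh
        image: docker
        script: |
          #!/bin/sh
          # No `set -e` / `set -x` here: a transient metadata-server or login
          # failure must not kill this loop (the step would then keep using a
          # credential that silently expires), and the token must not be logged.
          while true; do
            t=$(wget -qO- --header="Metadata-Flavor: Google" \
              'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?alt=text')
            # alt=text returns one "key value" pair per line; pick the
            # access_token line explicitly rather than relying on word-splitting.
            p=$(printf '%s\n' "$t" | awk '$1 == "access_token" { print $2 }')
            if [ -z "$p" ]; then
              echo "creds-refresh: could not fetch a token from the metadata server, retrying" >&2
              sleep 10
              continue
            fi
            if ! printf '%s\n' "$p" | docker login -u oauth2accesstoken --password-stdin https://gcr.io; then
              echo "creds-refresh: docker login to gcr.io failed, retrying" >&2
              sleep 10
              continue
            fi
            # 5 minutes. Presumably well inside the token's lifetime; confirm
            # against the metadata server's expires_in if you change this.
            sleep 300
          done
        # Wait for the config file to be written by the first successful login.
        readinessProbe:
          periodSeconds: 1
          exec:
            command: ['ls', '/gcb-compat/config.json']
        env:
          - name: DOCKER_CONFIG
            value: /gcb-compat/
        volumeMounts:
          - name: docker-config
            mountPath: /gcb-compat/
    volumes:
      # Holds the plaintext docker config (token included); pod-local only.
      - name: docker-config
        emptyDir: {}
      # Holds the dind-generated client TLS material.
      - name: dind-certs
        emptyDir: {}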