IBM / ibmcloud-object-storage-plugin

IBM Cloud Object Storage plugin is a Kubernetes volume plugin that enables Kubernetes pods to access IBM Cloud Object Storage buckets. The plugin has two components: a dynamic provisioner and a FlexVolume driver for mounting the buckets using s3fs-fuse on a worker node.
Apache License 2.0

Clarify which values need to be passed in the Secret. #10

Open patrocinio opened 6 years ago

patrocinio commented 6 years ago

The documentation says to specify either (access-key + secret-key) or (api-key + service-instance-id):

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
type: ibm/ibmc-s3fs
metadata:
  name: test-secret
  namespace: <NAMESPACE_NAME>
data:
  access-key: <access key encoded in base64 (when not using IAM OAuth)>
  secret-key: <secret key encoded in base64 (when not using IAM OAuth)>
  api-key: <api key encoded in base64 (for IAM OAuth)>
  service-instance-id: <service-instance-id encoded in base64 (for IAM OAuth + bucket creation)>
EOF

Here are the values from my COS instance:

{
  "apikey": "...",
  "endpoints": "https://cos-service.bluemix.net/endpoints",
  "iam_apikey_description": "Auto generated apikey during resource-key operation for Instance - crn:v1:bluemix:public:cloud-object-storage:global:a/3fffae21e3b21d6ea72bab695ad1df00:a91941a2-f3a4-4726-91e6-6f0dcb499687::",
  "iam_apikey_name": "auto-generated-apikey-b93070f7-094f-4768-b3d3-08a8bc5c173b",
  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
  "iam_serviceid_crn": "...",
  "resource_instance_id": "..."
}

Which values should I specify?

This is the error I am getting when I specify api-key + service-instance-id:

Broadcast message from systemd-journald@kube-worker2 (Fri 2018-09-07 16:16:58 UTC):

s3fs[19657]: s3fs: if one access key is specified, both keys need to be specified.

Thanks!

nkkashyap commented 6 years ago

@patrocinio Hi. For IAM, we have to use apikey: and resource_instance_id: from the service credentials. Convert these values to base64 and set them as api-key: and service-instance-id: in the following command:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
type: ibm/ibmc-s3fs
metadata:
  name: test-secret
  namespace: <NAMESPACE_NAME>
data:
  api-key: <api key encoded in base64 (for IAM OAuth)>
  service-instance-id: <service-instance-id encoded in base64 (for IAM OAuth + bucket creation)>
EOF

Sometimes the key value may get corrupted during a copy-paste operation, so I recommend using the utility create-k8s-secret (https://github.com/IBM/ibmcloud-object-storage-plugin/tree/master/tools/IBM).

To use the utility:

  1. Log into IBM Cloud CLI: $ ibmcloud login -a api.ng.bluemix.net -u <user id>
  2. Export Kube-Config: $ export KUBECONFIG=<armada cluster config file>
  3. Get the list of service instances: $ ibmcloud resource service-instances
  4. Get the list of service keys under the service instance: $ ibmcloud resource service-keys --instance-name <instance name>
  5. Execute create-k8s-secret as follows: ./create-k8s-secret iam <service-key> <secret name> <K8S namespace>

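
The IAM mapping described in the answer above (apikey to api-key, resource_instance_id to service-instance-id), as an added example that is not part of the thread or the plugin's own tooling: it builds the Secret manifest from the service-credential JSON and checks existing data values for whitespace picked up during copy-paste. The function names and sample credential values are constructed for illustration, and the code assumes valid credentials contain no whitespace.

```python
import base64
import json

# Service-credential JSON field -> Secret data key, per the answer above (IAM case).
IAM_FIELDS = {"apikey": "api-key", "resource_instance_id": "service-instance-id"}


def b64(value: str) -> str:
    """Base64-encode a credential, refusing values damaged by copy-paste.

    Assumption: a valid credential is non-empty and contains no whitespace.
    """
    if not value or any(c.isspace() for c in value):
        raise ValueError("credential is empty or contains whitespace")
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_iam_secret(credentials_json: str, name: str, namespace: str) -> dict:
    """Build the ibm/ibmc-s3fs Secret manifest from service-credential JSON."""
    creds = json.loads(credentials_json)
    missing = [f for f in IAM_FIELDS if f not in creds]
    if missing:
        raise KeyError(f"service credentials lack: {', '.join(missing)}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "ibm/ibmc-s3fs",
        "metadata": {"name": name, "namespace": namespace},
        "data": {key: b64(creds[field]) for field, key in IAM_FIELDS.items()},
    }


def check_secret_data(data: dict) -> list:
    """Return problems found in the data section of an existing Secret."""
    problems = []
    for key, encoded in data.items():
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
        if decoded != decoded.strip():
            problems.append(f"{key}: decoded value has leading/trailing whitespace")
    return problems


# Constructed sample credentials, not real values.
SAMPLE = json.dumps({"apikey": "EXAMPLE-api-key-0000",
                     "resource_instance_id": "crn:v1:example:instance-0000::"})

if __name__ == "__main__":
    # kubectl accepts JSON manifests, so the output can be piped to: kubectl apply -f -
    print(json.dumps(build_iam_secret(SAMPLE, "test-secret", "default"), indent=2))
```
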
patrocinio commented 6 years ago

Thanks, @nkkashyap. I will try apikey and resource_instance_id again. Notice I am not using IKS / Armada.