datawire / forge

Define and run multi-container apps in Kubernetes
http://forge.sh
Apache License 2.0

Support short-term access tokens instead of json key for gcr #143

Closed majelbstoat closed 6 years ago

majelbstoat commented 6 years ago

Per Gitter conversation: https://gitter.im/datawire/forge?at=5a7916cbce68c3bc744d7ad6

Jamie Talbot @majelbstoat
for google container registry, is there a way not to require a json key in favour of a short-term access token that's downloaded on the fly? would rather not have keys stored anywhere for too long a time.

Rafael Schloming @rhs 18:48
@majelbstoat there isn't currently, but if you file an issue I can look into that

majelbstoat commented 6 years ago

If it helps, this is what I do to make kubectl work with gcr.io in the same way:

kubectl create secret docker-registry gcr \
  --docker-server=https://gcr.io \
  --docker-username=oauth2accesstoken \
  --docker-password="$(gcloud auth print-access-token)" \
  --docker-email=me@myemail.com

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gcr"}]}'

rhs commented 6 years ago

I've made the key optional in forge 0.4.0. If you omit the key for a gcr registry, then forge will automatically use gcloud auth print-access-token for the password. (You will need to run gcloud auth login or gcloud auth activate-service-account prior to running forge.)
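
An added example (not from the thread and not forge's own code) of keeping the gcr pull secret from the kubectl workaround above current: tokens from gcloud auth print-access-token expire, after one hour by default, so a secret built from one has to be refreshed. The function names are hypothetical, the secret name and registry URL are taken from the thread, and the manifest is piped to kubectl over stdin so the token is not passed as a command-line argument.

```shell
#!/bin/sh
# Added example: refresh a GCR image pull secret from a short-lived token.
# Assumptions: secret name "gcr" and registry https://gcr.io as in the
# thread; all function names here are hypothetical.

REGISTRY="https://gcr.io"
SECRET_NAME="gcr"

# base64 without line wrapping (GNU base64 wraps long output by default).
b64() { base64 | tr -d '\n'; }

# Print the .dockerconfigjson document for a given access token.
dockerconfig_json() {
  token="$1"
  [ -n "$token" ] || { echo "empty access token" >&2; return 1; }
  # Accept only bearer-token characters so nothing can break the JSON string.
  case "$token" in
    *[!A-Za-z0-9._~+/=-]*) echo "unexpected character in token" >&2; return 1 ;;
  esac
  auth=$(printf '%s' "oauth2accesstoken:$token" | b64)
  printf '{"auths":{"%s":{"username":"oauth2accesstoken","password":"%s","auth":"%s"}}}' \
    "$REGISTRY" "$token" "$auth"
}

# Print a Secret manifest (JSON) wrapping that document.
secret_manifest() {
  cfg=$(dockerconfig_json "$1") || return 1
  printf '{"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/dockerconfigjson","metadata":{"name":"%s"},"data":{".dockerconfigjson":"%s"}}\n' \
    "$SECRET_NAME" "$(printf '%s' "$cfg" | b64)"
}

# Fetch a fresh token and apply the manifest over stdin. Schedule this
# (cron, systemd timer) more often than the token lifetime.
refresh_pull_secret() {
  token=$(gcloud auth print-access-token) || return 1
  secret_manifest "$token" | kubectl apply -f -
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then refresh_pull_secret; fi
```

Because kubectl apply updates the existing secret in place, the imagePullSecrets patch on the service account only needs to be done once.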