linki / mate

Deprecated: Mate manages AWS Route53 and Google CloudDNS records for your Kubernetes services and ingresses. (moved from https://github.com/zalando-incubator/mate)
MIT License

Document Google service account configuration #36

Open paultiplady opened 7 years ago

paultiplady commented 7 years ago

I'm getting the following error while running mate v0.3.0 in GCE:

time="2016-12-29T20:43:03Z" level=fatal msg="Error applying change for qwil-builds/builds.qwil.co: Unable to create change for <project>/<zone>: googleapi: Error 403: Insufficient Permission, insufficientPermissions"

I'm sure this is because the Service Account being used doesn't have permissions on Google Cloud DNS.

How is mate assuming that the Service accounts have been configured? Does the default node service account have to have the DNS permissions added? A few words in the docs on configuring this would be helpful.

I'm hoping there's a better way than just adding the permissions to the project-wide service account, which isn't viable in a production cluster (but would still be viable in a test/build cluster). Other similar projects (e.g. https://github.com/PalmStoneGames/kube-cert-manager/) read a service account JSON blob from a mounted volume, which seems to be a good general approach.

Raffo commented 7 years ago

I'm not entirely sure about the details of this, which is why I'm adding @linki, who'll be able to answer clearly. Also, we actually used this with GKE (Container Engine) and not with a custom installation on GCE. We're definitely looking forward to making it usable in all the Google Cloud environments.

paultiplady commented 7 years ago

Thanks! I'm running in GKE too -- as far as I'm aware the GKE default service account is the GCE node's service account, which defaults to the GCP project's default service account. I could be mistaken on that though.

linki commented 7 years ago

@paultiplady You're right, by default mate assumes the service account permissions of the nodes, which are based on the default service account by default, afaik. However, you can mount a secret containing the service account credentials json and it will use the corresponding service account.

I documented the different options for GCP and AWS over at https://github.com/zalando-incubator/mate/pull/43.

Small disclaimer: mounting the credentials file is currently untested with mate but it works fine on some of our other projects.
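One way to wire up the mounted-credentials option linki describes, as an added example that is not mate's own manifest: it assumes mate picks the key up through the GOOGLE_APPLICATION_CREDENTIALS environment variable (the standard Google client-library convention, not confirmed in this thread), and the secret name, mount path, key file name and image tag are placeholders. The key belongs to a dedicated service account granted only the Cloud DNS role, not the project-wide default account.

```yaml
# Added example, not mate's own manifest. Assumes mate reads the key path
# from GOOGLE_APPLICATION_CREDENTIALS like the Google client libraries.
#
# 1. Create a dedicated service account with only the Cloud DNS role and
#    download a JSON key for it (file name is a placeholder).
# 2. Store that key as a namespaced Secret:
#    kubectl create secret generic mate-gcp-credentials \
#        --from-file=credentials.json=./mate-dns-sa-key.json
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mate
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mate
  template:
    metadata:
      labels:
        app: mate
    spec:
      containers:
        - name: mate
          image: mate:<version>          # placeholder image tag
          env:
            # Points the Google client at the mounted key file.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /etc/mate/gcp/credentials.json
          volumeMounts:
            - name: gcp-credentials
              mountPath: /etc/mate/gcp
              readOnly: true             # the pod never needs to write the key
      volumes:
        - name: gcp-credentials
          secret:
            secretName: mate-gcp-credentials
            defaultMode: 0400            # key readable only by the container user
```

Secrets are only base64-encoded in the API, so restrict RBAC read access to this namespace and rotate the key on the same schedule as other service account keys.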

paultiplady commented 7 years ago

:+1: thanks for the info, this will work well for my usecase then.