如何在通过 Kubernetes 运行的 GKE 上设置 GOOGLE_APPLICATION_CREDENTIALS [英] How to set GOOGLE_APPLICATION_CREDENTIALS on GKE running through Kubernetes
问题描述
在 kubernetes 的帮助下,我在 GKE 上运行日常作业,每天基于 kubernetes 中配置的 cron 启动一个新容器并尝试将一些数据插入 BigQuery.
with the help of kubernetes I am running daily jobs on GKE, On a daily basis based on cron configured in kubernetes a new container spins up and try to insert some data into BigQuery.
我们的设置是我们在一个项目中的 GCP 中有 2 个不同的项目,我们在另一个项目中维护 BigQuery 中的数据,我们运行所有 GKE,因此当 GKE 必须与不同的项目资源交互时,我猜我必须设置一个名为 GOOGLE_APPLICATION_CREDENTIALS 的环境变量,它指向一个服务帐户 json 文件,但是由于 kubernetes 每天都在启动一个新容器,我不确定应该如何以及在哪里设置这个变量.
The setup that we have is we have 2 different projects in GCP in one project we maintain the data in BigQuery in other project we have all the GKE running so when GKE has to interact with different project resource my guess is I have to set an environment variable with name GOOGLE_APPLICATION_CREDENTIALS which points to a service account json file, but since every day kubernetes is spinning up a new container I am not sure how and where I should set this variable.
提前致谢!
---
apiVersion: v1
kind: Secret
metadata:
name: my-data-service-account-credentials
type: Opaque
data:
sa_json: "bas64JsonServiceAccount"
---
apiVersion: v1
kind: Pod
metadata:
name: adtech-ads-apidata-el-adunit-pod
spec:
containers:
- name: adtech-ads-apidata-el-adunit-container
volumeMounts:
- name: service-account-credentials-volume
mountPath: "/etc/gcp"
readOnly: true
volumes:
- name: service-account-credentials-volume
secret:
secretName: my-data-service-account-credentials
items:
- key: sa_json
path: sa_credentials.json
<小时>
这是我们用于加载 AdUnit 数据的 cron 作业
apiVersion: batch/v2alpha1
kind: CronJob
metadata:
name: adtech-ads-apidata-el-adunit
spec:
schedule: "*/5 * * * *"
suspend: false
concurrencyPolicy: Replace
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 10
jobTemplate:
spec:
template:
spec:
containers:
- name: adtech-ads-apidata-el-adunit-container
image: {{.image}}
args:
- -cp
- opt/nyt/DFPDataIngestion-1.0-jar-with-dependencies.jar
- com.nyt.cron.AdUnitJob
env:
- name: ENV_APP_NAME
value: "{{.env_app_name}}"
- name: ENV_APP_CONTEXT_NAME
value: "{{.env_app_context_name}}"
- name: ENV_GOOGLE_PROJECTID
value: "{{.env_google_projectId}}"
- name: ENV_GOOGLE_DATASETID
value: "{{.env_google_datasetId}}"
- name: ENV_REPORTING_DATASETID
value: "{{.env_reporting_datasetId}}"
- name: ENV_ADBRIDGE_DATASETID
value: "{{.env_adbridge_datasetId}}"
- name: ENV_SALESFORCE_DATASETID
value: "{{.env_salesforce_datasetId}}"
- name: ENV_CLOUD_PLATFORM_URL
value: "{{.env_cloud_platform_url}}"
- name: ENV_SMTP_HOST
value: "{{.env_smtp_host}}"
- name: ENV_TO_EMAIL
value: "{{.env_to_email}}"
- name: ENV_FROM_EMAIL
value: "{{.env_from_email}}"
- name: ENV_AWS_USERNAME
value: "{{.env_aws_username}}"
- name: ENV_CLIENT_ID
value: "{{.env_client_id}}"
- name: ENV_REFRESH_TOKEN
value: "{{.env_refresh_token}}"
- name: ENV_NETWORK_CODE
value: "{{.env_network_code}}"
- name: ENV_APPLICATION_NAME
value: "{{.env_application_name}}"
- name: ENV_SALESFORCE_USERNAME
value: "{{.env_salesforce_username}}"
- name: ENV_SALESFORCE_URL
value: "{{.env_salesforce_url}}"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/etc/gcp/sa_credentials.json"
- name: ENV_CLOUD_SQL_URL
valueFrom:
secretKeyRef:
name: secrets
key: cloud_sql_url
- name: ENV_AWS_PASSWORD
valueFrom:
secretKeyRef:
name: secrets
key: aws_password
- name: ENV_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: secrets
key: dfp_client_secret
- name: ENV_SALESFORCE_PASSWORD
valueFrom:
secretKeyRef:
name: secrets
key: salesforce_password
restartPolicy: OnFailure
<小时>
推荐答案
因此,如果您的 GKE 项目是项目 my-gke
,并且该项目包含您的 GKE 容器需要访问的服务/事物是项目 my-data
,一种方法是:
So, if your GKE project is project my-gke
, and the project containing the services/things your GKE containers need access to is project my-data
, one approach is to:
- 在
my-data
项目中创建一个服务帐户.为其提供所需的任何 GCP 角色/权限(例如roles/bigquery.dataViewer
(如果您有一些my-gke
GKE 容器需要读取的 BigQuery 表).- 为该服务帐号创建一个服务帐号密钥.当您在控制台中按照 https://cloud.google 执行此操作时.com/iam/docs/creating-managing-service-account-keys,您应该自动下载包含 SA 凭据的
.json
文件.
- Create a service account in the
my-data
project. Give it whatever GCP roles/permissions are needed (ex.roles/bigquery. dataViewer
if you have some BigQuery tables that yourmy-gke
GKE containers need to read).- Create a service account key for that service account. When you do this in the console following https://cloud.google.com/iam/docs/creating-managing-service-account-keys, you should automatically download a
.json
file containing the SA credentials.
为这些服务帐户凭据创建 Kubernetes 机密资源.它可能看起来像这样:
Create a Kubernetes secret resource for those service account credentials. It might look something like this:
apiVersion: v1 kind: Secret metadata: name: my-data-service-account-credentials type: Opaque data: sa_json: <contents of running 'base64 the-downloaded-SA-credentials.json'>
- Create a service account key for that service account. When you do this in the console following https://cloud.google.com/iam/docs/creating-managing-service-account-keys, you should automatically download a
在需要访问的容器中安装凭据:
Mount the credentials in the container that needs access:
[...] spec: containers: - name: my-container volumeMounts: - name: service-account-credentials-volume mountPath: /etc/gcp readOnly: true [...] volumes: - name: service-account-credentials-volume secret: secretName: my-data-service-account-credentials items: - key: sa_json path: sa_credentials.json
在容器中设置
GOOGLE_APPLICATION_CREDENTIALS
环境变量以指向挂载凭据的路径:Set the
GOOGLE_APPLICATION_CREDENTIALS
environment variable in the container to point to the path of the mounted credentials:[...] spec: containers: - name: my-container env: - name: GOOGLE_APPLICATION_CREDENTIALS value: /etc/gcp/sa_credentials.json
因此,任何官方 GCP 客户端(例如 GCP Python 客户端、GCP Java 客户端、gcloud CLI 等)都应遵守
GOOGLE_APPLICATION_CREDENTIALS
环境变量,并在发出 API 请求时自动使用您创建的my-data
服务帐户的凭据,并为其装载了凭据.json
文件.With that, any official GCP clients (ex. the GCP Python client, GCP Java Client, gcloud CLI, etc. should respect the
GOOGLE_APPLICATION_CREDENTIALS
env var and, when making API requests, automatically use the credentials of themy-data
service account that you created and mounted the credentials.json
file for.这篇关于如何在通过 Kubernetes 运行的 GKE 上设置 GOOGLE_APPLICATION_CREDENTIALS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
- 为该服务帐号创建一个服务帐号密钥.当您在控制台中按照 https://cloud.google 执行此操作时.com/iam/docs/creating-managing-service-account-keys,您应该自动下载包含 SA 凭据的