GitHub Repository: gitpod-io/gitpod
Path: blob/main/dev/preview/workflow/vm/template/gcr-pull-secret-job.yaml
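---
# CronJob that rebuilds the `image-pull-secret` registry credential for
# eu.gcr.io. At minute 30 of every hour it reads an OAuth access token for the
# VM's first non-default service account from the instance metadata endpoint,
# wraps it in a Docker config.json and applies it as a dockerconfigjson Secret.
#
# NOTE(review): the Secret ends up holding a live cloud access token, readable
# by anything allowed to `get` it; confirm the VM service account is scoped to
# registry read access only.
# NOTE(review): the metadata endpoint may return a cached token with well under
# an hour of validity left; confirm an hourly schedule keeps the pull secret
# usable between runs.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: gcr-refresh-token
spec:
  schedule: "30 * * * *"
  successfulJobsHistoryLimit: 1
  suspend: false
  # Forbid: a run is skipped while the previous one is still active.
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: 60
      template:
        spec:
          serviceAccountName: gcr-refresh-token
          containers:
            - name: gcr-refresh-token
              # NOTE(review): `latest-dev` is a mutable tag and this container
              # handles a registry credential; consider pinning by digest
              # (chainguard/kubectl@sha256:<digest-placeholder>).
              image: chainguard/kubectl:latest-dev
              command:
                - /bin/sh
                - -c
                - |-
                  # Stop on the first failed command or unset variable so a broken
                  # run never replaces a working pull secret with an empty one.
                  set -eu
                  # Keep the credential file private to this user.
                  umask 077

                  ACCOUNTS=$(wget -q -O - --header "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/" | tr -d '\r')
                  # NOTE(review): confirm the listing format; if entries carry a
                  # trailing slash, "^default$" will not filter the default account.
                  NON_DEFAULT_ACCOUNTS=$(echo "$ACCOUNTS" | grep -v "^default$" || true)
                  FIRST_NON_DEFAULT_ACCOUNT=$(echo "$NON_DEFAULT_ACCOUNTS" | head -1)
                  if [ -z "$FIRST_NON_DEFAULT_ACCOUNT" ]; then
                    echo "No non-default service account found in instance metadata" >&2
                    exit 1
                  fi

                  TOKEN=$(wget -q -O - --header "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/$FIRST_NON_DEFAULT_ACCOUNT/token")
                  ACCESS_TOKEN=$(echo "$TOKEN" | grep -o '"access_token": *"[^"]*"' | sed 's/"access_token": *"\([^"]*\)"/\1/')
                  if [ -z "$ACCESS_TOKEN" ]; then
                    echo "Metadata response did not contain an access_token" >&2
                    exit 1
                  fi

                  # NOTE(review): `_dcgcloud_token` looks like the legacy gcloud
                  # username; `oauth2accesstoken` is the documented one - confirm.
                  AUTH_TOKEN=$(echo -n "_dcgcloud_token:${ACCESS_TOKEN}" | base64 -w0)

                  # Create Docker config.json
                  cat << EOF > /tmp/config.json
                  {
                    "auths": {
                      "eu.gcr.io": {
                        "auth": "${AUTH_TOKEN}"
                      }
                    }
                  }
                  EOF

                  # To avoid the deletion/creation we can run dry-run and then apply
                  kubectl create secret generic image-pull-secret \
                    --from-file=.dockerconfigjson=/tmp/config.json \
                    --type=kubernetes.io/dockerconfigjson \
                    -o yaml --dry-run=client | kubectl apply --server-side --force-conflicts -f -

                  # Name the Secret that was actually written (image-pull-secret).
                  echo "Secret image-pull-secret was successfully updated at $(date)"
          restartPolicy: Never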
---
# Role for the token-refresh job: get/create/patch on the single Secret
# `image-pull-secret` in the core API group, and nothing else.
# NOTE(review): Kubernetes RBAC documents that `create` generally cannot be
# restricted by resourceNames; confirm that first-time creation of the Secret
# through server-side apply is authorized by this rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gcr-refresh-token-access-to-secrets-role
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - image-pull-secret
    verbs: [get, create, patch]
---
# Grants the gcr-refresh-token ServiceAccount the secrets Role above it in
# this file's naming scheme (gcr-refresh-token-access-to-secrets-role).
# No namespace is set on the binding or on the subject.
# NOTE(review): presumably both resolve to the namespace the manifest is
# applied into - confirm against the caller.
# NOTE(review): roleRef.apiGroup is left empty; the documented value is
# rbac.authorization.k8s.io - confirm the API server defaults it as expected.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gcr-refresh-token-role-binding
roleRef:
  kind: Role
  name: gcr-refresh-token-access-to-secrets-role
  apiGroup: ''
subjects:
  - kind: ServiceAccount
    name: gcr-refresh-token
    apiGroup: ''
---
# Identity the CronJob pod runs as (serviceAccountName: gcr-refresh-token);
# its API permissions come only from the RoleBinding that names it.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: gcr-refresh-token