Commit 98b7d05

example: use ServiceAccount for cluster authentication

1 parent 9dfcbe1 commit 98b7d05

2 files changed: +127 -1 lines changed

examples/kubernetes-multi-service/README.md

Lines changed: 72 additions & 0 deletions
@@ -3,3 +3,75 @@ name: Develop multiple services in Kubernetes
33
description:Get started with Kubernetes development.
44
tags:[cloud, kubernetes]
55
---
6+
7+
#Authentication
8+
9+
This template has several ways to authenticate to a Kubernetes cluster.
10+
11+
##kubeconfig (Coder host)
12+
13+
If the Coder host has a local`~/.kube/config`, this can be used to authenticate with Coder. Make sure this is on the same user running the`coder` service.
14+
15+
##ServiceAccount
16+
17+
Create a ServiceAccount and role on your cluster to authenticate your template with Coder.
18+
19+
1. Run the following command on a device with Kubernetes context:
20+
21+
```sh
22+
CODER_NAMESPACE=default
23+
kubectl apply -n$CODER_NAMESPACE -f -<<EOF
24+
apiVersion: v1
25+
kind: ServiceAccount
26+
metadata:
27+
name: coder
28+
---
29+
apiVersion: rbac.authorization.k8s.io/v1
30+
kind: Role
31+
metadata:
32+
name: coder
33+
rules:
34+
- apiGroups: ["", "apps", "networking.k8s.io"] # "" indicates the core API group
35+
resources: ["persistentvolumeclaims", "pods", "deployments", "services", "secrets", "pods/exec","pods/log", "events", "networkpolicies", "serviceaccounts"]
36+
verbs: ["create", "get", "list", "watch", "update", "patch", "delete", "deletecollection"]
37+
- apiGroups: ["metrics.k8s.io", "storage.k8s.io"]
38+
resources: ["pods", "storageclasses"]
39+
verbs: ["get", "list", "watch"]
40+
---
41+
apiVersion: rbac.authorization.k8s.io/v1
42+
kind: RoleBinding
43+
metadata:
44+
name: coder
45+
subjects:
46+
- kind: ServiceAccount
47+
name: coder
48+
roleRef:
49+
kind: Role
50+
name: coder
51+
apiGroup: rbac.authorization.k8s.io
52+
EOF
53+
```
54+
55+
1. Use the following commands to fetch the values:
56+
57+
**Cluster IP:**
58+
59+
```sh
60+
kubectl cluster-info | grep "control plane"
61+
```
62+
63+
**CA certificate**
64+
65+
```sh
66+
kubectl get secrets -n$CODER_NAMESPACE -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='coder')].data['ca\.crt']}{'\n'}"
67+
```
68+
69+
**Token**
70+
71+
```sh
72+
kubectl get secrets -n$CODER_NAMESPACE -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='coder')].data['token']}{'\n'}"
73+
```
74+
75+
**Namespace**
76+
77+
This should be the same as`$CODER_NAMESPACE`,setin step 1.
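Review bot: the **CA certificate** and **Token** commands in this hunk only work if a token Secret annotated `kubernetes.io/service-account.name: coder` exists in `$CODER_NAMESPACE`, and nothing in step 1 creates one; on clusters that no longer auto-generate a token Secret for every ServiceAccount (Kubernetes 1.24 and later) both commands print an empty line and the reader is left with no values to paste. Add a step that creates a long-lived Secret of type `kubernetes.io/service-account-token` carrying that annotation (or mints a token with `kubectl create token coder -n $CODER_NAMESPACE`), and say that the printed values are base64-encoded as stored in the Secret. Two smaller points on the same hunk: the Role grants `create`, `update`, `delete` and `deletecollection` on `secrets`, `serviceaccounts` and `pods/exec` across the entire namespace, so the Coder account can read every Secret there and exec into any pod in it; the text should state that the namespace is expected to be dedicated to Coder workspaces and that these rules are broader than a minimal template needs. And the heading **Cluster IP** is misleading, since `kubectl cluster-info | grep "control plane"` prints a sentence containing the API server URL (`https://host:port`), which is what the provider's `host` argument expects; say "API server URL" and tell the reader to copy only the URL.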

examples/kubernetes-multi-service/main.tf

Lines changed: 55 additions & 1 deletion
@@ -11,8 +11,62 @@ terraform {
1111
}
1212
}
1313

14+
variable"step1_use_kubeconfig" {
15+
type=bool
16+
sensitive=true
17+
description="Use local ~/.kube/config? (true/false)"
18+
}
19+
20+
variable"step2_cluster_host" {
21+
type=string
22+
sensitive=true
23+
description=<<-EOF
24+
Hint: You can use:
25+
$ kubectl cluster-info | grep "control plane"
26+
27+
28+
Leave blank if using ~/.kube/config (from step 1)
29+
EOF
30+
}
31+
32+
variable"step3_certificate" {
33+
type=string
34+
sensitive=true
35+
description=<<-EOF
36+
Use docs at https://github.com/coder/coder/tree/main/examples/kubernetes-multi-service#serviceaccount to create a ServiceAccount for Coder and grab values.
37+
38+
Enter CA certificate
39+
40+
Leave blank if using ~/.kube/config (from step 1)
41+
EOF
42+
}
43+
44+
variable"step4_token" {
45+
type=string
46+
sensitive=true
47+
description=<<-EOF
48+
Enter token (refer to docs at https://github.com/coder/coder/tree/main/examples/kubernetes-multi-service#serviceaccount)
49+
50+
Leave blank if using ~/.kube/config (from step 1)
51+
EOF
52+
}
53+
54+
variable"step5_coder_namespace" {
55+
type=string
56+
sensitive=true
57+
description=<<-EOF
58+
Enter namespace (refer to docs at https://github.com/coder/coder/tree/main/examples/kubernetes-multi-service#serviceaccount)
59+
60+
Leave blank if using ~/.kube/config (from step 1)
61+
EOF
62+
}
63+
1464
provider"kubernetes" {
15-
config_path="~/.kube/config"
65+
# Authenticate via ~/.kube/config or a Coder-specific ServiceAccount, depending on admin preferences
66+
config_path=var.step1_use_kubeconfig==true?"~/.kube/config":null
67+
host=var.step1_use_kubeconfig==false? var.step2_cluster_host:null
68+
cluster_ca_certificate=var.step1_use_kubeconfig==false?base64decode(var.step3_certificate):null
69+
token=var.step1_use_kubeconfig==false?base64decode(var.step4_token):null
1670
}
1771

1872
data"coder_workspace""me" {}
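Review bot: `step5_coder_namespace` is declared in this hunk but nothing consumes it; the `provider "kubernetes"` block has no namespace argument, so unless the variable is threaded into each resource's `metadata.namespace` the workspaces are still created in the kubeconfig's default namespace, where the namespace-scoped Role from the README grants the ServiceAccount nothing and every apply fails with a forbidden error. Either wire `var.step5_coder_namespace` into the pod and PVC resources or drop the variable. On the provider block itself, `var.step1_use_kubeconfig == true ? "~/.kube/config" : null` and the three `== false` comparisons read more clearly as `var.step1_use_kubeconfig ? "~/.kube/config" : null` and `!var.step1_use_kubeconfig ? ... : null`. Marking the boolean toggle and the namespace name `sensitive = true` only hides them from plan output without protecting anything; reserve `sensitive` for `step3_certificate` and `step4_token`. Finally, because the block calls `base64decode()` on both `step3_certificate` and `step4_token`, the descriptions for those two variables should state that the value must be pasted base64-encoded exactly as the README's `kubectl get secrets ... jsonpath` commands print it, otherwise a user who pastes a decoded PEM or JWT gets a confusing decode error.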
