Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify which values need to be passed in the Secret. #10

Open
patrocinio opened this issue Sep 7, 2018 · 2 comments
Open

Clarify which values need to be passed in the Secret. #10

patrocinio opened this issue Sep 7, 2018 · 2 comments

Comments

@patrocinio
Copy link

The documentation to specify either (access-key + secret-key) or (api-key + service-instance-id):

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
type: ibm/ibmc-s3fs
metadata:
  name: test-secret
  namespace: <NAMESPACE_NAME>
data:
  access-key: <access key encoded in base64 (when not using IAM OAuth)>
  secret-key: <secret key encoded in base64 (when not using IAM OAuth)>
  api-key: <api key encoded in base64 (for IAM OAuth)>
  service-instance-id: <service-instance-id encoded in base64 (for IAM OAuth + bucket creation)>
EOF

Here are the values from my COS instance:

{
  "apikey": "...",
  "endpoints": "https://cos-service.bluemix.net/endpoints",
  "iam_apikey_description": "Auto generated apikey during resource-key operation for Instance - crn:v1:bluemix:public:cloud-object-storage:global:a/3fffae21e3b21d6ea72bab695ad1df00:a91941a2-f3a4-4726-91e6-6f0dcb499687::",
  "iam_apikey_name": "auto-generated-apikey-b93070f7-094f-4768-b3d3-08a8bc5c173b",
  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
  "iam_serviceid_crn": "...",
  "resource_instance_id": "..."
}

Which values should I specify?

This is the error I am getting when I specify api-key + service-instance-id:

Broadcast message from systemd-journald@kube-worker2 (Fri 2018-09-07 16:16:58 UTC):

s3fs[19657]: s3fs: if one access key is specified, both keys need to be specified.

Thanks!
@nkkashyap
Copy link
Member

@patrocinio Hi
For IAM, we have to use apikey: and resource_instance_id: from the service credentials.
Convert these value to base64 and set as api-key: & service-instance-id: in following cmd

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
type: ibm/ibmc-s3fs
metadata:
  name: test-secret
  namespace: <NAMESPACE_NAME>
data:
  api-key: <api key encoded in base64 (for IAM OAuth)>
  service-instance-id: <service-instance-id encoded in base64 (for IAM OAuth + bucket creation)>
EOF

Some time, the key value may corrupt during copy-paste operation, I recommend to use the utility
create-k8s-secret(https://github.com/IBM/ibmcloud-object-storage-plugin/tree/master/tools/IBM)

To use the utility

  1. Log into IBM Cloud CLI
    $ ibmcloud login -a api.ng.bluemix.net -u <user id>
  2. Export Kube-Config
    $ export KUBECONFIG=<armada cluster config file>
  3. Get the list of service instances
    $ ibmcloud resource service-instances
  4. Get the list of service keys under the service instance
    $ ibmcloud resource service-keys --instance-name <instance name>
  5. Execute create-k8s-secret as follows
    ./create-k8s-secret iam <service-key> <secret name> <K8S namespace

@patrocinio
Copy link
Author

Thanks, @nkkashyap
I will try apikey and resource_instance_id again.
Notice I am not using IKS / Armada.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@patrocinio @nkkashyap