Use Google Default Credentials Model #1

Open
meggieveggie opened this issue May 11, 2020 · 1 comment
Comments

@meggieveggie

Describe the problem

Generally, when using the Google Cloud credentials model, if you set GOOGLE_APPLICATION_CREDENTIALS the application will look for the credentials at that specified path. This allows volume mounts in Docker containers to be smoother, because when you mount a volume in something like Kubernetes, the volume will overwrite any files in the volume directory. Hence, if you attempted to do something like this:

```yaml
containers:
  - name: gsuite-permission-sync
    image: quay.io/google-cloud-tools/grafana-permission-sync:v1.0.6
    imagePullPolicy: IfNotPresent
    resources: {}
    args:
      - --configPath=/app/config/config.yaml
    env:
      - name: GRAFANA_PASS
        valueFrom:
          secretKeyRef:
            name: grafana
            key: admin-password
    volumeMounts:
      - name: gsuite-config
        mountPath: "/app/config"
      # this is the mount the issue describes: the credentials land on /app,
      # the same directory that holds the binary
      - name: gsuite-credentials
        mountPath: /app/
        subPath: credentials.json
        readOnly: true
```

This will overwrite the binary found in /app; however, this is the directory in which the application looks for credentials.json.

Proposed Solution

If you used the GOOGLE_APPLICATION_CREDENTIALS approach, you could do something like this:

```yaml
containers:
  - name: gsuite-permission-sync
    image: quay.io/google-cloud-tools/grafana-permission-sync:v1.0.6
    imagePullPolicy: IfNotPresent
    resources: {}
    args:
      - --configPath=/app/config/config.yaml
    env:
      - name: GRAFANA_PASS
        valueFrom:
          secretKeyRef:
            name: grafana
            key: admin-password
      # standard Google Application Default Credentials variable: the full
      # path of the service-account key file
      - name: GOOGLE_APPLICATION_CREDENTIALS
        value: /app/credentials/credentials.json
    volumeMounts:
      - name: gsuite-config
        mountPath: "/app/config"
      # with subPath, mountPath is the file itself, so it must be the full file
      # path; mounting at /app/credentials would make /app/credentials the file
      # and /app/credentials/credentials.json would not exist. Note that subPath
      # mounts do not pick up later updates to the Secret.
      - name: gsuite-credentials
        mountPath: /app/credentials/credentials.json
        subPath: credentials.json
        readOnly: true
```

This would look for the credentials specifically in the folder /app/credentials. I'm not sure whether this is currently possible but just undocumented, but when I try the above I get the following error:

"msg":"unable to create google directory service","error":"open /app/credentials.json: no such file or directory"
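The resolution order the issue asks for, and the two mount mistakes that both surface as an opaque "no such file or directory", as an added Go example (not code from grafana-permission-sync or from either participant). The precedence (explicit config value, then GOOGLE_APPLICATION_CREDENTIALS, then the legacy file next to the binary), the function names and the diagnostic wording are assumptions made for this example; the key file it writes is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

const envVar = "GOOGLE_APPLICATION_CREDENTIALS"

// resolveCredentialsPath returns the key-file path and which source chose it.
// Precedence is an assumption for this example: config value, then the
// GOOGLE_APPLICATION_CREDENTIALS variable, then the legacy default. lookupEnv
// is injected so the logic can be tested without touching the real environment.
func resolveCredentialsPath(configPath string, lookupEnv func(string) (string, bool), legacyDefault string) (path, source string) {
	if configPath != "" {
		return configPath, "config"
	}
	if v, ok := lookupEnv(envVar); ok && v != "" {
		return v, "env"
	}
	return legacyDefault, "default"
}

// checkCredentialsFile replaces the bare ENOENT with an actionable error:
// a Secret mounted as a directory where a file was expected, a subPath file
// mounted where a directory was expected (a path component is a regular file),
// or a JSON file that is not a service-account key.
func checkCredentialsFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		if f := firstFileAncestor(path); f != "" {
			return fmt.Errorf("credentials %q: %q is a regular file, not a directory; with subPath the key is mounted at mountPath itself, so set %s=%s or mount at the full file path", path, f, envVar, f)
		}
		return fmt.Errorf("credentials %q: %w", path, err)
	}
	if info.IsDir() {
		return fmt.Errorf("credentials %q is a directory; point %s at a file inside the mount", path, envVar)
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return fmt.Errorf("credentials %q: %w", path, err)
	}
	var key struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal(raw, &key); err != nil {
		return fmt.Errorf("credentials %q: not valid JSON: %w", path, err)
	}
	if key.Type != "service_account" {
		return fmt.Errorf("credentials %q: type %q, expected \"service_account\"", path, key.Type)
	}
	return nil
}

// firstFileAncestor walks up from path and returns the nearest existing parent
// that is a regular file, or "" if the first existing parent is a directory.
func firstFileAncestor(path string) string {
	for p := filepath.Dir(path); ; p = filepath.Dir(p) {
		if info, err := os.Stat(p); err == nil {
			if !info.IsDir() {
				return p
			}
			return ""
		}
		if p == filepath.Dir(p) { // reached "/" or "." without a hit
			return ""
		}
	}
}

// demoSubPathPitfall rebuilds in a temp dir what the issue's proposed manifest
// produces: the key mounted via subPath at .../app/credentials (a file) while
// the env var names .../app/credentials/credentials.json. Returns the diagnostic.
func demoSubPathPitfall() (string, error) {
	dir, err := os.MkdirTemp("", "gps-demo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	mountPath := filepath.Join(dir, "app", "credentials")
	if err := os.MkdirAll(filepath.Dir(mountPath), 0o700); err != nil {
		return "", err
	}
	// constructed placeholder, not a real key
	if err := os.WriteFile(mountPath, []byte(`{"type":"service_account"}`), 0o600); err != nil {
		return "", err
	}
	if err := checkCredentialsFile(filepath.Join(mountPath, "credentials.json")); err != nil {
		return err.Error(), nil
	}
	return "", nil
}

func main() {
	path, source := resolveCredentialsPath("", os.LookupEnv, "/app/credentials.json")
	fmt.Printf("would read %s (chosen by %s)\n", path, source)
	msg, err := demoSubPathPitfall()
	fmt.Println("subPath pitfall diagnostic:", msg, err)
}
```

Run with `GOOGLE_APPLICATION_CREDENTIALS=/app/credentials/credentials.json go run .` to see the variable win over the legacy default; the demo shows the "regular file, not a directory" hint that the original `/app/credentials` + `subPath` mount would trigger.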
@Nosmoht

Nosmoht commented Mar 26, 2021

Hi all,

I got it working using the environment variable GOOGLE_APPLICATION_CREDENTIALS. Here's the code I'm using right now. Not finalized, but at least working:

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana-permission-sync
  labels:
    app: grafana-permission-sync
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana-permission-sync
  template:
    metadata:
      labels:
        app: grafana-permission-sync
    spec:
      containers:
        - name: grafana-permission-sync
          image: quay.io/google-cloud-tools/grafana-permission-sync:v1.0.9
          args:
            - --configPath=/app/config/config.yaml
          env:
            - name: GRAFANA_PASS
              valueFrom:
                secretKeyRef:
                  name: grafana-permission-sync-grafana-admin
                  key: GRAFANA_PASS
            # points at the key file inside the Secret mount below
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /app/credentials/credentials.json
          volumeMounts:
            - mountPath: /app/config
              name: config
            # whole Secret mounted as a directory (no subPath), so the
            # credentials.json key appears as /app/credentials/credentials.json
            - mountPath: /app/credentials
              name: google-credentials
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: grafana-permission-sync
        - name: google-credentials
          secret:
            secretName: grafana-permission-sync-google-credentials
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-permission-sync
data:
  config.yaml: |
    grafana:
      url: http://grafana.example.com
      user: admin
    google:
      # same path as GOOGLE_APPLICATION_CREDENTIALS above
      credentialsPath: /app/credentials/credentials.json
      adminEmail: [email protected]
      domain: example.com
    rules:
      - groups:
          - [email protected]
        orgs:
          - "Example Org."
        role: Admin
      - groups:
          - [email protected]
        orgs:
          - "Example Org."
        role: Viewer
---
apiVersion: v1
kind: Secret
metadata:
  name: grafana-permission-sync-grafana-admin
data:
  # values under data must be base64-encoded
  GRAFANA_PASS: ...
---
apiVersion: v1
kind: Secret
metadata:
  name: grafana-permission-sync-google-credentials
data:
  # base64 of the service-account key JSON
  credentials.json: ...
```
