San Jaisy

Reputation: 17128

Authenticate private google cloud artifact registry from Tekton Pipeline

I have a local setup of Tekton Pipeline, which has tasks to clone and build the application. The code base is in Java, so it clones the code from Bitbucket and does a Gradle build.

gradle.build

repositories {
    mavenCentral()
    maven {
        url "artifactregistry://${LOCATION}-maven.pkg.dev/${PROJECT}/${REPOSITORY}"
    }
}

gradle.properties

LOCATION=australia-southeast2
PROJECT=fetebird-350310
REPOSITORY=common

I have set up a service account and passed it to the pipeline run

apiVersion: v1
kind: Secret
metadata:
  name: gcp-secret
  namespace: tekton-pipelines
type: kubernetes.io/opaque
stringData:
  gcs-config: |
    {
      "type": "service_account",
      "project_id": "xxxxx-350310",
      "private_key_id": "28e8xxxxx2642a8a0cd9cd5c2696",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3zOuPTogiZ2kU\nEYsGMCl4lUO48GSLOjOH1lwkQ76zxL\n0F6cfpV/8iwao/9IOqsmKoRPUZcQjqXFMEuCYJNhoScsn4TAYMNBeATVq+2JJ/5T\n2e7YfbbPVue9R36MfTwqDeI=\n-----END PRIVATE KEY-----\n",
      "client_email": "[email protected]",
      "client_id": "xxxxxxxxxxxxxxxxx",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/fetebird%40fetebird-350310.iam.gserviceaccount.com"
    }

service-account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account
secrets:
  - name: git-ssh-auth
  - name: gcp-secret

During the Gradle build, I get an exception:

> Could not resolve fete.bird:common:1.0.1.
2022-06-22T12:43:41.599990295Z          > Could not get resource 'https://australia-southeast2-maven.pkg.dev/fetebird-350310/common/fete/bird/common/1.0.1/common-1.0.1.pom'.
2022-06-22T12:43:41.606630129Z             > Could not GET 'https://australia-southeast2-maven.pkg.dev/fetebird-350310/common/fete/bird/common/1.0.1/common-1.0.1.pom'. Received status code 403 from server: Forbidden


implementation("fete.bird:common:1.0.1") is published on the GCP Artifact Registry.

In local development, the Gradle build is working fine, because the service key is exported as an environment variable: export GOOGLE_APPLICATION_CREDENTIALS="file-location.json"

Pipeline Run

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: run-pipeline
  namespace: tekton-pipelines
spec:
  serviceAccountNames:
    - taskName: clone-repository
      serviceAccountName: git-service-account
    - taskName: build
      serviceAccountName: gcp-service-account
  pipelineRef:
    name: fetebird-discount
  workspaces:
    - name: shared-workspace
      persistentVolumeClaim:
        claimName: fetebird-discount-pvc
  params:
    - name: repo-url
      value: [email protected]:anandjaisy/discount.git

Upvotes: 0

Views: 788

Answers (1)

enigma

Reputation: 1

You mount that service account secret as a volumeMount inside the pod and set an environment variable GOOGLE_APPLICATION_CREDENTIALS="path to secret inside the pod" in the pod/deployment definition.

Upvotes: 0
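The answer above describes the approach but does not show it in Tekton terms. Here is an added example Task, not from the question or the answer, that applies it to the setup in the question: the `gcp-secret` Secret (whose key is `gcs-config`) is mounted as a read-only volume into the build step, and GOOGLE_APPLICATION_CREDENTIALS is pointed at the mounted file so the Artifact Registry resolver picks it up through Application Default Credentials exactly as it does locally. The Task name, the Gradle image tag, the workspace name and the mount path are assumptions.

```yaml
# Added example (not the asker's or answerer's code). Assumed: Task name
# "build", image "gradle:7-jdk17", workspace "shared-workspace" and the
# mount path /var/secrets/google. The Secret "gcp-secret" with key
# "gcs-config" is the one shown in the question.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build
  namespace: tekton-pipelines
spec:
  workspaces:
    - name: shared-workspace   # cloned source, shared with the clone task
  volumes:
    - name: gcp-credentials
      secret:
        secretName: gcp-secret
        defaultMode: 0400      # key file readable only by the step's user
        items:
          - key: gcs-config    # expose only this key, as a file named key.json
            path: key.json
  steps:
    - name: gradle-build
      image: gradle:7-jdk17    # assumption: any JDK + Gradle image works
      workingDir: $(workspaces.shared-workspace.path)
      env:
        # Same variable the local build relies on; ADC reads this path.
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
      volumeMounts:
        - name: gcp-credentials
          mountPath: /var/secrets/google
          readOnly: true
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # Fail fast with a clear message if the key was not mounted,
        # instead of a 403 deep inside dependency resolution.
        test -r "$GOOGLE_APPLICATION_CREDENTIALS" || {
          echo "service account key not mounted at $GOOGLE_APPLICATION_CREDENTIALS" >&2
          exit 1
        }
        gradle build --no-daemon
```

Two points worth knowing when wiring this up. First, listing `gcp-secret` under a ServiceAccount's `secrets:` (as the question does) does not put the key file into the step's container; Tekton's credential initialisation only processes `kubernetes.io/basic-auth` and `kubernetes.io/ssh-auth` secrets carrying `tekton.dev/git-*` or `tekton.dev/docker-*` annotations, so an Opaque JSON key is ignored and the build falls through to an anonymous request, which is what the 403 shows. Second, the `artifactregistry://` scheme in the build script is resolved by Google's Artifact Registry Gradle plugin, which obtains its token from Application Default Credentials; mounting the key and setting the variable is therefore sufficient, and nothing else in the build needs to change. Keep the mount read-only and restricted to the single key so the credential is not copied into the workspace or build outputs.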
