
5. Define a Service Account

Before running the pipeline, we need to set up a service account. In OpenShift, a service account is associated with a username and can be granted roles to control access to protected resources. A service account can use secrets containing credentials for authentication along with RBAC-related resources for permission to create and modify relevant Kubernetes resources.

Set up IBM Cloud Container Registry (ICR) as a private registry on Red Hat OpenShift

Red Hat OpenShift on IBM Cloud clusters are also set up by default with an internal registry that stores images locally in your cluster. You can use either the internal registry on OpenShift or the private IBM Cloud Container Registry (ICR), in combination or separately. For instance, you could create an ImageStream on your cluster, pull copies of images in ICR to the internal private registry, and in a deployment use the image from the internal private registry.

In this workshop, we use only the private IBM Cloud Container Registry (ICR). Before the pipeline can push to or pull from it, ICR must be set up as a private registry on Red Hat OpenShift, which is what the following steps do.

Create a new IBM Cloud API Key or use an existing IBM Cloud API Key

$ USERNAME=<your username>

$ ibmcloud iam api-key-create $USERNAME-tekton-apikey -d "apikey for tekton task in openshift" --file apikey-tekton.json
Creating API key user1-tekton-apikey under e65910fa61ce9072d64902d03f3d4774 as user1@email.com...OK
API key user1-tekton-apikey was created
Successfully save API key information to apikey-tekton.json

$ IBMCLOUD_APIKEY=$(jq -r ".apikey" apikey-tekton.json)
$ echo $IBMCLOUD_APIKEY

The echo only confirms that the variable was set. The value is a live IBM Cloud credential, so once the secrets below exist, delete apikey-tekton.json and avoid leaving the key in shell history or terminal logs.

$ oc create secret generic ibm-cr-push-secret --type="kubernetes.io/basic-auth" --from-literal=username=iamapikey --from-literal=password=$IBMCLOUD_APIKEY

secret/ibm-cr-push-secret created

$ oc annotate secret ibm-cr-push-secret tekton.dev/docker-0=us.icr.io

secret/ibm-cr-push-secret annotated

Set REGISTRY_ROUTE to the ICR registry host you annotated on the push secret above (us.icr.io), then create the pull secret:

$ REGISTRY_ROUTE=us.icr.io
$ EMAIL=user1v@email.com
$ oc create secret docker-registry ibm-cr-pull-secret --docker-server=$REGISTRY_ROUTE --docker-username=iamapikey --docker-password=$IBMCLOUD_APIKEY --docker-email=$EMAIL

Next, create the service account and its related resources with the following YAML, saved as tekton/pipeline-account.yaml.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipeline-account
secrets:
- name: ibm-cr-push-secret

---

apiVersion: v1
kind: Secret
metadata:
  name: kube-api-secret
  annotations:
    kubernetes.io/service-account.name: pipeline-account
type: kubernetes.io/service-account-token

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pipeline-role
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "create", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "create", "update", "patch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipeline-role
subjects:
- kind: ServiceAccount
  name: pipeline-account

This YAML creates the following Kubernetes resources:

  • A ServiceAccount named pipeline-account. The service account references the annotated ibm-cr-push-secret secret so that the pipeline authenticates to your private container registry when it pushes and pulls a container image from the private ICR.

  • A Secret named kube-api-secret which contains a token (generated by Kubernetes) for accessing the Kubernetes API. This allows the pipeline to use kubectl or oc to talk to your cluster. In OpenShift, a controller loop ensures a Secret with an API token exists for ServiceAccounts. To create our own additional API token for our ServiceAccount, we need to create a Secret of type kubernetes.io/service-account-token with an annotation referencing the ServiceAccount. The controller will update it with a generated token.

  • A Role named pipeline-role which grants the Role-Based Access Control (RBAC) permissions this pipeline needs to create and modify Kubernetes resources, namely Services and Deployments.

  • A RoleBinding named pipeline-role-binding, which binds the Role to the ServiceAccount.

Apply the file to your cluster to create the service account and related resources.

$ oc apply -f tekton/pipeline-account.yaml
serviceaccount/pipeline-account created
secret/kube-api-secret created
role.rbac.authorization.k8s.io/pipeline-role created
rolebinding.rbac.authorization.k8s.io/pipeline-role-binding created

Our pipeline-account is now authorized to get, create, update and patch Services and Deployments. Because a Role and a RoleBinding are namespaced, this grant applies only in the current project (namespace), and not cluster-wide.
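As an added example that is not part of the workshop, the following Python audit checks a manifest like the one above against a least-privilege policy: no wildcard or destructive verbs, no access to resources that let a subject widen its own permissions (secrets, serviceaccounts, roles, rolebindings), and a RoleBinding that refers only to a Role and ServiceAccount defined in the same manifest. The policy sets WIDE_VERBS and SENSITIVE are assumptions, and PIPELINE_MANIFEST is constructed from the page's YAML; the same functions can be run on the items returned by oc get role,rolebinding,serviceaccount -o json.

```python
from typing import Dict, List

# Grants that let a subject widen its own access; an assumed policy, not from the workshop.
WIDE_VERBS = {"*", "delete", "deletecollection", "escalate", "bind", "impersonate"}
SENSITIVE = {("", "secrets"), ("", "serviceaccounts"),
             ("rbac.authorization.k8s.io", "roles"), ("rbac.authorization.k8s.io", "rolebindings")}

def audit_role(role: Dict) -> List[str]:
    """Flag wildcard, destructive or escalation-prone rules in a single Role."""
    name, findings = role["metadata"]["name"], []
    for rule in role.get("rules", []):
        groups, resources = rule.get("apiGroups", [""]), rule.get("resources", [])
        if "*" in groups or "*" in resources:
            findings.append(f"{name}: wildcard apiGroup/resource in {rule}")
        for verb in sorted(set(rule.get("verbs", [])) & WIDE_VERBS):
            findings.append(f"{name}: verb '{verb}' on {resources} is broader than the pipeline needs")
        for pair in ((g, r) for g in groups for r in resources):
            if pair in SENSITIVE:
                findings.append(f"{name}: access to {pair[1]} can be used to escalate privileges")
    return findings

def audit_manifest(docs: List[Dict]) -> List[str]:
    """Audit every Role and confirm each RoleBinding refers only to objects defined in the manifest."""
    by_kind: Dict[str, Dict[str, Dict]] = {}
    for doc in docs:
        by_kind.setdefault(doc["kind"], {})[doc["metadata"]["name"]] = doc
    findings = []
    for role in by_kind.get("Role", {}).values():
        findings += audit_role(role)
    for binding in by_kind.get("RoleBinding", {}).values():
        bname, ref = binding["metadata"]["name"], binding["roleRef"]
        if ref["kind"] != "Role" or ref["name"] not in by_kind.get("Role", {}):
            findings.append(f"{bname}: roleRef {ref['kind']}/{ref['name']} is not a Role in this manifest")
        for subj in binding.get("subjects", []):
            if subj["kind"] != "ServiceAccount" or subj["name"] not in by_kind.get("ServiceAccount", {}):
                findings.append(f"{bname}: subject {subj['kind']}/{subj['name']} is not a ServiceAccount defined here")
    return findings

# Constructed input: the workshop's tekton/pipeline-account.yaml as the dicts a YAML loader yields (apiVersion dropped).
PIPELINE_MANIFEST = [
    {"kind": "ServiceAccount", "metadata": {"name": "pipeline-account"}, "secrets": [{"name": "ibm-cr-push-secret"}]},
    {"kind": "Secret", "metadata": {"name": "kube-api-secret"}, "type": "kubernetes.io/service-account-token"},
    {"kind": "Role", "metadata": {"name": "pipeline-role"}, "rules": [
        {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "create", "update", "patch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "create", "update", "patch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "pipeline-role-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pipeline-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "pipeline-account"}]},
]
```

Running audit_manifest(PIPELINE_MANIFEST) returns an empty list for the workshop manifest; adding a wildcard verb, a delete verb, or a rule on secrets produces a finding naming the Role and the offending grant.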

Next

Next, go to Create a PipelineRun.