This is an internal documentation. There is a good chance you’re looking for something else. See Disclaimer.
Beside the normal user accounts that are used to login interactively with the openshift client, openshift provides service accounts. With a service accounts you can login interactively as well, but as the name says, this accounts are rather used by services than people.
What Do We Need Service Accounts For?¶
When we do a deployment with teamcity we have to run certain openshift commands like: ‘oc get’ or ‘oc rollout’. These commands have to be executed by an account. That no one has to be logged in all the time with his own account, we use service accounts. With this type of account we just have to login once and the session will stay.
How To Create A Service Account¶
In openshift you can only create service accounts bound to a project and not to the whole cluster. First this seems to be a little bit weird, and yes it is. So it is common sense to create on project just for service accounts. You can easily give permissions for other projects to the service account. The syntax to create an account is very easy, but be sure that you are in the right project.
$ oc create sa teamcity $ oc get sa NAME SECRETS AGE builder 2 57d default 2 57d deployer 2 57d teamcity 2 2S
An example for granting permission to a service account, namely for the teamcity account, can be found in the Ansible Repository.
Login With A Service Account¶
The login with a service account isn’t the common style with username and password. The credentials are replaced with a token. So you only need the token to login. The challenge here is to find the token, but don’t worry we documented it for you.
$ oc project serviceaccounts
$ oc get sa $ oc describe sa teamcity Name: teamcity Namespace: serviceaccounts Labels: <none> Annotations: <none> Image pull secrets: teamcity-dockercfg-9mvt0 Mountable secrets: teamcity-token-fz73r teamcity-dockercfg-9mvt0 Tokens: teamcity-token-fz73r teamcity-token-k25qk
$ oc describe secret teamcity-token-fz73r Name: teamcity-token-fz73r Namespace: serviceaccounts Labels: <none> Annotations: kubernetes.io/service-account.name=teamcity kubernetes.io/service-account.uid=65638a57-c537-11e7-862d-fa163ec9e279 Type: kubernetes.io/service-account-token Data ==== namespace: 20 bytes service-ca.crt: 2235 bytes token: token ca.crt: 1066 bytes
oc login --token= token