Configuring Kubernetes CronJobs with Google Cloud Credentials

This guide explains how to configure Kubernetes CronJobs on Google Kubernetes Engine (GKE) to securely access Google Cloud resources, such as BigQuery, using service account credentials.

Overview

In our setup, we have two separate Google Cloud projects: one for managing data in BigQuery and another for running GKE. To allow GKE to interact with resources in the BigQuery project, we need to set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to a service account JSON file. Since Kubernetes spins up a new container for each job, we will use Kubernetes Secrets to manage these credentials securely.

Step 1: Create a Kubernetes Secret

First, we need to create a Kubernetes Secret that contains the service account credentials. This can be done using the following command:

kubectl create secret generic my-data-service-account-credentials --from-file=sa_json=path/to/your/service-account.json

This command creates a secret named my-data-service-account-credentials that holds the service account JSON file.

Step 2: Define the CronJob

Next, we will define a CronJob that uses this secret. Below is an example configuration:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: adtech-ads-apidata-el-adunit
spec:
  schedule: "*/5 * * * *"  # Runs every 5 minutes
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure  # Jobs accept only OnFailure or Never; the default (Always) is rejected
          containers:
          - name: adtech-ads-apidata-el-adunit-container
            image: your-image-name
            args:
            - -cp
            - opt/nyt/DFPDataIngestion-1.0-jar-with-dependencies.jar
            - com.nyt.cron.AdUnitJob
            env:
              - name: GOOGLE_APPLICATION_CREDENTIALS
                value: "/etc/gcp/sa_credentials.json"
            volumeMounts:
            - name: service-account-credentials-volume
              mountPath: "/etc/gcp"
              readOnly: true
          volumes:
          - name: service-account-credentials-volume
            secret:
              secretName: my-data-service-account-credentials
              items:
              - key: sa_json
                path: sa_credentials.json

Explanation of the CronJob Configuration

  • schedule: Defines how often the job runs. In this case, it runs every 5 minutes.
  • env: Sets the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path where the service account JSON file will be mounted.
  • volumeMounts: Mounts the secret as a volume in the container, making the credentials available at the specified path.
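  • volumes: Specifies the secret to be used as a volume. The items entry maps the sa_json key of the secret to the file name sa_credentials.json under the mount path, which is why the environment variable points to /etc/gcp/sa_credentials.json.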
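
A consistency check for the wiring described above, as an added example that is not part of the original guide: it takes the CronJob as a Python dict (the shape that kubectl get cronjob -o json returns) and confirms that GOOGLE_APPLICATION_CREDENTIALS points at a file actually projected by a secret volume's items, and that the mount is read-only. The function names and the sample data are constructed for illustration.

```python
import posixpath

ENV_NAME = "GOOGLE_APPLICATION_CREDENTIALS"

def check_credentials_wiring(cronjob):
    """Return the problems found; an empty list means the env var points at a
    file projected from a Secret through a read-only mount."""
    pod = cronjob["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    problems = []
    for c in pod.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        target = env.get(ENV_NAME)
        if target is None:
            continue  # this container does not use the key file
        match = None
        for m in c.get("volumeMounts", []):
            secret = volumes.get(m["name"], {}).get("secret") or {}
            # Only the `items` form used in this guide is understood: each
            # listed key is projected at mountPath/path and nothing else is.
            for item in secret.get("items", []):
                path = posixpath.normpath(posixpath.join(m["mountPath"], item["path"]))
                if path == posixpath.normpath(target):
                    match = m
        if match is None:
            problems.append(f"{c['name']}: {target} is not a projected secret file")
        elif not match.get("readOnly", False):
            problems.append(f"{c['name']}: {match['mountPath']} is not mounted readOnly")
    return problems

def sample_cronjob(env_path, read_only=True):
    """Constructed sample mirroring the guide's manifest (only the fields the check reads)."""
    container = {
        "name": "adtech-ads-apidata-el-adunit-container",
        "env": [{"name": ENV_NAME, "value": env_path}],
        "volumeMounts": [{"name": "service-account-credentials-volume",
                          "mountPath": "/etc/gcp", "readOnly": read_only}],
    }
    volume = {"name": "service-account-credentials-volume",
              "secret": {"secretName": "my-data-service-account-credentials",
                         "items": [{"key": "sa_json", "path": "sa_credentials.json"}]}}
    pod = {"containers": [container], "volumes": [volume]}
    return {"spec": {"jobTemplate": {"spec": {"template": {"spec": pod}}}}}

if __name__ == "__main__":
    print(check_credentials_wiring(sample_cronjob("/etc/gcp/sa_credentials.json")))
    print(check_credentials_wiring(sample_cronjob("/etc/gcp/sa_json")))  # key name used instead of path
```

The second call shows the typical mistake: pointing the variable at the secret key name (sa_json) instead of the projected file name, which leaves the client library without a readable key file at run time.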

Conclusion

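By following these steps, you can configure Kubernetes CronJobs on GKE to access Google Cloud resources using service account credentials. This setup keeps the service account key out of the container image and the CronJob manifest, and makes it available only to the containers that mount the Secret. Anyone whose RBAC permissions allow reading Secrets in the namespace can also read the key, so restrict that access to the people and workloads that need it.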