Reputation: 43
I'm struggling to deploy the playbook below (adding a namespace to an Openshift 3.11 cluster):

```yaml
---
- hosts: kubernetesmastergfm
  gather_facts: false
  vars:
    name_namespace: testingnamespace
  tasks:
    - name: Create a k8s namespace
      k8s:
        host: "https://{{ cluster.endpoint }}"
        ca_cert: "/etc/origin/master/ca.crt"     # <-- WHERE IS THIS IN OPENSHIFT 3.11?
        api_key: "/etc/origin/master/admin.key"  # <-- WHERE IS THIS IN OPENSHIFT 3.11?
        validate_certs: no
        name: pippo
        api_version: v1
        kind: Namespace
        state: present
```
I'm getting the error:

```
...
kubernetes.client.rest.ApiException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'Date': 'Tue, 16 Feb 2021 16:05:03 GMT', 'Content-Length': '129', 'Content-Type': 'application/json', 'Cache-Control': 'no-store'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
```
I suspect that the certificates in the path below are wrong: /etc/origin/master/ca.crt /etc/origin/master/admin.key
Any suggestion is welcome. Gian Filippo
Upvotes: 0
Views: 2850
Reputation: 43
Finally I found out another way to authenticate to the API (Openshift) by using k8s_auth rather than k8s. The playbook should look like:

```yaml
- hosts: localhost
  module_defaults:
    group/k8s:
      host: https://openshift-url:8443
      ca_cert: /etc/origin/master/ca.crt   # <<=== THIS IS THE RIGHT PATH FOR OCP 3.11
  tasks:
    - name: Log in (obtain access token)
      k8s_auth:
        username: xxxx
        password: yyyy
      register: k8s_auth_results
```
Upvotes: 0
Reputation: 4614
The api_key parameter is the value of the ServiceAccount token. I think you should paste this token directly as the api_key parameter value, because providing the path to the file with the token doesn't seem to work. I will describe the required steps with a simple example to illustrate how it works.
To find the token name associated with a specific ServiceAccount you can use:

```shell
### kubectl describe sa <SERVICE ACCOUNT NAME> | grep "Token"
# kubectl describe sa namespace-creator | grep "Token"
Tokens:              namespace-creator-token-hs6zn
```

And then to display the value of this token:

```shell
### kubectl describe secret <TOKEN NAME> | grep "token:"
# kubectl describe secret namespace-creator-token-hs6zn | grep "token:"
token:      ey(...)3Q
```
Finally pass this token value as the api_key parameter value:

```yaml
---
...
  tasks:
    - name: Create a k8s namespace
      community.kubernetes.k8s:
        ...
        api_key: "ey(...)3Q"
        validate_certs: no
        ...
```
To find out where the CA certificate is located, you may look at the --client-ca-file parameter of the API server, e.g.:

```shell
# kubectl describe pod kube-apiserver-master -n kube-system | grep "client-ca-file"
      --client-ca-file=/etc/kubernetes/ssl/ca.crt
```

NOTE: If you are using validate_certs: no, you don't need to provide the ca_cert parameter.

Additionally, instead of api_key you can use kubeconfig with the path to an existing Kubernetes config file.
Upvotes: 2
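The 401 in the question comes from passing a file path where the module expects the token itself. The following is an added example (not code from either answer, and not part of the Ansible k8s collection) that makes the distinction concrete: it pulls the token out of a `kubectl get secret <name> -o json` document, decodes the legacy ServiceAccount JWT claims to confirm which account and namespace it belongs to, and classifies an api_key value as a real token, a readable file, a non-existent path, or garbage before it is ever sent to the API server. The secret document and the JWT are constructed here for the example; its signature is a placeholder, so nothing in this script verifies a token, it only inspects one.

```python
import base64
import json
import os
from typing import Dict


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding stripped from a JWT segment before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict[str, object]:
    """Return the payload claims of a JWT without verifying its signature.

    This only inspects which ServiceAccount a token belongs to; the API
    server, not this script, is what validates the signature.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_api_key(value: str) -> str:
    """Say what an api_key value actually is: 'token', 'file', 'missing-path' or 'invalid'."""
    if os.path.isfile(value):
        return "file"
    if value.startswith(("/", "./", "~")):
        # A path that does not exist on this host; the k8s module would still send
        # the literal string as a bearer token and get 401 Unauthorized back.
        return "missing-path"
    try:
        decode_jwt_claims(value)
    except ValueError:  # also covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return "invalid"
    return "token"


def load_api_key(value: str) -> str:
    """Return a usable bearer token, reading it from a file if a file path was given."""
    kind = classify_api_key(value)
    if kind == "file":
        with open(value, encoding="utf-8") as fh:
            return load_api_key(fh.read().strip())
    if kind != "token":
        raise ValueError(f"api_key is {kind}: {value!r}")
    return value


def token_from_secret_json(secret_json: str) -> str:
    """Extract .data.token from `kubectl get secret <name> -o json` output (base64-encoded there)."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("secret is not a ServiceAccount token secret")
    return base64.b64decode(secret["data"]["token"]).decode("utf-8")


def describe_service_account_token(token: str) -> Dict[str, str]:
    """Map a legacy ServiceAccount JWT to the namespace, account and secret it belongs to."""
    claims = decode_jwt_claims(token)
    prefix = "kubernetes.io/serviceaccount/"
    return {
        "namespace": str(claims.get(prefix + "namespace", "")),
        "service_account": str(claims.get(prefix + "service-account.name", "")),
        "secret": str(claims.get(prefix + "secret.name", "")),
    }


# --- Constructed sample data (not captured from a real cluster) -------------
def make_sample_token() -> str:
    """Build a JWT shaped like a legacy ServiceAccount token; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/secret.name": "namespace-creator-token-hs6zn",
        "kubernetes.io/serviceaccount/service-account.name": "namespace-creator",
        "sub": "system:serviceaccount:default:namespace-creator",
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "namespace-creator-token-hs6zn", "namespace": "default"},
    "type": "kubernetes.io/service-account-token",
    "data": {"token": base64.b64encode(make_sample_token().encode()).decode("ascii")},
})


if __name__ == "__main__":
    token = token_from_secret_json(SAMPLE_SECRET_JSON)
    print("token claims:", describe_service_account_token(token))
    for candidate in ("/etc/origin/master/admin.key", token):
        print(f"{candidate[:40]!r:45} -> {classify_api_key(candidate)}")
```

Run as-is it reports the sample token's claims and shows `/etc/origin/master/admin.key` classified as `missing-path`, which is the situation behind the question's 401: Ansible forwarded the path string as the bearer token. In a real playbook the decoded token would be passed via `api_key` (or read from a file with a `lookup('file', ...)`), and `validate_certs` would stay on with the CA from `--client-ca-file` rather than being disabled.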