community.okd.openshift_auth (3.0.1) — module

Authenticate to OpenShift clusters which require an explicit login step

Added in version 0.2.0 of community.okd

Authors: KubeVirt Team (@kubevirt), Fabian von Feilitzsch (@fabianvf)

Install collection

Install with ansible-galaxy collection install community.okd:==3.0.1


Add to requirements.yml

  collections:
    - name: community.okd
      version: 3.0.1

Description

This module handles authenticating to OpenShift clusters requiring I(explicit) authentication procedures, meaning ones where a client logs in (obtains an authentication token), performs API operations using said token and then logs out (revokes the token).

On the other hand, a popular configuration for username+password authentication is one utilizing HTTP Basic Auth, which does not involve any additional login/logout steps (instead, login credentials can be attached to each and every API call performed) and as such is handled directly by the C(k8s) module (and other resource-specific modules) by utilizing the C(host), C(username) and C(password) parameters. Please consult your preferred module's documentation for more details.


Requirements

Usage examples

- name: Example Playbook
  hosts: localhost
  module_defaults:
    group/community.okd.okd:
      host: https://k8s.example.com/
      ca_cert: ca.pem
  tasks:
    - name: Authenticate to OpenShift cluster and get a list of all pods from any namespace
      block:
        # It's good practice to store login credentials in a secure vault and not
        # directly in playbooks.
        - name: Include 'openshift_passwords.yml'
          ansible.builtin.include_vars: openshift_passwords.yml

        - name: Log in (obtain access token)
          community.okd.openshift_auth:
            username: admin
            password: "{{ openshift_admin_password }}"
          register: openshift_auth_results

        # Previous task provides the token/api_key, while all other parameters
        # are taken from module_defaults
        - name: Get a list of all pods from any namespace
          kubernetes.core.k8s_info:
            api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"
            kind: Pod
          register: pod_list

      always:
        - name: If login succeeded, try to log out (revoke access token)
          when: openshift_auth_results.openshift_auth.api_key is defined
          community.okd.openshift_auth:
            state: absent
            api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"

Inputs

    
host:
    description:
    - Provide a URL for accessing the API server.
    required: true
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - If set to I(present) connect to the API server using the URL specified in C(host)
      and attempt to log in.
    - If set to I(absent) attempt to log out by revoking the authentication token specified
      in C(api_key).
    type: str

api_key:
    description:
    - When C(state) is set to I(absent), this specifies the token to revoke.
    type: str

ca_cert:
    aliases:
    - ssl_ca_cert
    description:
    - Path to a CA certificate file used to verify connection to the API server. The full
      certificate chain must be provided to avoid certificate validation errors.
    type: path

password:
    description:
    - Provide a password for authenticating with the API server.
    type: str

username:
    description:
    - Provide a username for authenticating with the API server.
    type: str

validate_certs:
    aliases:
    - verify_ssl
    default: true
    description:
    - Whether or not to verify the API server's SSL certificates.
    type: bool

Outputs

k8s_auth:
  contains:
    api_key:
      description: Authentication token.
      returned: success
      type: str
    ca_cert:
      description: Path to a CA certificate file used to verify connection to the
        API server.
      returned: success
      type: str
    host:
      description: URL for accessing the API server.
      returned: success
      type: str
    username:
      description: Username for authenticating with the API server.
      returned: success
      type: str
    validate_certs:
      description: Whether or not to verify the API server's SSL certificates.
      returned: success
      type: bool
  description: Same as returned openshift_auth. Kept only for backwards compatibility
  returned: success
  type: complex
openshift_auth:
  contains:
    api_key:
      description: Authentication token.
      returned: success
      type: str
    ca_cert:
      description: Path to a CA certificate file used to verify connection to the
        API server.
      returned: success
      type: str
    host:
      description: URL for accessing the API server.
      returned: success
      type: str
    username:
      description: Username for authenticating with the API server.
      returned: success
      type: str
    validate_certs:
      description: Whether or not to verify the API server's SSL certificates.
      returned: success
      type: bool
  description: OpenShift authentication facts.
  returned: success
  type: complex
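
Both return keys above (openshift_auth and k8s_auth) carry the live token in api_key, so the registered login result is itself sensitive. The playbook below is an added example, not part of the collection's documentation: it repeats the login/logout flow from the usage example with `no_log: true` on the tasks whose results or arguments contain credentials. The vault file name, the variable openshift_admin_password, the host URL and the CA path are the same placeholders used in the usage example.

```yaml
# Added example, not from the community.okd documentation.
# Placeholders (assumptions): openshift_passwords.yml, openshift_admin_password,
# https://k8s.example.com/ and ca.pem.
- name: Log in, query and always revoke the token without logging it
  hosts: localhost
  gather_facts: false
  module_defaults:
    group/community.okd.okd:
      host: https://k8s.example.com/
      ca_cert: ca.pem
      validate_certs: true   # the default, stated explicitly
  tasks:
    - name: Work with a token that is revoked when the block ends
      block:
        - name: Include 'openshift_passwords.yml' (vaulted credentials)
          ansible.builtin.include_vars: openshift_passwords.yml
          no_log: true

        - name: Log in (obtain access token)
          community.okd.openshift_auth:
            username: admin
            password: "{{ openshift_admin_password }}"
          register: openshift_auth_results
          # The result holds openshift_auth.api_key and k8s_auth.api_key.
          # no_log hides it from task output and logs; register still works.
          no_log: true

        - name: Get a list of all pods from any namespace
          kubernetes.core.k8s_info:
            api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"
            kind: Pod
          register: pod_list

      always:
        # Runs whether the block succeeded or failed, so a token obtained
        # by the login task does not outlive the play.
        - name: If login succeeded, log out (revoke access token)
          when: openshift_auth_results.openshift_auth.api_key is defined
          community.okd.openshift_auth:
            state: absent
            api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"
          no_log: true
```

With `no_log: true`, a failed login shows only a censored result, so remove it temporarily on a non-production run when the login task needs debugging.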