openshift_login

Manages OpenShift login operations

This role performs OpenShift login based on calls to the oc cli tool and exposes a well defined set of variables that, after a successful login, can be used as credentials and API endpoints in other parts of the framework. If more than one login attempts are needed the role retries as many times as dictated by cifmw_openshift_login_retries.

Many login scenarios are allowed by passing or omitting the following variables:

  • cifmw_openshift_login_kubeconfig: The kubeconfig file path, if not given, the role will try to use user/password login and will create the kubeconfig in the default location ~/.kube/config.

  • cifmw_openshift_login_api: The OpenShift API endpoint. If not given the role will extract it from the kubeconfig.

  • cifmw_openshift_login_user and cifmw_openshift_login_password: User/password for password based logins.

  • cifmw_openshift_login_provided_token: Token only based logins.

After successful login, the following variables will hold all the needed information to perform call to the cluster:

  • cifmw_openshift_login_api and cifmw_openshift_api: OpenShift API endpoint.

  • cifmw_openshift_login_kubeconfig and cifmw_openshift_kubeconfig: Current kubeconfig file. Token and context populated with the latest changes.

  • cifmw_openshift_login_context and cifmw_openshift_context: The current selected context in cifmw_openshift_login_kubeconfig/cifmw_openshift_kubeconfig.

  • cifmw_openshift_login_token and cifmw_openshift_token: OpenShift token/API key.

  • cifmw_openshift_login_user and cifmw_openshift_user: The user associated to the cifmw_openshift_login_token/cifmw_openshift_token.

Privilege escalation

No privilege escalation needed.

Parameters

  • cifmw_openshift_login_kubeconfig: (String) Optional. Path to the kubeconfig file. Defaults to cifmw_openshift_kubeconfig and ~/.kube/config as last instance.

  • cifmw_openshift_login_api: (String) Optional. Path to the kubeconfig file. Defaults to cifmw_openshift_api and to the real API endpoint after login.

  • cifmw_openshift_login_user: (String) Optional. Login user. If provided, the user that logins. Defaults to cifmw_openshift_user and to the logged in user after login.

  • cifmw_openshift_login_provided_token: (String) Optional. Initial login token. If provided, that token will be used to authenticate into OpenShift. Defaults to cifmw_openshift_provided_token.

  • cifmw_openshift_login_password: (String) Optional. Login password. If provided is the password used for login in. Defaults to cifmw_openshift_password.

  • cifmw_openshift_login_password_file: (String) Optional. Path to a file that contains the plain login password. If provided is the password used for login in.

  • cifmw_openshift_login_force_refresh: (Boolean) Disallow reusing already existing token. Defaults to false.

  • cifmw_openshift_login_retries: (Integer) Number of attempts to retry the login action if it fails. Defaults to 10.

  • cifmw_openshift_login_retries_delay: (Integer) Delay, in seconds, between login retries. Defaults to 20.

  • cifmw_openshift_login_assume_cert_system_user: (Boolean) When trying cert key login from kubeconfig, assume that the inferred user is a system: admin. Defaults to true.

  • cifmw_openshift_login_skip_tls_verify: (Boolean) Skip TLS verification to login. Note: This option may break admin login using certs. Defaults to cifmw_openshift_skip_tls_verify and false as last instance..

Examples

1 - Login using user/password and API combination

- hosts: all
  tasks:
    - name: Log in user/password/API
      include_role:
        name: openshift_login
      vars:
        cifmw_openshift_login_api: "https://api.crc.testing:6443"
        cifmw_openshift_login_user: "kubeadmin"
        cifmw_openshift_login_password: "12345678"

2 - Login using user/password and kubeconfig combination

- hosts: all
  tasks:
    - name: Log in user/password/API
      include_role:
        name: openshift_login
      vars:
        # API inferred from the given kubeconfig
        cifmw_openshift_login_kubeconfig: "/home/zuul/.crc/machines/crc/kubeconfig"
        cifmw_openshift_login_user: "kubeadmin"
        cifmw_openshift_login_password: "12345678"

3 - Login using admin kubeconfig

- hosts: all
  tasks:
    - name: Log in user/password/API
      include_role:
        name: openshift_login
      vars:
        # X509 key in the kubeconfig client data
        cifmw_openshift_login_kubeconfig: "/home/zuul/.crc/machines/crc/kubeconfig"

4 - Token based login

- hosts: all
  tasks:
    - name: Log in with token
      include_role:
        name: openshift_login
      vars:
        cifmw_openshift_login_provided_token: "sha256~Abcdefghij..."