Merge commit '9a3c487421e63ce5b50e4cabc9a2236ab5bf1622'

Author: Martin Jackson

common/.ansible-lint

@@ -16,5 +16,6 @@ exclude_paths:
   - ./ansible/playbooks/iib-ci/iib-ci.yaml
   - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml
   - ./ansible/playbooks/process_secrets/process_secrets.yml
+  - ./ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml
   - ./ansible/playbooks/process_secrets/display_secrets_info.yml
   - ./ansible/roles/vault_utils/tests/test.yml

common/Makefile

@@ -119,6 +119,9 @@ load-iib: ## CI target to install Index Image Bundles
 		exit 1; \
 	fi
 
+.PHONY: token-kubeconfig
+token-kubeconfig: ## Create a local ~/.kube/config with password (not usually needed)
+	common/scripts/write-token-kubeconfig.sh
 
 ##@ Validation Tasks
 

common/ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml

@@ -0,0 +1,93 @@
+---
+- name: Test k8s authentication methods
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+  vars:
+    kubeconfig_file: '~/.kube/config'
+    k8s_host: '{{ lookup("env", "K8S_AUTH_HOST") }}'
+    k8s_validate_certs: '{{ lookup("env", "K8S_AUTH_VERIFY_SSL") | default(false) | bool }}'
+    k8s_username: '{{ lookup("env", "K8S_AUTH_USERNAME") | default("kubeconfig") }}'
+    k8s_password: '{{ lookup("env", "K8S_AUTH_PASSWORD") | default(omit) }}'
+    k8s_api_key: '{{ lookup("env", "K8S_AUTH_TOKEN") | default(omit) }}'
+    k8s_ca_cert_file: '{{ lookup("env", "K8S_AUTH_SSL_CA_CERT") | default(omit) }}'
+  tasks:
+    - name: Check for pre-existing kubeconfig
+      ansible.builtin.stat:
+        path: '{{ kubeconfig_file }}'
+      register: kubeconfig_stat
+
+    - name: Exit if kubeconfig found
+      ansible.builtin.fail:
+        msg: '{{ kubeconfig_file }} already exists! Exiting'
+      when: kubeconfig_stat.stat.exists
+
+    - name: Get namespaces to test parameters
+      kubernetes.core.k8s_info:
+        host: '{{ k8s_host }}'
+        validate_certs: '{{ k8s_validate_certs }}'
+        username: '{{ k8s_username }}'
+        api_key: '{{ k8s_api_key }}'
+        ca_cert: '{{ k8s_ca_cert_file | default(omit) }}'
+        kind: namespace
+      when: k8s_api_key
+
+    - name: Login explicitly
+      when: not k8s_api_key
+      block:
+        - name: Login explicitly to get token
+          kubernetes.core.k8s_auth:
+            host: '{{ k8s_host }}'
+            validate_certs: '{{ k8s_validate_certs }}'
+            username: '{{ k8s_username }}'
+            password: '{{ k8s_password }}'
+            ca_cert: '{{ k8s_ca_cert_file | default(omit) }}'
+          register: auth
+
+        - name: Set api_key
+          ansible.builtin.set_fact:
+            k8s_api_key: '{{ auth.openshift_auth.api_key }}'
+
+    - name: Update username if needed
+      ansible.builtin.set_fact:
+        config_k8s_username: 'kube:admin'
+      when: k8s_username == 'kubeadmin'
+
+    - name: Determine clustername
+      ansible.builtin.set_fact:
+        config_k8s_clustername: "{{ k8s_host | regex_replace('https://', '') | regex_replace('\\.', '-') }}"
+
+    - name: Write config file
+      ansible.builtin.copy:
+        content: |-
+          apiVersion: v1
+          clusters:
+            - cluster:
+          {% if k8s_validate_certs is false %}
+                insecure-skip-tls-verify: true
+          {% endif %}
+          {% if k8s_ca_cert_file -%}
+                certificate-authority-data: {{ lookup("file", k8s_ca_cert_file) | b64encode }}
+          {% endif %}
+                server: {{ k8s_host }}
+              name: {{ config_k8s_clustername }}
+          contexts:
+            - context:
+                cluster: {{ config_k8s_clustername }}
+                namespace: default
+                user: {{ config_k8s_username | default(k8s_username) }}/{{ config_k8s_clustername }}
+              name: default/{{ config_k8s_clustername }}/{{ config_k8s_username | default(k8s_username) }}
+          current-context: default/{{ config_k8s_clustername }}/{{ config_k8s_username | default(k8s_username) }}
+          kind: Config
+          preferences: {}
+          users:
+            - name: {{ config_k8s_username | default(k8s_username) }}/{{ config_k8s_clustername }}
+              user:
+                token: {{ k8s_api_key }}
+        dest: '{{ kubeconfig_file }}'
+        mode: '0640'
+
+    - name: Notify user
+      ansible.builtin.debug:
+        msg: "Wrote {{ kubeconfig_file }}"

common/scripts/pattern-util.sh

@@ -67,6 +67,12 @@ podman run -it --rm --pull=newer \
 	-e EXTRA_HELM_OPTS \
 	-e EXTRA_PLAYBOOK_OPTS \
 	-e KUBECONFIG \
+	-e K8S_AUTH_HOST \
+	-e K8S_AUTH_VERIFY_SSL \
+	-e K8S_AUTH_SSL_CA_CERT \
+	-e K8S_AUTH_USERNAME \
+	-e K8S_AUTH_PASSWORD \
+	-e K8S_AUTH_TOKEN \
 	-v "${PKI_HOST_MOUNT}":/etc/pki:ro \
 	-v "${HOME}":"${HOME}" \
 	-v "${HOME}":/pattern-home \

common/scripts/write-token-kubeconfig.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -eu
+
+OUTPUTFILE=${1:-"~/.kube/config"}
+
+get_abs_filename() {
+  # $1 : relative filename
+  echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+}
+
+SCRIPT=$(get_abs_filename "$0")
+SCRIPTPATH=$(dirname "${SCRIPT}")
+COMMONPATH=$(dirname "${SCRIPTPATH}")
+PATTERNPATH=$(dirname "${COMMONPATH}")
+ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible"
+PLAYBOOKPATH="${ANSIBLEPATH}/playbooks"
+export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg"
+
+ansible-playbook -e pattern_dir="${PATTERNPATH}" -e kubeconfig_file="${OUTPUTFILE}" "${PLAYBOOKPATH}/write-token-kubeconfig/write-token-kubeconfig.yml"