ansible-collections / community.kubernetes

Kubernetes Collection for Ansible
https://galaxy.ansible.com/community/kubernetes
GNU General Public License v3.0

group/k8s does not work with community.kubernetes.k8s_auth as documented #374

Closed salanisor closed 3 years ago

salanisor commented 3 years ago
SUMMARY

Following the documentation, I wrote a sample role, which fails due to the missing required argument host.

ISSUE TYPE
COMPONENT NAME

Using group/k8s in group_defaults does not work with community.kubernetes.k8s_auth

ANSIBLE VERSION
ansible-playbook 2.9.7
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible-playbook
  python version = 2.7.5 (default, Aug 13 2020, 02:51:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
egrep -v '$^|#' /etc/ansible/ansible.cfg 
[defaults]
[inventory]
[privilege_escalation]
[paramiko_connection]
[ssh_connection]
[persistent_connection]
[accelerate]
[selinux]
[colors]
[diff]
OS / ENVIRONMENT

Red Hat Enterprise Linux Server release 7.9 (Maipo)

STEPS TO REPRODUCE
---
- hosts: 127.0.0.1
  connection: local
  gather_facts: false
  vars:
    ansible_python_interpreter: /usr/bin/python3

  tasks:
  - block:
    # It's good practice to store login credentials in a secure vault and not
    # directly in playbooks.
    - include_vars: k8s_passwords.yml

    - name: Log in (obtain access token)
      community.kubernetes.k8s_auth:
        username: admin
        password: "{{ k8s_admin_password }}"
      register: k8s_auth_results

    # Previous task provides the token/api_key, while all other parameters
    # are taken from module_defaults
    - name: Get a list of all pods from any namespace
      community.kubernetes.k8s_info:
        api_key: "{{ k8s_auth_results.k8s_auth.api_key }}"
        kind: Pod
      register: pod_list

    always:
    - name: If login succeeded, try to log out (revoke access token)
      when: k8s_auth_results.k8s_auth.api_key is defined
      community.kubernetes.k8s_auth:
        state: absent
        api_key: "{{ k8s_auth_results.k8s_auth.api_key }}"
    module_defaults:
      #community.kubernetes.k8s_auth:
      group/k8s:
        host: https://k8s.example.com/
        ca_cert: ca.pem
EXPECTED RESULTS

Per the documentation and pull-request-107, the task should not fail when using group/k8s in module_defaults.

ACTUAL RESULTS
(test-venv) -bash-4.2$ ansible-playbook -vvvv k8s.yaml --ask-vault-pass
ansible-playbook 2.9.7
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible-playbook
  python version = 2.7.5 (default, Aug 13 2020, 02:51:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /etc/ansible/ansible.cfg as config file
Vault password: 
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: k8s.yaml *******************************************************************************************************************************************************************************************************************************************
Positional arguments: k8s.yaml
become_method: sudo
inventory: (u'/etc/ansible/hosts',)
forks: 5
tags: (u'all',)
verbosity: 4
connection: smart
ask_vault_pass: True
timeout: 10
1 plays in k8s.yaml

PLAY [127.0.0.1] *********************************************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [include_vars] ******************************************************************************************************************************************************************************************************************************************
task path: /tmp/ansible/playbooks/k8s.yaml:15
ok: [127.0.0.1] => {
    "ansible_facts": {
        "k8s_admin_password": {
            "__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n30666636313966336230653765356334346233633736313931393637386438663235663934383364\n6264363566666664376537613838633564643038306662300a356636333831613036646331326361\n36636236313235303934623034656334616666616238393236366637333331343337643530376136\n3663666336653536660a663733633964333030643239646337336434386532316235633039333366\n39656665313039663135376661376335663965303638333136333436626530396130\n"
        }
    }, 
    "ansible_included_var_files": [
        "/tmp/ansible/playbooks/k8s_passwords.yaml"
    ], 
    "changed": false
}

TASK [Log in (obtain access token)] **************************************************************************************************************************************************************************************************************************
task path: /tmp/ansible/playbooks/k8s.yaml:16
Trying secret <ansible.parsing.vault.PromptVaultSecret object at 0x7fb082f4de90> for vault_id=default
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: awx
<127.0.0.1> EXEC /bin/sh -c 'echo ~awx && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /var/lib/awx/.ansible/tmp `"&& mkdir /var/lib/awx/.ansible/tmp/ansible-tmp-1614617384.16-21816-127432078412242 && echo ansible-tmp-1614617384.16-21816-127432078412242="` echo /var/lib/awx/.ansible/tmp/ansible-tmp-1614617384.16-21816-127432078412242 `" ) && sleep 0'
Using module file /var/lib/awx/.ansible/collections/ansible_collections/community/kubernetes/plugins/modules/k8s_auth.py
<127.0.0.1> PUT /var/lib/awx/.ansible/tmp/ansible-local-21805NTYrkv/tmppCB6er TO /var/lib/awx/.ansible/tmp/ansible-tmp-1614617384.16-21816-127432078412242/AnsiballZ_k8s_auth.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /var/lib/awx/.ansible/tmp/ansible-tmp-1614617384.16-21816-127432078412242/ /var/lib/awx/.ansible/tmp/ansible-tmp-1614617384.16-21816-127432078412242/AnsiballZ_k8s_auth.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /var/lib/awx/.ansible/tmp/ansible-tmp-1614617384.16-21816-127432078412242/AnsiballZ_k8s_auth.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /var/lib/awx/.ansible/tmp/ansible-tmp-1614617384.16-21816-127432078412242/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_community.kubernetes.k8s_auth_payload_txvnela6/ansible_community.kubernetes.k8s_auth_payload.zip/ansible/module_utils/basic.py", line 1562, in _check_required_arguments
    check_required_arguments(spec, param)
  File "/tmp/ansible_community.kubernetes.k8s_auth_payload_txvnela6/ansible_community.kubernetes.k8s_auth_payload.zip/ansible/module_utils/common/validation.py", line 193, in check_required_arguments
    raise TypeError(to_native(msg))
fatal: [127.0.0.1]: FAILED! => {
    "changed": false, 
    "invocation": {
        "module_args": {
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
            "state": "present", 
            "username": "kubeadmin", 
            "validate_certs": true
        }
    }, 
    "msg": "missing required arguments: host"
}

TASK [If login succeeded, try to log out (revoke access token)] **********************************************************************************************************************************************************************************************
task path: /tmp/ansible/playbooks/k8s.yaml:29
skipping: [127.0.0.1] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}

PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************
127.0.0.1                  : ok=1    changed=0    unreachable=0    failed=1    skipped=1    rescued=0    ignored=0  

==================================================================================================================
tima commented 3 years ago

@salanisor The k8s_auth module was moved over to the OKD/OpenShift collection and was renamed openshift_auth (with a k8s_auth alias in place). Please try that version of the module and report any continuing problems in that repo if they persist.
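
Added example (not part of the thread and not code from either commenter): the reproduction playbook rewritten to call the renamed module as `community.okd.openshift_auth`, passing `host` and `ca_cert` explicitly on every task so that nothing depends on `group/k8s` defaults being applied. The host URL, CA file name and the `k8s_host`/`k8s_ca_cert` variable names are placeholders chosen for illustration.

```yaml
---
# Added example: explicit connection parameters instead of module_defaults.
# k8s_host and k8s_ca_cert are illustrative variable names (assumptions).
- hosts: 127.0.0.1
  connection: local
  gather_facts: false
  vars:
    ansible_python_interpreter: /usr/bin/python3
    k8s_host: https://k8s.example.com/
    k8s_ca_cert: ca.pem

  tasks:
  - block:
    # Credentials come from a vault-encrypted vars file, as in the report.
    - include_vars: k8s_passwords.yml

    - name: Log in (obtain access token)
      community.okd.openshift_auth:
        host: "{{ k8s_host }}"
        ca_cert: "{{ k8s_ca_cert }}"
        validate_certs: true          # keep TLS verification on
        username: admin
        password: "{{ k8s_admin_password }}"
      register: openshift_auth_results
      # Hides the registered result (which holds the token) from -v output.
      # Remove temporarily if you need to see a login error message.
      no_log: true

    - name: Get a list of all pods from any namespace
      community.kubernetes.k8s_info:
        host: "{{ k8s_host }}"
        ca_cert: "{{ k8s_ca_cert }}"
        api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"
        kind: Pod
      register: pod_list

    always:
    - name: If login succeeded, try to log out (revoke access token)
      when: openshift_auth_results.openshift_auth.api_key is defined
      community.okd.openshift_auth:
        state: absent
        host: "{{ k8s_host }}"
        ca_cert: "{{ k8s_ca_cert }}"
        api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"
      no_log: true
```

Running it requires the `community.okd` collection to be installed alongside `community.kubernetes`.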