ansible-collections / kubernetes.core

The collection includes a variety of Ansible content to help automate the management of applications in Kubernetes and OpenShift clusters, as well as the provisioning and maintenance of clusters themselves.

Unable to create a Kubernetes dashboard token #779

Open roncemer opened 1 month ago

roncemer commented 1 month ago

SUMMARY

Unable to find any way to create a Kubernetes dashboard token. Typically with kubectl, this is done with the following command:

kubectl -n kubernetes-dashboard create token --duration=43200s admin-user

If you add -o yaml to this command, you get output similar to the following:

kind: TokenRequest
metadata:
  creationTimestamp: "2024-09-13T14:58:48Z"
  name: admin-user
  namespace: kubernetes-dashboard
spec:
  audiences:
  - https://kubernetes.default.svc
  boundObjectRef: null
  expirationSeconds: 43200
status:
  expirationTimestamp: "2024-09-14T02:58:48Z"
  token: <base64-encoded token here>

So I tried creating this task:

    - name: "Create a Kubernetes dashboard token"
      changed_when: false
      kubernetes.core.k8s:
        kubeconfig: "{{ kubeconfig }}"
        state: "present"
        force: true
        definition:
          apiVersion: authentication.k8s.io/v1
          kind: TokenRequest
          metadata:
            name: admin-user
            namespace: kubernetes-dashboard
          spec:
            audiences:
            - https://kubernetes.default.svc
            boundObjectRef: null
            expirationSeconds: 43200
      register: create_token_output

But it just generates the following error:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to find exact match for authentication.k8s.io/v1.TokenRequest by [kind, name, singularName, shortNames]"}

ISSUE TYPE

COMPONENT NAME

kubernetes.core.k8s

ANSIBLE VERSION
ansible [core 2.17.1]
  config file = None
  configured module search path = ['/Users/rcemer/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/rcemer/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.6 (main, Sep  6 2024, 19:03:47) [Clang 15.0.0 (clang-1500.3.9.4)] (/opt/homebrew/opt/python@3.12/bin/python3.12)
  jinja version = 3.1.4
  libyaml = True

COLLECTION VERSION
Collection      Version
--------------- -------
kubernetes.core 3.2.0

CONFIGURATION
CONFIG_FILE() = None

OS / ENVIRONMENT

Darwin ***-**.local 23.6.0 Darwin Kernel Version 23.6.0: Mon Jul 29 21:13:04 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T6020 arm64

STEPS TO REPRODUCE

Set the kubeconfig fact to the path to a valid kubeconfig file for the cluster, then run the following task.

    - name: "Create a Kubernetes dashboard token"
      changed_when: false
      kubernetes.core.k8s:
        kubeconfig: "{{ kubeconfig }}"
        state: "present"
        force: true
        definition:
          apiVersion: authentication.k8s.io/v1
          kind: TokenRequest
          metadata:
            name: admin-user
            namespace: kubernetes-dashboard
          spec:
            audiences:
            - https://kubernetes.default.svc
            boundObjectRef: null
            expirationSeconds: 43200
      register: create_token_output

EXPECTED RESULTS

Create and output the dashboard token.

ACTUAL RESULTS

Fails with this error:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to find exact match for authentication.k8s.io/v1.TokenRequest by [kind, name, singularName, shortNames]"}

yurnov commented 1 month ago

Hi @roncemer,

Suppose you apply the same definition with kubectl apply -f <file.yaml>; you will get the same result.

It seems that requesting a service account token is not yet supported in the kubernetes.core collection. You can create a feature request, or make a PR with the requested feature yourself using the official Kubernetes Python client.

gravesm commented 1 week ago

As @yurnov pointed out, you cannot create a TokenRequest resource using apply. The TokenRequest is a subresource of a ServiceAccount. This would have to be implemented as a new module that uses the token attribute in a similar way to how we implement the k8s_scale module: https://github.com/ansible-collections/kubernetes.core/blob/c8a9326306e65c0edf945fb3e99a67937cbe9375/plugins/modules/k8s_scale.py#L375
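
The subresource relationship described in the last comment, as an added example that is not part of the thread or of the kubernetes.core collection: the TokenRequest manifest from the issue names a ServiceAccount rather than an object to create, so it maps to a POST on that account's `token` subresource. `subresource_call`, `create_token` and `ISSUE_DEFINITION` are hypothetical names; `create_token` assumes the official `kubernetes` Python client is installed, and the 600-second floor reflects the API server's validation of `expirationSeconds`.

```python
# Added example; the names below are hypothetical, not kubernetes.core code.
MIN_EXPIRATION_SECONDS = 600  # API server rejects shorter TokenRequest durations

# Constructed from the task in the issue above.
ISSUE_DEFINITION = {
    "apiVersion": "authentication.k8s.io/v1",
    "kind": "TokenRequest",
    "metadata": {"name": "admin-user", "namespace": "kubernetes-dashboard"},
    "spec": {
        "audiences": ["https://kubernetes.default.svc"],
        "boundObjectRef": None,
        "expirationSeconds": 43200,
    },
}


def subresource_call(definition):
    """Map a TokenRequest manifest to the ServiceAccount `token` subresource.

    Returns (namespace, service_account, path, body). metadata identifies the
    ServiceAccount the token is issued for; it is not sent as an object name.
    """
    if definition.get("kind") != "TokenRequest":
        raise ValueError("expected kind: TokenRequest")
    meta = definition["metadata"]
    namespace, name = meta["namespace"], meta["name"]
    # Drop null fields such as boundObjectRef: null.
    spec = {k: v for k, v in (definition.get("spec") or {}).items() if v is not None}
    if spec.get("expirationSeconds", MIN_EXPIRATION_SECONDS) < MIN_EXPIRATION_SECONDS:
        raise ValueError("expirationSeconds must be at least 600")
    path = f"/api/v1/namespaces/{namespace}/serviceaccounts/{name}/token"
    body = {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": spec}
    return namespace, name, path, body


def create_token(definition, kubeconfig=None):
    """Issue the token with the official client; returns (token, expiry)."""
    from kubernetes import client, config  # imported lazily: needs a cluster

    config.load_kube_config(config_file=kubeconfig)
    namespace, name, _path, body = subresource_call(definition)
    resp = client.CoreV1Api().create_namespaced_service_account_token(
        name, namespace, body
    )
    return resp.status.token, resp.status.expiration_timestamp
```

The returned token is a bearer credential for admin-user; in a playbook, set `no_log: true` on any task that registers or prints it.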