Closed yangzhang-ibm-au closed 2 years ago
Implement support such that a user can use our roles/playbooks that call ocp_login against an already deployed OCP cluster by providing two new env vars:
- OCP_TOKEN
- OCP_SERVER
The ocp_login role should check for these new variables, and if they are set it bypasses the logic provided for ROKS/Fyre-specific login and will instead run a simple oc login command as below:
oc login --token={{ ocp_token }} --server={{ ocp_server }}
This will allow one to use an account other than admin, as is requested, and will also help support non-roks/non-fyre deploy targets in the future.
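One way the role could implement the bypass described above, as an added example that is not the project's own code: the task file name, the fallback include name and the fail check are assumptions; only OCP_TOKEN, OCP_SERVER, ocp_token and ocp_server come from the issue.

```yaml
# Hypothetical tasks/main.yml for the ocp_login role (added example, not the
# project's code). Names other than OCP_TOKEN, OCP_SERVER, ocp_token and
# ocp_server are assumptions.
- name: Read optional direct-login settings from the environment
  ansible.builtin.set_fact:
    ocp_token: "{{ lookup('env', 'OCP_TOKEN') }}"
    ocp_server: "{{ lookup('env', 'OCP_SERVER') }}"
  no_log: true   # keep the token out of the playbook output

- name: Refuse a half-configured direct login (assumed check)
  ansible.builtin.fail:
    msg: "OCP_TOKEN and OCP_SERVER must be set together"
  when: (ocp_token | length > 0) != (ocp_server | length > 0)

- name: Log in with a pre-issued token, bypassing the ROKS/Fyre logic
  ansible.builtin.command:
    argv:                      # argv avoids shell quoting of the token
      - oc
      - login
      - "--token={{ ocp_token }}"
      - "--server={{ ocp_server }}"
  no_log: true                 # the token would otherwise appear in the task result
  changed_when: false
  when: ocp_token | length > 0

- name: Fall back to the existing ROKS/Fyre-specific login
  ansible.builtin.include_tasks: roks_fyre_login.yml   # assumed file name
  when: ocp_token | length == 0
```

Because `oc login --token` is a plain CLI call, the `no_log` flags are what keep the token from being echoed into Ansible logs and CI output.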
Currently the ocp_login role requires the user to have the IBM Cloud Kubernetes Service Administrator platform role in the target IBM Cloud account, to run the following command to be specific:
This may cause failures in case the owner (the user/service ID) of the IBM Cloud API Key used doesn't have the required permissions for the Kubernetes service in that IBM Cloud account, although it might still have the cluster_admin role inside that OpenShift cluster (we are in that situation for the clusters in the P2PaaS account).
More discussions on Slack: https://ibm-watson-iot.slack.com/archives/C0195MVCEUD/p1640135699356200