From cfbbbb3be1f5aa7cafd57c49468960869d180435 Mon Sep 17 00:00:00 2001 From: Mike Graves Date: Fri, 6 May 2022 06:57:01 -0400 Subject: [PATCH] Release 2.2.0 (#161) --- CHANGELOG.rst | 23 + Makefile | 2 +- README.md | 23 +- changelogs/changelog.yaml | 31 + .../fragments/152-add-action-groups.yml | 3 - .../auth-against-api-with-trailing-slash.yaml | 2 - ci/downstream.sh | 2 +- docs/community.okd.k8s_module.rst | 5 +- ...y.okd.openshift_adm_groups_sync_module.rst | 525 +++++++++++++++ ..._adm_migrate_template_instances_module.rst | 532 +++++++++++++++ ...ty.okd.openshift_adm_prune_auth_module.rst | 514 ++++++++++++++ ...openshift_adm_prune_deployments_module.rst | 428 ++++++++++++ ....okd.openshift_adm_prune_images_module.rst | 569 ++++++++++++++++ ...nity.okd.openshift_import_image_module.rst | 626 ++++++++++++++++++ ...community.okd.openshift_process_module.rst | 5 +- ...ity.okd.openshift_registry_info_module.rst | 464 +++++++++++++ docs/community.okd.openshift_route_module.rst | 24 +- galaxy.yml | 2 +- 18 files changed, 3759 insertions(+), 21 deletions(-) delete mode 100644 changelogs/fragments/152-add-action-groups.yml delete mode 100644 changelogs/fragments/auth-against-api-with-trailing-slash.yaml create mode 100644 docs/community.okd.openshift_adm_groups_sync_module.rst create mode 100644 docs/community.okd.openshift_adm_migrate_template_instances_module.rst create mode 100644 docs/community.okd.openshift_adm_prune_auth_module.rst create mode 100644 docs/community.okd.openshift_adm_prune_deployments_module.rst create mode 100644 docs/community.okd.openshift_adm_prune_images_module.rst create mode 100644 docs/community.okd.openshift_import_image_module.rst create mode 100644 docs/community.okd.openshift_registry_info_module.rst diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d0e87e2..1bd9deb 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -5,6 +5,29 @@ OKD Collection Release Notes .. contents:: Topics +v2.2.0 +====== + +Minor Changes +------------- + +- add action groups to runtime.yml (https://github.com/openshift/community.okd/issues/41). + +Bugfixes +-------- + +- fix ocp auth failing against cluster api url with trailing slash (https://github.com/openshift/community.okd/issues/139) + +New Modules +----------- + +- openshift_adm_migrate_template_instances - Update TemplateInstances to point to the latest group-version-kinds +- openshift_adm_prune_auth - Removes references to the specified roles, clusterroles, users, and groups +- openshift_adm_prune_deployments - Remove old completed and failed deployment configs +- openshift_adm_prune_images - Remove unreferenced images +- openshift_import_image - Import the latest image information from a tag in a container image registry. +- openshift_registry_info - Display information about the integrated registry. + v2.1.0 ====== diff --git a/Makefile b/Makefile index 941853c..34cbac4 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ .PHONY: molecule # Also needs to be updated in galaxy.yml -VERSION = 2.1.0 +VERSION = 2.2.0 SANITY_TEST_ARGS ?= --docker --color UNITS_TEST_ARGS ?= --docker --color diff --git a/README.md b/README.md index ab4ad1c..7c338c3 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,8 @@ The collection includes a variety of Ansible content to help automate the manage This collection has been tested against following Ansible versions: **>=2.9.17**. +For collections that support Ansible 2.9, please ensure you update your `network_os` to use the +fully qualified collection name (for example, `cisco.ios.ios`). Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. PEP440 is the schema used to describe the versions of Ansible. 
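Review bot: The two added README lines about `network_os` and the `cisco.ios.ios` example, placed in the "tested against following Ansible versions" paragraph, do not apply to this collection. Nothing else in this patch refers to network_os or to network devices, so the text reads as carried over from a network collection's README template. Suggest dropping both `+` lines, or replacing them with guidance that fits this collection, such as calling its modules by fully qualified name (`community.okd.k8s`).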
@@ -25,20 +27,27 @@ Click on the name of a plugin or module to view that content's documentation: ### Connection plugins Name | Description --- | --- -[community.okd.oc](https://github.com/ansible-collections/community.okd/blob/main/docs/community.okd.oc_connection.rst)|Execute tasks in pods running on OpenShift. +[community.okd.oc](https://github.com/openshift/community.okd/blob/main/docs/community.okd.oc_connection.rst)|Execute tasks in pods running on OpenShift. ### Inventory plugins Name | Description --- | --- -[community.okd.openshift](https://github.com/ansible-collections/community.okd/blob/main/docs/community.okd.openshift_inventory.rst)|OpenShift inventory source +[community.okd.openshift](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_inventory.rst)|OpenShift inventory source ### Modules Name | Description --- | --- -[community.okd.k8s](https://github.com/ansible-collections/community.okd/blob/main/docs/community.okd.k8s_module.rst)|Manage OpenShift objects -[community.okd.openshift_auth](https://github.com/ansible-collections/community.okd/blob/main/docs/community.okd.openshift_auth_module.rst)|Authenticate to OpenShift clusters which require an explicit login step -[community.okd.openshift_process](https://github.com/ansible-collections/community.okd/blob/main/docs/community.okd.openshift_process_module.rst)|Process an OpenShift template.openshift.io/v1 Template -[community.okd.openshift_route](https://github.com/ansible-collections/community.okd/blob/main/docs/community.okd.openshift_route_module.rst)|Expose a Service as an OpenShift Route. +[community.okd.k8s](https://github.com/openshift/community.okd/blob/main/docs/community.okd.k8s_module.rst)|Manage OpenShift objects +[community.okd.openshift_adm_groups_sync](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_adm_groups_sync_module.rst)|Sync OpenShift Groups with records from an external provider. 
+[community.okd.openshift_adm_migrate_template_instances](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_adm_migrate_template_instances_module.rst)|Update TemplateInstances to point to the latest group-version-kinds +[community.okd.openshift_adm_prune_auth](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_adm_prune_auth_module.rst)|Removes references to the specified roles, clusterroles, users, and groups +[community.okd.openshift_adm_prune_deployments](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_adm_prune_deployments_module.rst)|Remove old completed and failed deployment configs +[community.okd.openshift_adm_prune_images](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_adm_prune_images_module.rst)|Remove unreferenced images +[community.okd.openshift_auth](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_auth_module.rst)|Authenticate to OpenShift clusters which require an explicit login step +[community.okd.openshift_import_image](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_import_image_module.rst)|Import the latest image information from a tag in a container image registry. +[community.okd.openshift_process](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_process_module.rst)|Process an OpenShift template.openshift.io/v1 Template +[community.okd.openshift_registry_info](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_registry_info_module.rst)|Display information about the integrated registry. +[community.okd.openshift_route](https://github.com/openshift/community.okd/blob/main/docs/community.okd.openshift_route_module.rst)|Expose a Service as an OpenShift Route. 
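Review bot: The new `community.okd.openshift_adm_groups_sync` row in the Modules table has no matching entry in the v2.2.0 "New Modules" list that this patch adds to CHANGELOG.rst and changelogs/changelog.yaml, and the doc page created for it further down states "Version added: 2.1.0". If the module shipped in 2.1.0, note that only its documentation is new in this release; otherwise add it to the 2.2.0 module list so the release notes and the README agree.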
@@ -58,7 +67,7 @@ You can also include it in a `requirements.yml` file and install it via `ansible --- collections: - name: community.okd - version: 2.1.0 + version: 2.2.0 ``` ### Installing the Kubernetes Python Library diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml index a4b3614..f41436f 100644 --- a/changelogs/changelog.yaml +++ b/changelogs/changelog.yaml @@ -149,3 +149,34 @@ releases: - 102-support-turbo-mode.yaml - 99-openshift_route-add-support-for-annotations.yml release_date: '2021-10-20' + 2.2.0: + changes: + bugfixes: + - fix ocp auth failing against cluster api url with trailing slash (https://github.com/openshift/community.okd/issues/139) + minor_changes: + - add action groups to runtime.yml (https://github.com/openshift/community.okd/issues/41). + fragments: + - 152-add-action-groups.yml + - auth-against-api-with-trailing-slash.yaml + modules: + - description: Update TemplateInstances to point to the latest group-version-kinds + name: openshift_adm_migrate_template_instances + namespace: '' + - description: Removes references to the specified roles, clusterroles, users, + and groups + name: openshift_adm_prune_auth + namespace: '' + - description: Remove old completed and failed deployment configs + name: openshift_adm_prune_deployments + namespace: '' + - description: Remove unreferenced images + name: openshift_adm_prune_images + namespace: '' + - description: Import the latest image information from a tag in a container image + registry. + name: openshift_import_image + namespace: '' + - description: Display information about the integrated registry. + name: openshift_registry_info + namespace: '' + release_date: '2022-05-05' diff --git a/changelogs/fragments/152-add-action-groups.yml b/changelogs/fragments/152-add-action-groups.yml deleted file mode 100644 index 9e66f30..0000000 --- a/changelogs/fragments/152-add-action-groups.yml +++ /dev/null 
@@ -1,3 +0,0 @@ ---- -minor_changes: - - add action groups to runtime.yml (https://github.com/openshift/community.okd/issues/41). diff --git a/changelogs/fragments/auth-against-api-with-trailing-slash.yaml b/changelogs/fragments/auth-against-api-with-trailing-slash.yaml deleted file mode 100644 index f8bfcf9..0000000 --- a/changelogs/fragments/auth-against-api-with-trailing-slash.yaml +++ /dev/null @@ -1,2 +0,0 @@ -bugfixes: - - fix ocp auth failing against cluster api url with trailing slash (https://github.com/openshift/community.okd/issues/139) diff --git a/ci/downstream.sh b/ci/downstream.sh index ee947e6..fbdd609 100755 --- a/ci/downstream.sh +++ b/ci/downstream.sh @@ -9,7 +9,7 @@ # - All functions are prefixed with f_ so it's obvious where they come # from when in use throughout the script -DOWNSTREAM_VERSION="2.1.0" +DOWNSTREAM_VERSION="2.2.0" KEEP_DOWNSTREAM_TMPDIR="${KEEP_DOWNSTREAM_TMPDIR:-''}" INSTALL_DOWNSTREAM_COLLECTION_PATH="${INSTALL_DOWNSTREAM_COLLECTION_PATH:-}" _build_dir="" diff --git a/docs/community.okd.k8s_module.rst b/docs/community.okd.k8s_module.rst index 5b84fce..8d0e0f9 100644 --- a/docs/community.okd.k8s_module.rst +++ b/docs/community.okd.k8s_module.rst @@ -375,13 +375,14 @@ Parameters kubeconfig
- path + raw
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
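Review bot: The added kubeconfig description line states that a dictionary is accepted but gives no handling guidance, and with the type changed from `path` to `raw` a playbook can now carry the cluster's tokens or client keys inline instead of pointing at a file. Suggest adding a sentence that a kubeconfig passed as a dictionary should come from an ansible-vault encrypted variable, in the same way the groups_sync synopsis in this patch treats bindPassword. "Added in version 2.2.0" should also name the collection it refers to, and the Requirements sections added by this patch list `kubernetes >= 12.0.0` while this feature needs >= 17.17.0, which deserves a cross-reference.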
@@ -602,7 +603,7 @@ Parameters
Provide a path to a file containing a valid YAML definition of an object or objects to be created or updated. Mutually exclusive with resource_definition. NOTE: kind, api_version, name, and namespace will be overwritten by corresponding values found in the configuration read in from the src file.
Reads from the local file system. To read from the Ansible controller's file system, including vaulted files, use the file lookup plugin or template lookup plugin, combined with the from_yaml filter, and pass the result to resource_definition. See Examples below.
-
Mutually exclusive with template in case of k8s module.
+
Mutually exclusive with template in case of kubernetes.core.k8s module.
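Review bot: The replacement line names `kubernetes.core.k8s` inside the documentation page for `community.okd.k8s`, so a reader of this page cannot tell whether the mutual exclusion with `template` applies to the module being documented. If the restriction holds here as well, name `community.okd.k8s` or say it applies to both modules; if it does not, the sentence should say so explicitly rather than leaving it to inference.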
diff --git a/docs/community.okd.openshift_adm_groups_sync_module.rst b/docs/community.okd.openshift_adm_groups_sync_module.rst new file mode 100644 index 0000000..e16aa4d --- /dev/null +++ b/docs/community.okd.openshift_adm_groups_sync_module.rst @@ -0,0 +1,525 @@ +.. _community.okd.openshift_adm_groups_sync_module: + + +*************************************** +community.okd.openshift_adm_groups_sync +*************************************** + +**Sync OpenShift Groups with records from an external provider.** + + +Version added: 2.1.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- In order to sync/prune OpenShift Group records with those from an external provider, determine which Groups you wish to sync and where their records live. +- Analogous to `oc adm prune groups` and `oc adm group sync`. +- LDAP sync configuration file syntax can be found here https://docs.openshift.com/container-platform/4.9/authentication/ldap-syncing.html. +- The bindPassword attribute of the LDAP sync configuration is expected to be a string, please use ansible-vault encryption to secure this information. + + + +Requirements +------------ +The below requirements are needed on the host that executes this module. + +- python >= 3.6 +- kubernetes >= 12.0.0 +- python-ldap + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ allow_groups + +
+ list + / elements=string +
+
+ +
Allowed groups, could be openshift group name or LDAP group dn value.
+
When parameter type is set to ldap this should contains only LDAP group definition like cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat.
+
+
+ api_key + +
+ string +
+
+ +
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
+
+
+ ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
+

aliases: ssl_ca_cert
+
+
+ client_cert + +
+ path +
+
+ +
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
+

aliases: cert_file
+
+
+ client_key + +
+ path +
+
+ +
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
+

aliases: key_file
+
+
+ context + +
+ string +
+
+ +
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
+
+
+ deny_groups + +
+ list + / elements=string +
+
+ +
Denied groups, could be openshift group name or LDAP group dn value.
+
When parameter type is set to ldap this should contains only LDAP group definition like cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat.
+
The elements specified in this list will override the ones specified in allow_groups.
+
+
+ host + +
+ string +
+
+ +
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
+
+
+ kubeconfig + +
+ raw +
+
+ +
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
+
+
+ password + +
+ string +
+
+ +
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
+
Please read the description of the username option for a discussion of when this option is applicable.
+
+
+ persist_config + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+
Default to false.
+
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
+
+
+ proxy + +
+ string +
+
+ +
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
+
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
+
+
+ proxy_headers + +
+ dictionary +
+
added in 2.0.0
+
+ +
The Header used for the HTTP proxy.
+ +
+
+ basic_auth + +
+ string +
+
+ +
Colon-separated username:password for basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
+
+
+ proxy_basic_auth + +
+ string +
+
+ +
Colon-separated username:password for proxy basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
+
+
+ user_agent + +
+ string +
+
+ +
String representing the user-agent you want, such as foo/1.0.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
+
+
+ state + +
+ string +
+
+
    Choices: +
  • absent
  • +
  • present ←
  • +
+
+
Determines if the group should be sync when set to present or pruned when set to absent.
+
+
+ sync_config + +
+ dictionary + / required +
+
+ +
Provide a valid YAML definition of an LDAP sync configuration.
+

aliases: config, src
+
+
+ type + +
+ string +
+
+
    Choices: +
  • ldap ←
  • +
  • openshift
  • +
+
+
which groups allow and deny list entries refer to.
+
+
+ username + +
+ string +
+
+ +
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
+
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
+
+
+ validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+

aliases: verify_ssl
+
+
+ + +Notes +----- + +.. note:: + - To avoid SSL certificate validation errors when ``validate_certs`` is *True*, the full certificate chain for the API server must be provided via ``ca_cert`` or in the kubeconfig file. + + + +Examples +-------- + +.. code-block:: yaml + + # Prune all orphaned groups + - name: Prune all orphan groups + openshift_adm_groups_sync: + state: absent + src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}" + + # Prune all orphaned groups from a list of specific groups specified in allow_groups + - name: Prune all orphan groups from a list of specific groups specified in allow_groups + openshift_adm_groups_sync: + state: absent + src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}" + allow_groups: + - cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat + - cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat + + # Sync all groups from an LDAP server + - name: Sync all groups from an LDAP server + openshift_adm_groups_sync: + src: + kind: LDAPSyncConfig + apiVersion: v1 + url: ldap://localhost:1390 + insecure: true + bindDN: cn=admin,dc=example,dc=org + bindPassword: adminpassword + rfc2307: + groupsQuery: + baseDN: "cn=admins,ou=groups,dc=example,dc=org" + scope: sub + derefAliases: never + filter: (objectClass=*) + pageSize: 0 + groupUIDAttribute: dn + groupNameAttributes: [ cn ] + groupMembershipAttributes: [ member ] + usersQuery: + baseDN: "ou=users,dc=example,dc=org" + scope: sub + derefAliases: never + pageSize: 0 + userUIDAttribute: dn + userNameAttributes: [ mail ] + tolerateMemberNotFoundErrors: true + tolerateMemberOutOfScopeErrors: true + + # Sync all groups except the ones from the deny_groups from an LDAP server + - name: Sync all groups from an LDAP server using deny_groups + openshift_adm_groups_sync: + src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}" + deny_groups: + - cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat + - 
cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat + + # Sync all OpenShift Groups that have been synced previously with an LDAP server + - name: Sync all OpenShift Groups that have been synced previously with an LDAP server + openshift_adm_groups_sync: + src: "{{ lookup('file', '/path/to/ldap-sync-config.yaml') | from_yaml }}" + type: openshift + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + +
KeyReturnedDescription
+
+ builds + +
+ list + / elements=dictionary +
+
success +
The groups that were created, updated or deleted
+
+
Sample:
+
[{'apiVersion': 'user.openshift.io/v1', 'kind': 'Group', 'metadata': {'annotations': {'openshift.io/ldap.sync-time': '2021-12-17T12:20:28.125282', 'openshift.io/ldap.uid': 'cn=developers,ou=groups,ou=rfc2307,dc=ansible,dc=redhat', 'openshift.io/ldap.url': 'localhost:1390'}, 'creationTimestamp': '2021-12-17T11:09:49Z', 'labels': {'openshift.io/ldap.host': 'localhost'}, 'managedFields': [{'apiVersion': 'user.openshift.io/v1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:metadata': {'f:annotations': {'.': {}, 'f:openshift.io/ldap.sync-time': {}, 'f:openshift.io/ldap.uid': {}, 'f:openshift.io/ldap.url': {}}, 'f:labels': {'.': {}, 'f:openshift.io/ldap.host': {}}}, 'f:users': {}}, 'manager': 'OpenAPI-Generator', 'operation': 'Update', 'time': '2021-12-17T11:09:49Z'}], 'name': 'developers', 'resourceVersion': '2014696', 'uid': '8dc211cb-1544-41e1-96b1-efffeed2d7d7'}, 'users': ['jordanbulls@ansible.org']}]
+
+

+ + +Status +------ + + +Authors +~~~~~~~ + +- Aubin Bikouo (@abikouo) diff --git a/docs/community.okd.openshift_adm_migrate_template_instances_module.rst b/docs/community.okd.openshift_adm_migrate_template_instances_module.rst new file mode 100644 index 0000000..a7940ca --- /dev/null +++ b/docs/community.okd.openshift_adm_migrate_template_instances_module.rst @@ -0,0 +1,532 @@ +.. _community.okd.openshift_adm_migrate_template_instances_module: + + +****************************************************** +community.okd.openshift_adm_migrate_template_instances +****************************************************** + +**Update TemplateInstances to point to the latest group-version-kinds** + + +Version added: 2.2.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- Update TemplateInstances to point to the latest group-version-kinds. +- Analogous to ``oc adm migrate template-instances``. + + + +Requirements +------------ +The below requirements are needed on the host that executes this module. + +- python >= 3.6 +- kubernetes >= 12.0.0 + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
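Review bot: In docs/community.okd.openshift_adm_groups_sync_module.rst, the "Sync all groups from an LDAP server" example sets `bindPassword: adminpassword` in clear text, together with `url: ldap://localhost:1390` and `insecure: true`, while the Synopsis of the same page asks for bindPassword to be protected with ansible-vault. Examples get copied, so suggest showing bindPassword as a vaulted variable reference and marking the `insecure: true` / `ldap://` pair as a local test setup. Smaller points in the same file: the return key is named `builds` although its description and sample are Group objects, and the allow_groups and deny_groups examples list the same DN twice.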
ParameterChoices/DefaultsComments
+
+ api_key + +
+ string +
+
+ +
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
+
+
+ ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
+

aliases: ssl_ca_cert
+
+
+ client_cert + +
+ path +
+
+ +
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
+

aliases: cert_file
+
+
+ client_key + +
+ path +
+
+ +
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
+

aliases: key_file
+
+
+ context + +
+ string +
+
+ +
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
+
+
+ host + +
+ string +
+
+ +
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
+
+
+ kubeconfig + +
+ raw +
+
+ +
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
+
+
+ namespace + +
+ string +
+
+ +
The namespace that the template can be found in.
+
If no namespace if specified, migrate objects in all namespaces.
+
+
+ password + +
+ string +
+
+ +
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
+
Please read the description of the username option for a discussion of when this option is applicable.
+
+
+ persist_config + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+
Default to false.
+
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
+
+
+ proxy + +
+ string +
+
+ +
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
+
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
+
+
+ proxy_headers + +
+ dictionary +
+
added in 2.0.0
+
+ +
The Header used for the HTTP proxy.
+ +
+
+ basic_auth + +
+ string +
+
+ +
Colon-separated username:password for basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
+
+
+ proxy_basic_auth + +
+ string +
+
+ +
Colon-separated username:password for proxy basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
+
+
+ user_agent + +
+ string +
+
+ +
String representing the user-agent you want, such as foo/1.0.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
+
+
+ username + +
+ string +
+
+ +
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
+
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
+
+
+ validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+

aliases: verify_ssl
+
+
+ wait + +
+ boolean +
+
+
    Choices: +
  • no ←
  • +
  • yes
  • +
+
+
Whether to wait for certain resource kinds to end up in the desired state.
+
By default the module exits once Kubernetes has received the request.
+
Implemented for state=present for Deployment, DaemonSet and Pod, and for state=absent for all resource kinds.
+
For resource kinds without an implementation, wait returns immediately unless wait_condition is set.
+
+
+ wait_condition + +
+ dictionary +
+
+ +
Specifies a custom condition on the status to wait for.
+
Ignored if wait is not set or is set to False.
+
+
+ reason + +
+ string +
+
+ +
The value of the reason field in your desired condition
+
For example, if a Deployment is paused, The Progressing type will have the DeploymentPaused reason.
+
The possible reasons in a condition are specific to each resource type in Kubernetes.
+
See the API documentation of the status field for a given resource to see possible choices.
+
+
+ status + +
+ string +
+
+
    Choices: +
  • True ←
  • +
  • False
  • +
  • Unknown
  • +
+
+
The value of the status field in your desired condition.
+
For example, if a Deployment is paused, the Progressing type will have the Unknown status.
+
+
+ type + +
+ string +
+
+ +
The type of condition to wait for.
+
For example, the Pod resource will set the Ready condition (among others).
+
Required if you are specifying a wait_condition.
+
If left empty, the wait_condition field will be ignored.
+
The possible types for a condition are specific to each resource type in Kubernetes.
+
See the API documentation of the status field for a given resource to see possible choices.
+
+
+ wait_sleep + +
+ integer +
+
+ Default:
5
+
+
Number of seconds to sleep between checks.
+
+
+ wait_timeout + +
+ integer +
+
+ Default:
120
+
+
How long in seconds to wait for the resource to end up in the desired state.
+
Ignored if wait is not set.
+
+
+ + +Notes +----- + +.. note:: + - To avoid SSL certificate validation errors when ``validate_certs`` is *True*, the full certificate chain for the API server must be provided via ``ca_cert`` or in the kubeconfig file. + + + +Examples +-------- + +.. code-block:: yaml + + - name: Migrate TemplateInstances in namespace=test + community.okd.openshift_adm_migrate_template_instances: + namespace: test + register: _result + + - name: Migrate TemplateInstances in all namespaces + community.okd.openshift_adm_migrate_template_instances: + register: _result + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + +
KeyReturnedDescription
+
+ result + +
+ list + / elements=dictionary +
+
success +
List with all TemplateInstances that have been migrated.
+
+
Sample:
+
[{'apiVersion': 'template.openshift.io/v1', 'kind': 'TemplateInstance', 'metadata': {'creationTimestamp': '2021-11-10T11:12:09Z', 'finalizers': ['template.openshift.io/finalizer'], 'managedFields': [{'apiVersion': 'template.openshift.io/v1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:spec': {'f:template': {'f:metadata': {'f:name': {}}, 'f:objects': {}, 'f:parameters': {}}}}, 'manager': 'kubectl-create', 'operation': 'Update', 'time': '2021-11-10T11:12:09Z'}, {'apiVersion': 'template.openshift.io/v1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:metadata': {'f:finalizers': {'.': {}, 'v:"template.openshift.io/finalizer"': {}}}, 'f:status': {'f:conditions': {}}}, 'manager': 'openshift-controller-manager', 'operation': 'Update', 'time': '2021-11-10T11:12:09Z'}, {'apiVersion': 'template.openshift.io/v1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:status': {'f:objects': {}}}, 'manager': 'OpenAPI-Generator', 'operation': 'Update', 'time': '2021-11-10T11:12:33Z'}], 'name': 'demo', 'namespace': 'test', 'resourceVersion': '545370', 'uid': '09b795d7-7f07-4d94-bf0f-2150ee66f88d'}, 'spec': {'requester': {'groups': ['system:masters', 'system:authenticated'], 'username': 'system:admin'}, 'template': {'metadata': {'creationTimestamp': None, 'name': 'template'}, 'objects': [{'apiVersion': 'v1', 'kind': 'Secret', 'metadata': {'labels': {'foo': 'bar'}, 'name': 'secret'}}, {'apiVersion': 'apps/v1', 'kind': 'Deployment', 'metadata': {'name': 'deployment'}, 'spec': {'replicas': 0, 'selector': {'matchLabels': {'key': 'value'}}, 'template': {'metadata': {'labels': {'key': 'value'}}, 'spec': {'containers': [{'image': 'k8s.gcr.io/e2e-test-images/agnhost:2.32', 'name': 'hello-openshift'}]}}}}, {'apiVersion': 'v1', 'kind': 'Route', 'metadata': {'name': 'route'}, 'spec': {'to': {'name': 'foo'}}}], 'parameters': [{'name': 'NAME', 'value': '${NAME}'}]}}, 'status': {'conditions': [{'lastTransitionTime': '2021-11-10T11:12:09Z', 'message': '', 'reason': 'Created', 'status': 'True', 'type': 'Ready'}], 
'objects': [{'ref': {'apiVersion': 'v1', 'kind': 'Secret', 'name': 'secret', 'namespace': 'test', 'uid': '33fad364-6d47-4f9c-9e51-92cba5602a57'}}, {'ref': {'apiVersion': 'apps/v1', 'kind': 'Deployment', 'name': 'deployment', 'namespace': 'test', 'uid': '3b527f88-42a1-4811-9e2f-baad4e4d8807'}}, {'ref': {'apiVersion': 'route.openshift.io/v1.Route', 'kind': 'Route', 'name': 'route', 'namespace': 'test', 'uid': '5b5411de-8769-4e27-ba52-6781630e4008'}}]}}, '...']
+
+

+ + +Status +------ + + +Authors +~~~~~~~ + +- Alina Buzachis (@alinabuzachis) diff --git a/docs/community.okd.openshift_adm_prune_auth_module.rst b/docs/community.okd.openshift_adm_prune_auth_module.rst new file mode 100644 index 0000000..b4b11c2 --- /dev/null +++ b/docs/community.okd.openshift_adm_prune_auth_module.rst @@ -0,0 +1,514 @@ +.. _community.okd.openshift_adm_prune_auth_module: + + +************************************** +community.okd.openshift_adm_prune_auth +************************************** + +**Removes references to the specified roles, clusterroles, users, and groups** + + +Version added: 2.2.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allow administrators to remove references to the specified roles, clusterroles, users, and groups. +- Analogous to ``oc adm prune auth``. + + + +Requirements +------------ +The below requirements are needed on the host that executes this module. + +- python >= 3.6 +- kubernetes >= 12.0.0 + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ api_key + +
+ string +
+
+ +
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
+
+
+ ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
+

aliases: ssl_ca_cert
+
+
+ client_cert + +
+ path +
+
+ +
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
+

aliases: cert_file
+
+
+ client_key + +
+ path +
+
+ +
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
+

aliases: key_file
+
+
+ context + +
+ string +
+
+ +
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
+
+
+ host + +
+ string +
+
+ +
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
+
+
+ kubeconfig + +
+ raw +
+
+ +
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
+
+
+ label_selectors + +
+ list + / elements=string +
+
+ +
Selector (label query) to filter on.
+
Mutually exclusive with option name.
+
+
+ name + +
+ string +
+
+ +
Use to specify an object name to remove.
+
Mutually exclusive with option label_selectors.
+
If neither name nor label_selectors are specified, prune all resources in the namespace.
+
+
+ namespace + +
+ string +
+
+ +
Use to specify an object namespace.
+
Ignored when resource is set to clusterroles.
+
+
+ password + +
+ string +
+
+ +
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
+
Please read the description of the username option for a discussion of when this option is applicable.
+
+
+ persist_config + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+
Default to false.
+
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
+
+
+ proxy + +
+ string +
+
+ +
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
+
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
+
+
+ proxy_headers + +
+ dictionary +
+
added in 2.0.0
+
+ +
The Header used for the HTTP proxy.
+ +
+
+ basic_auth + +
+ string +
+
+ +
Colon-separated username:password for basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
+
+
+ proxy_basic_auth + +
+ string +
+
+ +
Colon-separated username:password for proxy basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
+
+
+ user_agent + +
+ string +
+
+ +
String representing the user-agent you want, such as foo/1.0.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
+
+
+ resource + +
+ string + / required +
+
+
    Choices: +
  • roles
  • +
  • clusterroles
  • +
  • users
  • +
  • groups
  • +
+
+
The specified resource to remove.
+
+
+ username + +
+ string +
+
+ +
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
+
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
+
+
+ validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+

aliases: verify_ssl
+
+
+ + +Notes +----- + +.. note:: + - To avoid SSL certificate validation errors when ``validate_certs`` is *True*, the full certificate chain for the API server must be provided via ``ca_cert`` or in the kubeconfig file. + + + +Examples +-------- + +.. code-block:: yaml + + - name: Prune all roles from default namespace + openshift_adm_prune_auth: + resource: roles + namespace: testing + + - name: Prune clusterroles using label selectors + openshift_adm_prune_auth: + resource: roles + namespace: testing + label_selectors: + - phase=production + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyReturnedDescription
+
+ authorization + +
+ list +
+
resource=users +
list of OAuthClientAuthorization deleted.
+
+
+
+ cluster_role_binding + +
+ list +
+
always +
list of cluster role binding deleted.
+
+
+
+ group + +
+ list +
+
resource=users +
list of Security Context Constraints deleted.
+
+
+
+ role_binding + +
+ list +
+
resource=users or resource=groups or resource=clusterroles +
list of role binding deleted.
+
+
+
+ security_context_constraints + +
+ list +
+
resource=users or resource=groups +
list of Security Context Constraints deleted.
+
+
+
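Review bot: In the Examples block of docs/community.okd.openshift_adm_prune_auth_module.rst, the task names do not match the parameters they set. "Prune all roles from default namespace" uses `namespace: testing`, and "Prune clusterroles using label selectors" uses `resource: roles` with `namespace: testing`. This module deletes RBAC references, and the `name` description says that with neither `name` nor `label_selectors` everything in the namespace is pruned, so a copied example should do exactly what its title says. Suggest renaming the first task to refer to the testing namespace, and setting `resource: clusterroles` without `namespace` in the second, since `namespace` is documented as ignored for clusterroles. Both tasks also use the short name `openshift_adm_prune_auth`, while the examples for the other new modules use the `community.okd.` prefix. In Return Values, `group` is described as "list of Security Context Constraints deleted." and returned for `resource=users`, which looks copied from `security_context_constraints`. Please state what `group` actually contains. The synopsis wording "This module allow administrators" should read "allows".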

+ + +Status +------ + + +Authors +~~~~~~~ + +- Aubin Bikouo (@abikouo) diff --git a/docs/community.okd.openshift_adm_prune_deployments_module.rst b/docs/community.okd.openshift_adm_prune_deployments_module.rst new file mode 100644 index 0000000..16e0ded --- /dev/null +++ b/docs/community.okd.openshift_adm_prune_deployments_module.rst @@ -0,0 +1,428 @@ +.. _community.okd.openshift_adm_prune_deployments_module: + + +********************************************* +community.okd.openshift_adm_prune_deployments +********************************************* + +**Remove old completed and failed deployment configs** + + +Version added: 2.2.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allow administrators to remove old completed and failed deployment configs. +- Analogous to ``oc adm prune deployments``. + + + +Requirements +------------ +The below requirements are needed on the host that executes this module. + +- python >= 3.6 +- kubernetes >= 12.0.0 + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ api_key + +
+ string +
+
+ +
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
+
+
+ ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
+

aliases: ssl_ca_cert
+
+
+ client_cert + +
+ path +
+
+ +
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
+

aliases: cert_file
+
+
+ client_key + +
+ path +
+
+ +
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
+

aliases: key_file
+
+
+ context + +
+ string +
+
+ +
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
+
+
+ host + +
+ string +
+
+ +
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
+
+
+ keep_younger_than + +
+ integer +
+
+ +
Specify the minimum age (in minutes) of a deployment for it to be considered a candidate for pruning.
+
+
+ kubeconfig + +
+ raw +
+
+ +
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
+
+
+ namespace + +
+ string +
+
+ +
Use to specify namespace for deployments to be deleted.
+
+
+ orphans + +
+ boolean +
+
+
    Choices: +
  • no ←
  • +
  • yes
  • +
+
+
If true, prune all deployments where the associated DeploymentConfig no longer exists, the status is complete or failed, and the replica size is 0.
+
+
+ password + +
+ string +
+
+ +
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
+
Please read the description of the username option for a discussion of when this option is applicable.
+
+
+ persist_config + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+
Default to false.
+
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
+
+
+ proxy + +
+ string +
+
+ +
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
+
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
+
+
+ proxy_headers + +
+ dictionary +
+
added in 2.0.0
+
+ +
The Header used for the HTTP proxy.
+ +
+
+ basic_auth + +
+ string +
+
+ +
Colon-separated username:password for basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
+
+
+ proxy_basic_auth + +
+ string +
+
+ +
Colon-separated username:password for proxy basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
+
+
+ user_agent + +
+ string +
+
+ +
String representing the user-agent you want, such as foo/1.0.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
+
+
+ username + +
+ string +
+
+ +
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
+
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
+
+
+ validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+

aliases: verify_ssl
+
+
+ + +Notes +----- + +.. note:: + - To avoid SSL certificate validation errors when ``validate_certs`` is *True*, the full certificate chain for the API server must be provided via ``ca_cert`` or in the kubeconfig file. + + + +Examples +-------- + +.. code-block:: yaml + + - name: Prune Deployments from testing namespace + community.okd.openshift_adm_prune_deployments: + namespace: testing + + - name: Prune orphans deployments, keep younger than 2hours + community.okd.openshift_adm_prune_deployments: + orphans: True + keep_younger_than: 120 + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + +
KeyReturnedDescription
+
+ replication_controllers + +
+ list +
+
always +
list of replication controllers candidate for pruning.
+
+
+
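Review bot: The `namespace` parameter in docs/community.okd.openshift_adm_prune_deployments_module.rst does not say what happens when it is omitted, and the second example ("Prune orphans deployments, keep younger than 2hours") sets only `orphans` and `keep_younger_than`. For a module that deletes objects, the description should state the scope explicitly, for example whether omitting `namespace` prunes across all namespaces. The return value `replication_controllers` is described as "list of replication controllers candidate for pruning" with Returned "always", which leaves it unclear whether the listed objects were deleted or only selected. Suggest wording that distinguishes a normal run from check mode. The same "This module allow administrators" typo appears in the synopsis.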

+ + +Status +------ + + +Authors +~~~~~~~ + +- Aubin Bikouo (@abikouo) diff --git a/docs/community.okd.openshift_adm_prune_images_module.rst b/docs/community.okd.openshift_adm_prune_images_module.rst new file mode 100644 index 0000000..08fd357 --- /dev/null +++ b/docs/community.okd.openshift_adm_prune_images_module.rst @@ -0,0 +1,569 @@ +.. _community.okd.openshift_adm_prune_images_module: + + +**************************************** +community.okd.openshift_adm_prune_images +**************************************** + +**Remove unreferenced images** + + +Version added: 2.2.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module allow administrators to remove references images. +- Note that if the ``namespace`` is specified, only references images on Image stream for the corresponding namespace will be candidate for prune if only they are not used or references in another Image stream from another namespace. +- Analogous to ``oc adm prune images``. + + + +Requirements +------------ +The below requirements are needed on the host that executes this module. + +- python >= 3.6 +- kubernetes >= 12.0.0 +- docker-image-py + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ all_images + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes ←
  • +
+
+
Include images that were imported from external registries as candidates for pruning.
+
If pruned, all the mirrored objects associated with them will also be removed from the integrated registry.
+
+
+ api_key + +
+ string +
+
+ +
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
+
+
+ ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
+

aliases: ssl_ca_cert
+
+
+ client_cert + +
+ path +
+
+ +
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
+

aliases: cert_file
+
+
+ client_key + +
+ path +
+
+ +
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
+

aliases: key_file
+
+
+ context + +
+ string +
+
+ +
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
+
+
+ host + +
+ string +
+
+ +
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
+
+
+ ignore_invalid_refs + +
+ boolean +
+
+
    Choices: +
  • no ←
  • +
  • yes
  • +
+
+
If set to True, the pruning process will ignore all errors while parsing image references.
+
This means that the pruning process will ignore the intended connection between the object and the referenced image.
+
As a result an image may be incorrectly deleted as unused.
+
+
+ keep_younger_than + +
+ integer +
+
+ +
Specify the minimum age (in minutes) of an image and its referrers for it to be considered a candidate for pruning.
+
+
+ kubeconfig + +
+ raw +
+
+ +
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
+
+
+ namespace + +
+ string +
+
+ +
Use to specify namespace for objects.
+
+
+ password + +
+ string +
+
+ +
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
+
Please read the description of the username option for a discussion of when this option is applicable.
+
+
+ persist_config + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+
Default to false.
+
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
+
+
+ proxy + +
+ string +
+
+ +
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
+
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
+
+
+ proxy_headers + +
+ dictionary +
+
added in 2.0.0
+
+ +
The Header used for the HTTP proxy.
+ +
+
+ basic_auth + +
+ string +
+
+ +
Colon-separated username:password for basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
+
+
+ proxy_basic_auth + +
+ string +
+
+ +
Colon-separated username:password for proxy basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
+
+
+ user_agent + +
+ string +
+
+ +
String representing the user-agent you want, such as foo/1.0.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
+
+
+ prune_over_size_limit + +
+ boolean +
+
+
    Choices: +
  • no ←
  • +
  • yes
  • +
+
+
Specify if images which are exceeding LimitRanges specified in the same namespace, should be considered for pruning.
+
+
+ prune_registry + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes ←
  • +
+
+
If set to False, the prune operation will clean up image API objects, but none of the associated content in the registry is removed.
+
+
+ registry_ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to contact registry. The full certificate chain must be provided to avoid certificate validation errors.
+
+
+ registry_url + +
+ string +
+
+ +
The address to use when contacting the registry, instead of using the default value.
+
This is useful if you can't resolve or reach the default registry but you do have an alternative route that works.
+
Particular transport protocol can be enforced using '<scheme>://' prefix.
+
+
+ registry_validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+
+
+ username + +
+ string +
+
+ +
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
+
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
+
+
+ validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+

aliases: verify_ssl
+
+
+ + +Notes +----- + +.. note:: + - To avoid SSL certificate validation errors when ``validate_certs`` is *True*, the full certificate chain for the API server must be provided via ``ca_cert`` or in the kubeconfig file. + + + +Examples +-------- + +.. code-block:: yaml + + # Prune if only images and their referrers were more than an hour old + - name: Prune image with referrer been more than an hour old + community.okd.openshift_adm_prune_images: + keep_younger_than: 60 + + # Remove images exceeding currently set limit ranges + - name: Remove images exceeding currently set limit ranges + community.okd.openshift_adm_prune_images: + prune_over_size_limit: true + + # Force the insecure http protocol with the particular registry host name + - name: Prune images using custom registry + community.okd.openshift_adm_prune_images: + registry_url: http://registry.example.org + registry_validate_certs: false + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + + + + + + +
KeyReturnedDescription
+
+ deleted_images + +
+ list + / elements=dictionary +
+
success +
The images deleted.
+
+
Sample:
+
[{'apiVersion': 'image.openshift.io/v1', 'dockerImageLayers': [{'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:5e0b432e8ba9d9029a000e627840b98ffc1ed0c5172075b7d3e869be0df0fe9b', 'size': 54932878}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:a84cfd68b5cea612a8343c346bfa5bd6c486769010d12f7ec86b23c74887feb2', 'size': 5153424}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:e8b8f2315954535f1e27cd13d777e73da4a787b0aebf4241d225beff3c91cbb1', 'size': 10871995}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:0598fa43a7e793a76c198e8d45d8810394e1cfc943b2673d7fcf5a6fdc4f45b3', 'size': 54567844}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:83098237b6d3febc7584c1f16076a32ac01def85b0d220ab46b6ebb2d6e7d4d4', 'size': 196499409}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:b92c73d4de9a6a8f6b96806a04857ab33cf6674f6411138603471d744f44ef55', 'size': 6290769}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:ef9b6ee59783b84a6ec0c8b109c409411ab7c88fa8c53fb3760b5fde4eb0aa07', 'size': 16812698}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:c1f6285e64066d36477a81a48d3c4f1dc3c03dddec9e72d97da13ba51bca0d68', 'size': 234}, {'mediaType': 'application/vnd.docker.image.rootfs.diff.tar.gzip', 'name': 'sha256:a0ee7333301245b50eb700f96d9e13220cdc31871ec9d8e7f0ff7f03a17c6fb3', 'size': 2349241}], 'dockerImageManifestMediaType': 'application/vnd.docker.distribution.manifest.v2+json', 'dockerImageMetadata': {'Architecture': 'amd64', 'Config': {'Cmd': ['python3'], 'Env': ['PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'LANG=C.UTF-8', 'GPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568', 'PYTHON_VERSION=3.8.12', 'PYTHON_PIP_VERSION=21.2.4', 'PYTHON_SETUPTOOLS_VERSION=57.5.0', 
'PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/3cb8888cc2869620f57d5d2da64da38f516078c7/public/get-pip.py', 'PYTHON_GET_PIP_SHA256=c518250e91a70d7b20cceb15272209a4ded2a0c263ae5776f129e0d9b5674309'], 'Image': 'sha256:cc3a2931749afa7dede97e32edbbe3e627b275c07bf600ac05bc0dc22ef203de'}, 'Container': 'b43fcf5052feb037f6d204247d51ac8581d45e50f41c6be2410d94b5c3a3453d', 'ContainerConfig': {'Cmd': ['/bin/sh', '-c', '#(nop) ', 'CMD ["python3"]'], 'Env': ['PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'LANG=C.UTF-8', 'GPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568', 'PYTHON_VERSION=3.8.12', 'PYTHON_PIP_VERSION=21.2.4', 'PYTHON_SETUPTOOLS_VERSION=57.5.0', 'PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/3cb8888cc2869620f57d5d2da64da38f516078c7/public/get-pip.py', 'PYTHON_GET_PIP_SHA256=c518250e91a70d7b20cceb15272209a4ded2a0c263ae5776f129e0d9b5674309'], 'Hostname': 'b43fcf5052fe', 'Image': 'sha256:cc3a2931749afa7dede97e32edbbe3e627b275c07bf600ac05bc0dc22ef203de'}, 'Created': '2021-12-03T01:53:41Z', 'DockerVersion': '20.10.7', 'Id': 'sha256:f746089c9d02d7126bbe829f788e093853a11a7f0421049267a650d52bbcac37', 'Size': 347487141, 'apiVersion': 'image.openshift.io/1.0', 'kind': 'DockerImage'}, 'dockerImageMetadataVersion': '1.0', 'dockerImageReference': 'python@sha256:a874dcabc74ca202b92b826521ff79dede61caca00ceab0b65024e895baceb58', 'kind': 'Image', 'metadata': {'annotations': {'image.openshift.io/dockerLayersOrder': 'ascending'}, 'creationTimestamp': '2021-12-07T07:55:30Z', 'name': 'sha256:a874dcabc74ca202b92b826521ff79dede61caca00ceab0b65024e895baceb58', 'resourceVersion': '1139214', 'uid': '33be6ab4-af79-4f44-a0fd-4925bd473c1f'}}, '...']
+
+
+ updated_image_streams + +
+ list + / elements=dictionary +
+
success +
The images streams updated.
+
+
Sample:
+
[{'apiVersion': 'image.openshift.io/v1', 'kind': 'ImageStream', 'metadata': {'annotations': {'openshift.io/image.dockerRepositoryCheck': '2021-12-07T07:55:30Z'}, 'creationTimestamp': '2021-12-07T07:55:30Z', 'generation': 1, 'name': 'python', 'namespace': 'images', 'resourceVersion': '1139215', 'uid': '443bad2c-9fd4-4c8f-8a24-3eca4426b07f'}, 'spec': {'lookupPolicy': {'local': False}, 'tags': [{'annotations': None, 'from': {'kind': 'DockerImage', 'name': 'python:3.8.12'}, 'generation': 1, 'importPolicy': {'insecure': True}, 'name': '3.8.12', 'referencePolicy': {'type': 'Source'}}]}, 'status': {'dockerImageRepository': 'image-registry.openshift-image-registry.svc:5000/images/python', 'publicDockerImageRepository': 'default-route-openshift-image-registry.apps-crc.testing/images/python', 'tags': []}}, '...']
+
+
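Review bot: The `registry_validate_certs` description in docs/community.okd.openshift_adm_prune_images_module.rst is a copy of the `validate_certs` text: "Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable." It should describe verification of the registry's certificate, state the default, and mention the environment variable only if this option really reads it. Otherwise users cannot tell which TLS connection they are disabling. The third example pairs `registry_url: http://registry.example.org` with `registry_validate_certs: false`. Consider showing an https URL with `registry_ca_cert` as the primary example and keeping the plain-http variant clearly scoped to test registries. The synopsis says the module removes "references images" while the short description says "Remove unreferenced images". The wording should be aligned, and the `namespace` sentence in the synopsis is hard to parse and would benefit from a rewrite.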

+ + +Status +------ + + +Authors +~~~~~~~ + +- Aubin Bikouo (@abikouo) diff --git a/docs/community.okd.openshift_import_image_module.rst b/docs/community.okd.openshift_import_image_module.rst new file mode 100644 index 0000000..920c840 --- /dev/null +++ b/docs/community.okd.openshift_import_image_module.rst @@ -0,0 +1,626 @@ +.. _community.okd.openshift_import_image_module: + + +************************************ +community.okd.openshift_import_image +************************************ + +**Import the latest image information from a tag in a container image registry.** + + +Version added: 2.2.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- Image streams allow you to control which images are rolled out to your builds and applications. +- This module fetches the latest version of an image from a remote repository and updates the image stream tag if it does not match the previous value. +- Running the module multiple times will not create duplicate entries. +- When importing an image, only the image metadata is copied, not the image contents. +- Analogous to ``oc import-image``. + + + +Requirements +------------ +The below requirements are needed on the host that executes this module. + +- python >= 3.6 +- kubernetes >= 12.0.0 +- docker-image-py + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ all + +
+ boolean +
+
+
    Choices: +
  • no ←
  • +
  • yes
  • +
+
+
If set to true, import all tags from the provided source on creation or if source is specified.
+
+
+ api_key + +
+ string +
+
+ +
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
+
+
+ ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
+

aliases: ssl_ca_cert
+
+
+ client_cert + +
+ path +
+
+ +
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
+

aliases: cert_file
+
+
+ client_key + +
+ path +
+
+ +
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
+

aliases: key_file
+
+
+ context + +
+ string +
+
+ +
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
+
+
+ host + +
+ string +
+
+ +
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
+
+
+ kubeconfig + +
+ raw +
+
+ +
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
+
+
+ name + +
+ raw + / required +
+
+ +
Image stream to import tag into.
+
This can be provided as a list of images streams or a single value.
+
+
+ namespace + +
+ string + / required +
+
+ +
Use to specify namespace for image stream to create/update.
+
+
+ password + +
+ string +
+
+ +
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
+
Please read the description of the username option for a discussion of when this option is applicable.
+
+
+ persist_config + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+
Default to false.
+
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
+
+
+ proxy + +
+ string +
+
+ +
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
+
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
+
+
+ proxy_headers + +
+ dictionary +
+
added in 2.0.0
+
+ +
The Header used for the HTTP proxy.
+ +
+
+ basic_auth + +
+ string +
+
+ +
Colon-separated username:password for basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
+
+
+ proxy_basic_auth + +
+ string +
+
+ +
Colon-separated username:password for proxy basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
+
+
+ user_agent + +
+ string +
+
+ +
String representing the user-agent you want, such as foo/1.0.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
+
+
+ reference_policy + +
+ string +
+
+
    Choices: +
  • source ←
  • +
  • local
  • +
+
+
Allow to request pullthrough for external image when set to local.
+
+
+ scheduled + +
+ boolean +
+
+
    Choices: +
  • no ←
  • +
  • yes
  • +
+
+
Set each imported Docker image to be periodically imported from a remote repository.
+
+
+ source + +
+ string +
+
+ +
A Docker image repository to import images from.
+
Should be provided as 'registry.io/repo/image'
+
+
+ username + +
+ string +
+
+ +
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
+
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
+
+
+ validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+

aliases: verify_ssl
+
+
+ validate_registry_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
If set to true, allow importing from registries that have invalid HTTPS certificates. or are hosted via HTTP. This parameter will take precedence over the insecure annotation.
+
+
+ + +Notes +----- + +.. note:: + - To avoid SSL certificate validation errors when ``validate_certs`` is *True*, the full certificate chain for the API server must be provided via ``ca_cert`` or in the kubeconfig file. + + + +Examples +-------- + +.. code-block:: yaml + + # Import tag latest into a new image stream. + - name: Import tag latest into new image stream + community.okd.openshift_import_image: + namespace: testing + name: mystream + source: registry.io/repo/image:latest + + # Update imported data for tag latest in an already existing image stream. + - name: Update imported data for tag latest + community.okd.openshift_import_image: + namespace: testing + name: mystream + + # Update imported data for tag 'stable' in an already existing image stream. + - name: Update imported data for tag latest + community.okd.openshift_import_image: + namespace: testing + name: mystream:stable + + # Update imported data for all tags in an existing image stream. + - name: Update imported data for all tags + community.okd.openshift_import_image: + namespace: testing + name: mystream + all: true + + # Import all tags into a new image stream. + - name: Import all tags into a new image stream. + community.okd.openshift_import_image: + namespace: testing + name: mystream + source: registry.io/repo/image:latest + all: true + + # Import all tags into a new image stream for a list of image streams + - name: Import all tags into a new image stream. + community.okd.openshift_import_image: + namespace: testing + name: + - mystream1 + - mystream2 + - mystream3 + source: registry.io/repo/image:latest + all: true + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyReturnedDescription
+
+ result + +
+ list + / elements=dictionary +
+
success +
List with all ImageStreamImport that have been created.
+
+
  +
+ api_version + +
+ string +
+
success +
The versioned schema of this representation of an object.
+
+
  +
+ kind + +
+ string +
+
success +
Represents the REST resource this object represents.
+
+
  +
+ metadata + +
+ dictionary +
+
success +
Standard object metadata. Includes name, namespace, annotations, labels, etc.
+
+
  +
+ spec + +
+ dictionary +
+
success +
Specific attributes of the object. Will vary based on the api_version and kind.
+
+
  +
+ status + +
+ dictionary +
+
success +
Current status details for the object.
+
+
+

+ + +Status +------ + + +Authors +~~~~~~~ + +- Aubin Bikouo (@abikouo) diff --git a/docs/community.okd.openshift_process_module.rst b/docs/community.okd.openshift_process_module.rst index c1bbd5e..7de7e8c 100644 --- a/docs/community.okd.openshift_process_module.rst +++ b/docs/community.okd.openshift_process_module.rst @@ -143,13 +143,14 @@ Parameters kubeconfig
- path + raw
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
@@ -388,7 +389,7 @@ Parameters
Provide a path to a file containing a valid YAML definition of an object or objects to be created or updated. Mutually exclusive with resource_definition. NOTE: kind, api_version, name, and namespace will be overwritten by corresponding values found in the configuration read in from the src file.
Reads from the local file system. To read from the Ansible controller's file system, including vaulted files, use the file lookup plugin or template lookup plugin, combined with the from_yaml filter, and pass the result to resource_definition. See Examples below.
-
Mutually exclusive with template in case of k8s module.
+
Mutually exclusive with template in case of kubernetes.core.k8s module.
diff --git a/docs/community.okd.openshift_registry_info_module.rst b/docs/community.okd.openshift_registry_info_module.rst new file mode 100644 index 0000000..f556d0f --- /dev/null +++ b/docs/community.okd.openshift_registry_info_module.rst @@ -0,0 +1,464 @@ +.. _community.okd.openshift_registry_info_module: + + +************************************* +community.okd.openshift_registry_info +************************************* + +**Display information about the integrated registry.** + + +Version added: 2.2.0 + +.. contents:: + :local: + :depth: 1 + + +Synopsis +-------- +- This module exposes information about the integrated registry. +- Use ``check`` to verify your local client can access the registry. +- If the adminstrator has not configured a public hostname for the registry then this command may fail when run outside of the server. +- Analogous to ``oc registry info``. + + + +Requirements +------------ +The below requirements are needed on the host that executes this module. + +- python >= 3.6 +- kubernetes >= 12.0.0 +- docker-image-py + + +Parameters +---------- + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterChoices/DefaultsComments
+
+ api_key + +
+ string +
+
+ +
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
+
+
+ ca_cert + +
+ path +
+
+ +
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.
+

aliases: ssl_ca_cert
+
+
+ check + +
+ boolean +
+
+
    Choices: +
  • no ←
  • +
  • yes
  • +
+
+
Attempt to contact the integrated registry using local client.
+
+
+ client_cert + +
+ path +
+
+ +
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.
+

aliases: cert_file
+
+
+ client_key + +
+ path +
+
+ +
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.
+

aliases: key_file
+
+
+ context + +
+ string +
+
+ +
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
+
+
+ host + +
+ string +
+
+ +
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
+
+
+ kubeconfig + +
+ raw +
+
+ +
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
+
+
+ password + +
+ string +
+
+ +
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
+
Please read the description of the username option for a discussion of when this option is applicable.
+
+
+ persist_config + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+
Default to false.
+
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
+
+
+ proxy + +
+ string +
+
+ +
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
+
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
+
+
+ proxy_headers + +
+ dictionary +
+
added in 2.0.0
+
+ +
The Header used for the HTTP proxy.
+ +
+
+ basic_auth + +
+ string +
+
+ +
Colon-separated username:password for basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment.
+
+
+ proxy_basic_auth + +
+ string +
+
+ +
Colon-separated username:password for proxy basic authentication header.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment.
+
+
+ user_agent + +
+ string +
+
+ +
String representing the user-agent you want, such as foo/1.0.
+
Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment.
+
+
+ username + +
+ string +
+
+ +
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
+
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need.
+
+
+ validate_certs + +
+ boolean +
+
+
    Choices: +
  • no
  • +
  • yes
  • +
+
+
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.
+

aliases: verify_ssl
+
+
+ + +Notes +----- + +.. note:: + - To avoid SSL certificate validation errors when ``validate_certs`` is *True*, the full certificate chain for the API server must be provided via ``ca_cert`` or in the kubeconfig file. + + + +Examples +-------- + +.. code-block:: yaml + + # Get registry information + - name: Read integrated registry information + community.okd.openshift_registry_info: + + # Read registry integrated information and attempt to contact using local client. + - name: Attempt to contact integrated registry using local client + community.okd.openshift_registry_info: + check: yes + + + +Return Values +------------- +Common return values are documented `here `_, the following are the fields unique to this module: + +.. raw:: html + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyReturnedDescription
+
+ check + +
+ dictionary +
+
success +
Whether the local client can contact or not the registry.
+
+
  +
+ msg + +
+ string +
+
always +
message describing the ping operation.
+
+
  +
+ reached + +
+ string +
+
success +
Whether the registry has been reached or not.
+
+
+
+ internal_hostname + +
+ string +
+
success +
The internal registry hostname.
+
+
+
+ public_hostname + +
+ string +
+
success +
The public registry hostname.
+
+
+

+ + +Status +------ + + +Authors +~~~~~~~ + +- Aubin Bikouo (@abikouo) diff --git a/docs/community.okd.openshift_route_module.rst b/docs/community.okd.openshift_route_module.rst index c3be683..fc62623 100644 --- a/docs/community.okd.openshift_route_module.rst +++ b/docs/community.okd.openshift_route_module.rst @@ -19,7 +19,7 @@ Synopsis -------- - Looks up a Service and creates a new Route based on it. - Analogous to `oc expose` and `oc create route` for creating Routes, but does not support creating Services. -- For creating Services from other resources, see kubernetes.core.k8s_expose +- For creating Services from other resources, see kubernetes.core.k8s. @@ -43,6 +43,23 @@ Parameters Choices/Defaults Comments + + +
+ annotations + +
+ dictionary +
+
added in 2.1.0
+ + + + +
Specify the Route Annotations.
+
A set of key: value pairs.
+ +
@@ -176,13 +193,14 @@ Parameters kubeconfig
- path + raw
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
+
The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0.
@@ -808,6 +826,8 @@ Examples service: hello-kubernetes namespace: default insecure_policy: allow + annotations: + haproxy.router.openshift.io/balance: roundrobin register: route diff --git a/galaxy.yml b/galaxy.yml index 12f7df7..53e9220 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -24,4 +24,4 @@ tags: - okd - cluster # Also needs to be updated in the Makefile -version: 2.1.0 +version: 2.2.0
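Review bot: In docs/community.okd.openshift_import_image_module.rst, the `validate_registry_certs` description contradicts the option's name. It reads "If set to true, allow importing from registries that have invalid HTTPS certificates. or are hosted via HTTP", so setting a validate_* option to yes is documented as switching verification off. Either reword it so that true means the registry certificate is verified, or, if true really does permit insecure imports, say so explicitly and mark the default in the Choices column, which currently marks none. A reader who sets it to yes expecting validation would otherwise get the opposite. The same sentence has a stray full stop before "or are hosted". In the Examples, the task under the comment "Update imported data for tag 'stable'" is still named "Update imported data for tag latest".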
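Review bot: In docs/community.okd.openshift_registry_info_module.rst, the Return Values table types `reached` (under `check`) as string while describing it as "Whether the registry has been reached or not". A yes/no result should be documented as boolean so that playbooks can test it directly; if the module really returns a string, the description should list the possible values. In the Synopsis, "adminstrator" is misspelled, and "Whether the local client can contact or not the registry" would read better as "Whether the local client can contact the registry".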
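Review bot: In the kubeconfig hunk of docs/community.okd.openshift_process_module.rst (@@ -143,13 +143,14 @@, repeated in openshift_route_module.rst), the type changes from path to raw but the description still opens with "Path to an existing Kubernetes config file", and the dictionary form is tied to "python kubernetes client version >= 17.17.0" without saying what happens on an older client. The new openshift_registry_info page in this patch lists "kubernetes >= 12.0.0" under Requirements, so a user can satisfy the stated requirement and still be unable to use the dictionary form. Suggest rewording the first sentence to cover both forms, documenting the behaviour on older clients, and adding a sentence that an inline kubeconfig dictionary contains credentials and should be supplied from a vaulted variable or lookup rather than plain playbook vars.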