Merge pull request #55 from ansible-collections/49-missing-pr-63219

k8s: persist refreshed tokens
2026-03-26 21:33:02 +00:00 · 2020-03-12 14:08:36 -05:00
parent c5ba4bb13a 5cb93f16b6
commit 5924561afc
2 changed files with 19 additions and 2 deletions
--- a/plugins/doc_fragments/k8s_auth_options.py
+++ b/plugins/doc_fragments/k8s_auth_options.py
@@ -76,6 +76,19 @@ options:
    - Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
    version_added: "2.9"
    type: str
+  persist_config:
+    description:
+    - Whether or not to save the kube config refresh tokens.
+      Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+    - When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth),
+      the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can
+      expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the
+      new refresh token to the kube config file.
+    - Default to false.
+    - Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+    - "The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169"
+    type: bool
+    version_added: "2.10"
 notes:
  - "The OpenShift Python client wraps the K8s Python client, providing full access to
    all of the APIS and models available on both platforms. For API version details and
--- a/plugins/module_utils/common.py
+++ b/plugins/module_utils/common.py
@@ -126,6 +126,9 @@ AUTH_ARG_SPEC = {
    'proxy': {
        'type': 'str',
    },
+    'persist_config': {
+        'type': 'bool',
+    },
 }

 # Map kubernetes-client parameters to ansible parameters
@@ -141,6 +144,7 @@ AUTH_ARG_MAP = {
    'cert_file': 'client_cert',
    'key_file': 'client_key',
    'proxy': 'proxy',
+    'persist_config': 'persist_config',
 }


@@ -182,13 +186,13 @@ class K8sAnsibleMixin(object):
            # We have enough in the parameters to authenticate, no need to load incluster or kubeconfig
            pass
        elif auth_set('kubeconfig') or auth_set('context'):
-            kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'))
+            kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'), persist_config=auth.get('persist_config'))
        else:
            # First try to do incluster config, then kubeconfig
            try:
                kubernetes.config.load_incluster_config()
            except kubernetes.config.ConfigException:
-                kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'))
+                kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'), persist_config=auth.get('persist_config'))

        # Override any values in the default configuration with Ansible parameters
        configuration = kubernetes.client.Configuration()