From 5cb93f16b69557d8be3105f9eb36cf009b4d2639 Mon Sep 17 00:00:00 2001
From: Fabrice Rabaute
Date: Thu, 12 Mar 2020 13:50:24 -0500
Subject: [PATCH] k8s: persist refreshed tokens

When the ansible k8s module is refreshing the tokens from the local kube config, it should save those token to the kube config file. If this is not done, this might break the next kube client call as the token in the local kube config file is not valid anymore and refreshing can fail. This commit is adding an env var K8S_AUTH_PERSIST_CONFIG that can be used to set this flag to true (default is false, same as current behavior).
---
 plugins/doc_fragments/k8s_auth_options.py | 13 +++++++++++++
 plugins/module_utils/common.py | 8 ++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/plugins/doc_fragments/k8s_auth_options.py b/plugins/doc_fragments/k8s_auth_options.py
index 9decda11..22b52414 100644
--- a/plugins/doc_fragments/k8s_auth_options.py
+++ b/plugins/doc_fragments/k8s_auth_options.py
@@ -76,6 +76,19 @@ options:
 - Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
 version_added: "2.9"
 type: str
+ persist_config:
+ description:
+ - Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
+ - When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
+ - Default to false.
+ - Please note that the current version of the k8s python client library does not support setting this flag to True yet.
+ - "The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169"
+ type: bool
+ version_added: "2.10"
 notes:
 - "The OpenShift Python client wraps the K8s Python client, providing full access to all of the APIS and models available on both platforms. For API version details and
diff --git a/plugins/module_utils/common.py b/plugins/module_utils/common.py
index 6de6f478..7c88f5be 100644
--- a/plugins/module_utils/common.py
+++ b/plugins/module_utils/common.py
@@ -126,6 +126,9 @@ AUTH_ARG_SPEC = {
 'proxy': {
 'type': 'str',
 },
+ 'persist_config': {
+ 'type': 'bool',
+ },
 }
 # Map kubernetes-client parameters to ansible parameters
@@ -141,6 +144,7 @@ AUTH_ARG_MAP = {
 'cert_file': 'client_cert',
 'key_file': 'client_key',
 'proxy': 'proxy',
+ 'persist_config': 'persist_config',
 }
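Review bot: The new `'persist_config'` entry in `AUTH_ARG_SPEC` declares only `'type': 'bool'`, so nothing in this hunk binds the `K8S_AUTH_PERSIST_CONFIG` environment variable that the commit message and doc fragment advertise. If the collection resolves `K8S_AUTH_<NAME>` generically somewhere outside this hunk, confirm that path coerces the string to a bool, because a raw `os.getenv` value such as `"false"` or `"0"` is truthy and would silently turn token persistence on; otherwise bind it explicitly with `'fallback': (env_fallback, ['K8S_AUTH_PERSIST_CONFIG'])` if `env_fallback` is in scope in this module. The doc fragment also states the option defaults to false while the spec leaves it unset, so consumers receive `None` rather than `False`; either add `'default': False` here or have the consumer treat `None` as false explicitly. `AUTH_ARG_SPEC` itself starts before this hunk.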
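Review bot: Adding `'persist_config': 'persist_config'` to `AUTH_ARG_MAP` does not fit what the map is documented to hold: the comment above it says it maps kubernetes-client configuration parameters to Ansible parameters, and `persist_config` is a keyword of `load_kube_config()`, not an attribute of `kubernetes.client.Configuration`. If, as the "Override any values in the default configuration" comment later in the patch suggests, this map drives a `setattr(configuration, key, value)` loop, the entry would stamp a stray `persist_config` attribute onto the client configuration object with no effect, while the call sites that need the value already read `auth.get('persist_config')` directly, so the entry could simply be dropped. If the map is also consulted for something else (for example the env-var lookup), keep it but say why next to the entry, e.g. `# not a Configuration attribute; kept for the K8S_AUTH_* lookup`. `AUTH_ARG_MAP` starts before this hunk.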
@@ -182,13 +186,13 @@ class K8sAnsibleMixin(object):
 # We have enough in the parameters to authenticate, no need to load incluster or kubeconfig
 pass
 elif auth_set('kubeconfig') or auth_set('context'):
- kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'))
+ kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'), persist_config=auth.get('persist_config'))
 else:
 # First try to do incluster config, then kubeconfig
 try:
 kubernetes.config.load_incluster_config()
 except kubernetes.config.ConfigException:
- kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'))
+ kubernetes.config.load_kube_config(auth.get('kubeconfig'), auth.get('context'), persist_config=auth.get('persist_config'))
 # Override any values in the default configuration with Ansible parameters
 configuration = kubernetes.client.Configuration()
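Review bot: Both new `load_kube_config` calls forward `auth.get('persist_config')` unchanged, which is `None` whenever the option and its env var are unset, so the client receives `persist_config=None` instead of a bool; computing `persist = bool(auth.get('persist_config'))` once above the `elif` and passing `persist_config=persist` in both places makes the intended "default false" explicit and keeps the two duplicated call sites from drifting. Whether the installed kubernetes client accepts a `persist_config` keyword at all depends on its version, and the doc fragment in this same commit says the current library cannot yet honor `True`, so a version check or a clear module failure would be kinder than a `TypeError` raised from inside `load_kube_config`. When persistence is enabled the refreshed bearer/refresh token is written back into the kubeconfig on whichever host runs the module, so the option description should carry a caveat about the ownership and mode of that file, e.g. `# persist_config rewrites the kubeconfig with a fresh credential; the file must stay 0600`. The enclosing method of `K8sAnsibleMixin` starts before and ends after this hunk.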