What does adding K8s credentials to a playbook actually do?

I’ve been trying to use AWX 15 to deploy applications to kubernetes with a playbook including helm. This Works On My Machine ™ using ansible-playbook. Apart from actually getting the helm binary into the awx pods (I’ve stuffed it in the project repo for now), I am hitting issues with credentials.

I have created a service-account for awx to use with this playbook, created a credential for that in awx, and attached it to the job template. However, when the helm task runs, it is reporting errors with permissions, but they are for the ‘awx’ SA, not my new ‘awx-deploy’ SA. I had a trawl through the awx code, to try and figure out what k8s credentials actually do, and there are no injectors (for environment vars, config files or whatever)…

Do K8s credentials actually get passed to playbooks? The manual doesn’t explicitly say.

Thanks in advance,

Howie

Answering my own question, for the sake of future searchers:

It defines environment variables:
K8S_AUTH_HOST - the URL for the K8S API endpoint
K8S_AUTH_API_KEY - the API token
K8S_AUTH_SSL_CA_CERT - PATH to a temporary file with the CA cert
K8S_AUTH_VERIFY_SSL (True or False - if False, CA cert is not defined)

This is fine for some of the collection.kubernetes.* modules but not c.k.helm. That currently requires you to generate a kubeconfig file.

@Howard,
Thanks for the post. I am facing a similar issue trying to use the community.kubernetes.helm modules.

Could you please share how you created a kubeconfig to use with this collection?

I *think* the latest release of the modules addresses this, but I documented what I did in the GitHub issue:

https://github.com/ansible-collections/community.kubernetes/issues/279#issuecomment-720742644
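
An added example, not taken from this thread or from the linked GitHub issue: one way to turn the four environment variables listed above into a kubeconfig that a helm task can be pointed at. The function names, the context name `awx` and the user name `awx-deploy` are assumptions chosen for illustration; the file is written as JSON, which kubeconfig loaders accept because JSON is valid YAML.

```python
import base64
import json
import os
import tempfile


def build_kubeconfig(env):
    """Build a kubeconfig dict from the K8S_AUTH_* variables set by the credential."""
    cluster = {"server": env["K8S_AUTH_HOST"]}
    verify = str(env.get("K8S_AUTH_VERIFY_SSL", "True")).strip().lower() != "false"
    ca_path = env.get("K8S_AUTH_SSL_CA_CERT")
    if not verify:
        # Mirrors the credential's "verify SSL = False" setting; no CA is defined then.
        cluster["insecure-skip-tls-verify"] = True
    elif ca_path:
        # The CA file is temporary, so embed its contents instead of its path.
        with open(ca_path, "rb") as fh:
            cluster["certificate-authority-data"] = base64.b64encode(fh.read()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "awx", "cluster": cluster}],
        "users": [{"name": "awx-deploy", "user": {"token": env["K8S_AUTH_API_KEY"]}}],
        "contexts": [{"name": "awx", "context": {"cluster": "awx", "user": "awx-deploy"}}],
        "current-context": "awx",
    }


def write_kubeconfig(config, directory=None):
    """Write the kubeconfig to a new file readable only by the current user."""
    # mkstemp creates the file with mode 0600, so the bearer token is not
    # exposed to other local users while the job runs.
    fd, path = tempfile.mkstemp(prefix="kubeconfig-", suffix=".json", dir=directory)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh)
    return path


if __name__ == "__main__":
    # Inside a job these variables come from the attached credential.
    print(write_kubeconfig(build_kubeconfig(os.environ)))
```

The printed path can be handed to the helm task (for example through the `KUBECONFIG` environment variable); delete the file when the task finishes, since it contains the service account token.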

Tower 3.6.0 user here. In this version there is an additional type of credential (OpenShift or Kubernetes API Bearer Token).
Is that the type of credential you are referring to here?
I am interested in using this credential with playbooks; however, in the template it is not available (even though I have created the credential already).
Any idea how to use this that way? Thanks.

OK, it seems to be available from Tower 3.8 only. Not sure why Red Hat added the credential capability in 3.6 then. Anyway, not AWX related.

Yes, I believe it was originally added for something else (scaling for worker processes?), and then updated to actually set environment variables. On awx, that was in 14.0.0 if I recall from last year. I don't know what that translates to as far as Tower is concerned.

There were also some recent changes in the kubernetes galaxy collection, so that the helm module would use secrets in the form that awx provides (previously the k8s module did, but helm didn't), without needing a generated .kubeconfig anymore.