4 12 2015
Openshift 3 – where is my permanent token?
talset | ansible, devops, docker, monitoring, openshift3, python, redhat, tools |
Generally, for monitoring or metering purposes it is better to access the service with a dedicated account.
For example, on Galera we can create a read-only user for the monitoring. But in OpenShift?
The first idea is to create a dedicated user and add the right role so that it is able to read information at the cluster level:
htpasswd /etc/origin/openshift-passwd monitoring
oadm policy add-cluster-role-to-user cluster-reader monitoring
create the user and assign it the cluster-reader role
Now in your script you can use the login/password and connect to the API on every check. To avoid a lot of unnecessary connections, you could use the temporary token (valid for 24h) and reconnect every 24h to get a new one.
The problem with that method is that the monitoring user has a namespace and the right to create projects.
In OpenShift we have a better way to access the cluster data via the OpenShift API: we can use a service account.
Create a service account
echo '{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "name": "monitoring"
  }
}' > monitoringSA.json
oc create -f monitoringSA.json
create the monitoring service account
To be able to assign a role at the cluster level you have to use oadm (the OpenShift admin CLI), and set the right role to read all the information:
oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:monitoring
assign the cluster-reader role
By default, 2 secrets are created:
- API token for openshift
- credentials for the internal Docker registry
The API token is permanent, so you can use the same one every time in your check.
How to get the permanent API token?
To get the API token you have 2 solutions.
Solution 1: oc describe
Get the token with the oc describe command (with a system:admin account):
oc get secrets
NAME                     TYPE                                  DATA      AGE
monitoring-token-7o4eh   kubernetes.io/service-account-token   2         1d
oc describe secret monitoring-token-7o4eh | grep token:
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im1ldHJpY3MtdG9rZW4tN280ZWgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibWV0cmljcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFiNjgzMWM1LTg5ZjItMTFlNS04NmFkLTA2ZmY1ZDRjMjZkZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0Om1ldHJpY3MifQ.WUjOegMHQ9EJHw26nMSMHiGcqtvjbhQ4XZXdfSZdtkC2w_yqb_8O8RECb91V5g20iNWCsEAUuy2Im0BNJj6m_T_KbXt5AKHA1vD4VxbeljLjzdgEMJrVL7vyIQsCUQ7XBoXvM31ghecnCLj7NARfeRhQLY9Bl-a70HIBy956ZHG6dvnxYe5f5pBt9fLGnezHT7oZ0pY1GOsKbQ-XNYxz-_cndSmneI6JD9IoEnW0clnnIixRCF0hqVw-Nm5dgwNsschGBYpnkiSJE6sddfS45jaodPI68zaPkM0ym4yXkLfjBUeWaDmSn6tCd7LK__7n8UzzQZB6fWQb3q-CdN3A
describe secret
Solution 2: get it with oc get -ojson
oc get secret monitoring-token-7o4eh -ojson | grep token
# or directly
oc get secret monitoring-token-7o4eh --template='{{.data.token}}'
oc get -o json
But be careful /!\ The token returned in the JSON output is base64-encoded, so to decode it you should use base64 --decode:
oc get secret monitoring-token-7o4eh --template='{{.data.token}}' | base64 --decode
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im1ldHJpY3MtdG9rZW4tN280ZWgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibWV0cmljcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFiNjgzMWM1LTg5ZjItMTFlNS04NmFkLTA2ZmY1ZDRjMjZkZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0Om1ldHJpY3MifQ.WUjOegMHQ9EJHw26nMSMHiGcqtvjbhQ4XZXdfSZdtkC2w_yqb_8O8RECb91V5g20iNWCsEAUuy2Im0BNJj6m_T_KbXt5AKHA1vD4VxbeljLjzdgEMJrVL7vyIQsCUQ7XBoXvM31ghecnCLj7NARfeRhQLY9Bl-a70HIBy956ZHG6dvnxYe5f5pBt9fLGnezHT7oZ0pY1GOsKbQ-XNYxz-_cndSmneI6JD9IoEnW0clnnIixRCF0hqVw-Nm5dgwNsschGBYpnkiSJE6sddfS45jaodPI68zaPkM0ym4yXkLfjBUeWaDmSn6tCd7LK__7n8UzzQZB6fWQb3q-CdN3A
decode base64 token
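Here is how a monitoring check can consume that secret end to end, as an added example that is not code from the original post. It takes the JSON that oc get secret -ojson prints, base64-decodes .data.token (the step warned about above), decodes the JWT claims to confirm the token really belongs to system:serviceaccount:default:monitoring before using it, and builds the Bearer request for the API. The secret JSON and the JWT inside it are constructed for the example (the claim names match what OpenShift 3 puts in a service-account token; the signature is a dummy); the master URL https://master.example.com:8443 and the list_node_names helper are assumptions, and nothing here verifies the JWT signature, which only the API server does.

```python
"""Use a service-account token from `oc get secret ... -ojson` in a monitoring check.

Added example, not from the original post. The secret below is constructed; the JWT
inside it carries the same claim names a real OpenShift 3 token does but a dummy
signature. Claims are decoded only to confirm which account we authenticate as.
"""
import base64
import json
import ssl
import urllib.request


def _b64url(raw: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# --- constructed sample data (not real cluster output) -----------------------
_HEADER = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_PAYLOAD = _b64url(json.dumps({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "monitoring-token-7o4eh",
    "kubernetes.io/serviceaccount/service-account.name": "monitoring",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-4000-8000-000000000000",
    "sub": "system:serviceaccount:default:monitoring",
}).encode())
_SIGNATURE = _b64url(b"\x00" * 32)  # dummy; a real token carries an RS256 signature
SAMPLE_JWT = f"{_HEADER}.{_PAYLOAD}.{_SIGNATURE}"

# Shape of `oc get secret monitoring-token-7o4eh -ojson`: every value under .data is base64.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "monitoring-token-7o4eh", "namespace": "default"},
    "type": "kubernetes.io/service-account-token",
    "data": {
        "token": base64.b64encode(SAMPLE_JWT.encode()).decode(),
        "ca.crt": base64.b64encode(b"constructed CA placeholder").decode(),
    },
})


def token_from_secret_json(secret_json: str) -> str:
    """Return the decoded bearer token from a service-account-token secret."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError(f"not a service-account token secret: {secret.get('type')}")
    # .data.token is base64 in JSON output; decode it before putting it in a header.
    return base64.b64decode(secret["data"]["token"]).decode()


def ca_cert_from_secret_json(secret_json: str) -> bytes:
    """The cluster CA shipped in the same secret, for verifying the master's TLS cert."""
    return base64.b64decode(json.loads(secret_json)["data"]["ca.crt"])


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token is not a three-segment JWT")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_owner(claims: dict, namespace: str, name: str) -> bool:
    """True if the token was issued to system:serviceaccount:<namespace>:<name>."""
    return (
        claims.get("sub") == f"system:serviceaccount:{namespace}:{name}"
        and claims.get("kubernetes.io/serviceaccount/namespace") == namespace
        and claims.get("kubernetes.io/serviceaccount/service-account.name") == name
    )


def build_nodes_request(api_url: str, token: str) -> urllib.request.Request:
    """GET /api/v1/nodes authenticated with the permanent token (cluster-reader suffices)."""
    return urllib.request.Request(
        f"{api_url.rstrip('/')}/api/v1/nodes",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )


def list_node_names(api_url: str, token: str, ca_cert_pem: bytes) -> list:
    """Run the check against a live master, verifying TLS with the secret's ca.crt."""
    ctx = ssl.create_default_context(cadata=ca_cert_pem.decode())
    with urllib.request.urlopen(build_nodes_request(api_url, token), context=ctx) as resp:
        return [item["metadata"]["name"] for item in json.load(resp)["items"]]


if __name__ == "__main__":
    tok = token_from_secret_json(SAMPLE_SECRET_JSON)
    claims = jwt_claims(tok)
    print("token owner ok:", check_token_owner(claims, "default", "monitoring"))
    # Against a real cluster (assumed URL):
    # list_node_names("https://master.example.com:8443", tok,
    #                 ca_cert_from_secret_json(SAMPLE_SECRET_JSON))
```

The owner check is worth keeping in a real script: it catches the case where the secret you copied belongs to a different service account than the one you granted cluster-reader to, and the ca.crt from the same secret lets the check verify the master's certificate instead of disabling TLS verification.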
Now go play with your permanent token.
In the latest version of OpenShift, you can also do
oc create serviceaccount my-sa
oc sa new-token my-sa
Yes, for your first command it is already available in the Kubernetes and Origin clients, not yet in OSE, but it should arrive soon.
Creating a new token is not needed because we already have a token by default with the SA. However, you are right, we have a lot of easier commands available and we should use them now.
You do have a fabulous blog, thanks.