4 12 2015
OpenShift 3 – where is my permanent token?
Generally, for monitoring or metering purposes it is better to access the service with a dedicated account.
For example, on Galera we can create a read-only user for monitoring. But in OpenShift?
The first idea is to create a dedicated user and add the right role so that it can read information at the cluster level.
Now your script can use the login/password and connect to the API on every check. To avoid a lot of unnecessary connections, you could use the temporary token (available 24h) and reconnect every 24h to get a new one.
The problem with that method is that the monitoring user has a namespace and the rights to create projects.
OpenShift has a better way to access the cluster data through the OpenShift API: we can use a service account.
Create a service account
To assign a role at the cluster level you have to use oadm (the OpenShift admin CLI) and set the right role to read all the information.
By default, 2 secrets are created:
- API token for openshift
- credentials for the internal Docker registry
The API token is permanent, so you can use the same one each time in your check.
How to get the permanent API token?
To get the API token you have 2 solutions.
Solution 1: oc describe
Get the token with the oc describe command (with a system:admin account).
Solution 2: oc get -ojson
But be careful /!\ The token returned in the JSON output is encoded in base64, so to decode it you should use base64 --decode.
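The base64 caveat above, as an added Python example (not from the original post or the linked plugin): it takes the JSON of a service account token secret, decodes `data.token`, and refuses to build an `Authorization` header from a value that is still encoded. The sample secrets, the secret name and the JWT-shaped string are constructed for illustration.

```python
import base64
import json

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"

# Constructed sample data: a dummy JWT-shaped string, not a real credential.
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJleGFtcGxlIn0.c2lnbmF0dXJl"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_JWT.encode()).decode()
SAMPLE_SECRET = json.dumps({
    "kind": "Secret",
    "type": SA_TOKEN_TYPE,
    "metadata": {"name": "monitoring-token-xxxxx"},  # hypothetical name
    "data": {"token": SAMPLE_ENCODED},
})
# The second default secret (registry credentials) carries no API token.
SAMPLE_DOCKERCFG = json.dumps({
    "kind": "Secret",
    "type": "kubernetes.io/dockercfg",
    "data": {".dockercfg": "e30="},
})


def token_from_secret(secret_json):
    """Return the decoded API token from the JSON of one secret."""
    secret = json.loads(secret_json)
    if secret.get("type") != SA_TOKEN_TYPE:
        raise ValueError("not a token secret: %r" % secret.get("type"))
    encoded = secret.get("data", {}).get("token")
    if not encoded:
        raise ValueError("secret has no data.token field")
    # validate=True rejects stray characters instead of skipping them.
    return base64.b64decode(encoded, validate=True).decode("ascii").strip()


def looks_decoded(token):
    """A decoded token is a JWT: three dot-separated parts, starting 'eyJ'.
    The still-encoded form has no dots and starts with 'ZXlK'."""
    return token.startswith("eyJ") and token.count(".") == 2


def auth_header(token):
    """Build the bearer header, failing early on a still-encoded token."""
    if not looks_decoded(token):
        raise ValueError("token is not a decoded JWT; base64-decode it first")
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    print(auth_header(token_from_secret(SAMPLE_SECRET)))
```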
Now go play with your permanent token.
- sensu/nagios openshift check : https://github.com/talset/monitoring-plugins/blob/master/openshift/check_openshift.py
- ansible fact to get service IP : https://github.com/talset/monitoring-plugins/blob/master/openshift/check_openshift.py