readme.fr

Hot opensource news

Openshift 3 – where is my permanant token ?

Generally for monitoring or metering purpose it’s better to access to the service with a  dedicated account.
For example on galera we can create a read only user for the monitoring. But in openshift ?

The first idea is to create a dedicated user and add the right role to be able to read information at the cluster level

htpasswd /etc/origin/openshift-passwd monitoring

oadm policy add-cluster-role-to-user cluster-reader monitoring
create user and affect role cluster reader

Now in your script you can use the login/password and connect to the api every check. To avoid a lot of unnecessary connection, you could use the temporary token (available 24h) and reconnect each 24h to have a new one.

The problem with that methode is the user monitoring have a namespace and rights to create projects.

In openshift we have a better way to access to the cluster data via openshift api. We could use service account.

Create a service account

echo '{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "name": "monitoring"
  }
}' > monitoringSA.json
 
oc create -f monitoringSA.json
create monitoring serviceaccount

To be able to affect role at cluster level you have to use the oadm (openshift admin cli). And set the right role to read all the informations

oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:monitoring
set role cluster-reader

By defaut 2 secrets are created

  • API token for openshift
  • credentials for the internal Docker registry

The API token is permanent, so you could use the same each time in your check.

How to get the permanent API token ?

To get the api token you have 2 solutions

Solution 1 : oc describe

Get the token with oc describe command (with a system:admin account)

oc get secrets
NAME                       TYPE                                  DATA      AGE
monitoring-token-7o4eh        kubernetes.io/service-account-token   2         1d

oc describe secret monitoring-token-7o4eh | grep token:
token:	eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im1ldHJpY3MtdG9rZW4tN280ZWgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibWV0cmljcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFiNjgzMWM1LTg5ZjItMTFlNS04NmFkLTA2ZmY1ZDRjMjZkZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0Om1ldHJpY3MifQ.WUjOegMHQ9EJHw26nMSMHiGcqtvjbhQ4XZXdfSZdtkC2w_yqb_8O8RECb91V5g20iNWCsEAUuy2Im0BNJj6m_T_KbXt5AKHA1vD4VxbeljLjzdgEMJrVL7vyIQsCUQ7XBoXvM31ghecnCLj7NARfeRhQLY9Bl-a70HIBy956ZHG6dvnxYe5f5pBt9fLGnezHT7oZ0pY1GOsKbQ-XNYxz-_cndSmneI6JD9IoEnW0clnnIixRCF0hqVw-Nm5dgwNsschGBYpnkiSJE6sddfS45jaodPI68zaPkM0ym4yXkLfjBUeWaDmSn6tCd7LK__7n8UzzQZB6fWQb3q-CdN3A
describe secret

Solution 2 : Get with oc get -ojson

oc get  secret monitoring-token-7o4eh -ojson | grep token
#or directly
oc get  secret monitoring-token-7o4eh --template='{{.data.token}}'
oc get -o json

But be careful /!\  The token returned in json output is encoded in base64. So to decoded you should use base64 –decode

oc get  secret monitoring-token-7o4eh --template='{{.data.token}}' | base64 --decode	

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im1ldHJpY3MtdG9rZW4tN280ZWgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibWV0cmljcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFiNjgzMWM1LTg5ZjItMTFlNS04NmFkLTA2ZmY1ZDRjMjZkZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0Om1ldHJpY3MifQ.WUjOegMHQ9EJHw26nMSMHiGcqtvjbhQ4XZXdfSZdtkC2w_yqb_8O8RECb91V5g20iNWCsEAUuy2Im0BNJj6m_T_KbXt5AKHA1vD4VxbeljLjzdgEMJrVL7vyIQsCUQ7XBoXvM31ghecnCLj7NARfeRhQLY9Bl-a70HIBy956ZHG6dvnxYe5f5pBt9fLGnezHT7oZ0pY1GOsKbQ-XNYxz-_cndSmneI6JD9IoEnW0clnnIixRCF0hqVw-Nm5dgwNsschGBYpnkiSJE6sddfS45jaodPI68zaPkM0ym4yXkLfjBUeWaDmSn6tCd7LK__7n8UzzQZB6fWQb3q-CdN3A
decode base64 token

Now go play with your permanent token.

grumpysandbox

Additional links

talset
talset on Githubtalset on Linkedin

, , , , ,

3 thoughts on “Openshift 3 – where is my permanant token ?

  • Jordan Liggitt says:

    In the latest version of OpenShift, you can also do

    oc create serviceaccount my-sa
    oc sa new-token my-sa

    • talset says:

      yes for your first command it is already available in kubernetes and origin client, not yet in OSE but it should arrived soon.
      Create a new token is not needed because we already have a token by default with SA. However you are right we have a lot of easier available commands and we should use them now

  • sikis izle says:

    You do have a fabulous blog thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *