Can't refresh OIDC tokens when using k8s lookup #641

Open
dimm0 opened this issue Aug 3, 2023 · 1 comment
dimm0 commented Aug 3, 2023

SUMMARY

When using the k8s lookup for a cluster that uses OIDC tokens, Ansible can't refresh the token.

When the token is not expired, it works as it should.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

k8s lookup

ANSIBLE VERSION
➜  ~ ansible --version
ansible [core 2.15.1]
  config file = None
  configured module search path = ['/Users/dimm/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/8.1.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/dimm/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.11.4 (main, Jun 20 2023, 17:23:00) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/opt/homebrew/Cellar/ansible/8.1.0/libexec/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION

CONFIGURATION
➜  ~ ansible-config dump --only-changed -t all
CONFIG_FILE() = None
PAGER(env: PAGER) = less
OS / ENVIRONMENT

MacOS

STEPS TO REPRODUCE
- name: Get Kubernetes nodes
  gather_facts: false
  hosts: all
  tags:
    - always
  vars:
    k8s_nodes: "{{ lookup('k8s', api_version='v1', kind='node') }}"
  tasks:
    - name: Add host to inventory
      delegate_to: localhost
      ansible.builtin.add_host:
        hostname: "{{ item | json_query('status.addresses[1].address') }}"
        groups:
          - current
      loop: "{{ k8s_nodes }}"
      loop_control:
        label: "{{ item | json_query('status.addresses[1].address') }}"
EXPECTED RESULTS

Expect the Ansible library to renew the token via the OIDC mechanism

ACTUAL RESULTS

The renewal fails with message:

The message is:

/opt/homebrew/Cellar/ansible/8.1.0/libexec/lib/python3.11/site-packages/urllib3/connectionpool.py:1056: InsecureRequestWarning: Unverified HTTPS request is being made to host 'cilogon.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
objc[79165]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[79165]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state
@ashtongraves

Happening with me on 2.16.2:

ansible --version
ansible [core 2.16.2]
  config file = None
  configured module search path = ['/Users/ashton/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/9.1.0/libexec/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/ashton/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.1 (main, Dec  7 2023, 20:45:44) [Clang 15.0.0 (clang-1500.0.40.1)] (/opt/homebrew/Cellar/ansible/9.1.0/libexec/bin/python)
  jinja version = 3.1.3
  libyaml = True
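
An added pre-flight check, not part of the issue thread or of the collection's code: it reads the OIDC auth-provider entries of an already-parsed kubeconfig, decodes each id-token's `exp` claim to tell whether a client would have to take the refresh path reported above, and notes whether a CA for the identity provider is configured, which is worth checking given the InsecureRequestWarning for cilogon.org in the log. The function names, the sample user and the sample token are constructed for illustration.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_exp(token):
    """Return the numeric 'exp' claim of a JWT (signature NOT verified), else None."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
        return exp if isinstance(exp, (int, float)) else None
    except (IndexError, ValueError, AttributeError):
        return None

def check_oidc_users(kubeconfig: dict, now: float, skew: int = 60) -> list:
    """Per OIDC user: is a refresh due, and is a CA for the IdP configured?"""
    findings = []
    for user in kubeconfig.get("users") or []:
        provider = (user.get("user") or {}).get("auth-provider") or {}
        if provider.get("name") != "oidc":
            continue
        cfg = provider.get("config") or {}
        exp = jwt_exp(cfg.get("id-token"))
        findings.append({
            "user": user.get("name"),
            "issuer": cfg.get("idp-issuer-url"),
            # An unreadable token counts as expired so the caller re-authenticates.
            "needs_refresh": exp is None or exp <= now + skew,
            "has_refresh_token": bool(cfg.get("refresh-token")),
            "idp_ca_configured": bool(cfg.get("idp-certificate-authority")
                                      or cfg.get("idp-certificate-authority-data")),
        })
    return findings

def make_sample(exp: int) -> dict:
    """Constructed kubeconfig fragment (as parsed from YAML); token is unsigned sample data."""
    body = _b64url(json.dumps({"iss": "https://cilogon.org", "exp": exp}).encode())
    token = ".".join([_b64url(b"{}"), body, "sig"])
    config = {"id-token": token, "refresh-token": "constructed",
              "idp-issuer-url": "https://cilogon.org"}
    return {"users": [{"name": "sample-user",
                       "user": {"auth-provider": {"name": "oidc", "config": config}}}]}

if __name__ == "__main__":
    now = time.time()
    print(check_oidc_users(make_sample(int(now) - 3600), now))
```

For a real kubeconfig, parse the file first (for example with `yaml.safe_load`) and pass the resulting dict; the check only reads the token and never sends it anywhere.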
