Basic Auth not working for fabric8:apply

[Jay Mann]

Hi All,

I'm using version 2.2.115 of the fabric8 plugin, and setting the following environment variables before calling mvn json:appy.

KUBERNETES_AUTH_BASIC_USERNAME=jmandawg

KUBERNETES_AUTH_BASIC_PASSWORD=secret$

But it's not picking it up, i get the following error:

[ERROR] Failed to execute goal io.fabric8:fabric8-maven-plugin:2.2.115:apply (default-cli) on project booty: Failure executing: GET at: https://myserver:8443/api/v1/namespaces/dev-xxx-tmp. Message: User "system:anonymous" cannot get namespaces in project "dev-xxx-tmp". Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=namespaces, name=dev-xxx-tmp, retryAfterSeconds=null, additionalProperties={}), kind=Status, message=User "system:anonymous" cannot get namespaces in project "dev-xxx-tmp", metadata=ListMeta(resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}). -> [Help 1]

I have no clue where it's picking up "system:anonymous" from.

This is running inside jenkins so we don't want to rely on calling oc login first.  We don't want to have to install oc on the jenkins box either.

[James Strachan]

If you're using OpenShift then it should be using the OAuth automatically without you having to specify any of those KUBERNETES auth environment variables.

I suspect the issue is related to the ServiceAccount for jenkins not having access to the 'dev-xxx-tmp' namespace. 

Typically its easiest to run Jenkins (and cd-pipeline as a whole) inside your development project (dev-xxx-tmp) so that your jenkins can see and work with your development environment

--
You received this message because you are subscribed to the Google Groups "fabric8" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fabric8+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

James
-------
Red Hat

Twitter: @jstrachan
Email: james.s...@gmail.com

Blog: https://medium.com/@jstrachan/

fabric8: http://fabric8.io/

open source microservices platform

[Jay Mann]

Unfortunately our requirement is to run jenkins outside of openshift.  

Can you tell me what i need to set so that the fabric8-maven-plugin (which uses kubernetes-client) will pass in the username & password credentials (since we are NOT using the "oc login" and .kube files)?

Thanks.

-J

[Jimmi Dyson]

Try setting the environment variables `KUBERNETES_AUTH_BASIC_USERNAME` & `KUBERNETES_AUTH_BASIC_PASSWORD`. These should be picked up by fabric8's kubernetes-client that the plugin uses under the hood.

--

[Jimmi Dyson]

Sorry didn't read the opening mail! Hmm can you raise an issue please so we can investigate more? Those env vars should work fine.

On Fri, 20 May 2016 at 18:18 Jay Mann <jmand...@gmail.com> wrote:

--

[Jay Mann]

I got it to a point where i can debug it, and i see it going into the httpclient interceptor in HttpClientUtils.java and it has the username and password set:

public Response intercept(Chain chain) throws IOException {

                        Request authReq = chain.request().newBuilder().addHeader("Authorization", Credentials.basic(config.getUsername(), config.getPassword())).build();

                        return chain.proceed(authReq);

                    }

Is there anything we have to do on the Openshift server to enable basic authentication?

-J

[Jimmi Dyson]

I've not used basic authentication personally with OpenShift but there are some details at https://docs.openshift.com/enterprise/3.1/install_config/configuring_authentication.html#BasicAuthPasswordIdentityProvider which might be useful.

[Jay Mann]

I found it in the guide: https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#BasicAuthPasswordIdentityProvider

I need to confirm with the individual who controls the server, will post back with results.

Thanks,

John