Hey everyone:D I'd like to get json with lists of pods from openshift. I'm using :
Node[] nodes = template.getForObject("[url_address]/api/v1/nodes", Node[].class);
but its need authentication, so how to solve this problemm. Any idea??
The authorization requires a valid bearer token, default kubernetes client library should use service account mounted to pod to attempt to authenticate properly. It is likely that you either do not use the client lib that does that for you or have no proper serviceaccount bound to the pod (or SA has no access granted to required resources).
For that you may want to just add the access rights to the default account for this project.
https://docs.openshift.com/container-platform/3.3/admin_solutions/user_role_mgmt.html
Related
When sending request to api, it throws NPE at api.listPodForAllNamespaces step. Could you please advise, what should be the correct configuration here?
As the error says:
pods is forbidden: User \"system:serviceaccount:sds-test:default\" cannot list resource \"pods\"
This means that the service account default in the namespace sds-test does not have the appropriate permissions to list pods. You are probably not specifying a service account when you deploy. K8s will automatically assign you the default service account.
You need to create a ServiceAccount. Grant it the required access using a Role and RoleBinding. Then update your Deployment/Pod to use your newly created ServiceAccount. Details of which can be found here
I am trying to connect to Azure KeyVault from my locally running Spring Boot Application. I can't keep those secrets to be saved in keyvault in different properties or yaml during dev, because my application will generate and delete so many secrets and tokens to be saved in keyvault in the run time.
I am aware of the process in which we can create an Azure service principal from your application registration. And use
azure.keyvault.client-id
azure.keyvault.client-key
in application.properties to connect.
But it may not be allowed to be created Azure service principal in our case. So is there any way to connect to key vault using MSI from locally running SpringBoot application.
using MSI_ENDPOINT
and MSI_SECRET
So is there any way to connect to key vault using MSI from locally running SpringBoot application.
using MSI_ENDPOINT and MSI_SECRET
I don't think you can use MSI_ENDPOINT and MSI_SECRET get the token in local, it just works when the web app published in the cloud.
But it may not be allowed to be created Azure service principal in our case.
As you know, you can use the service principal client id and secret(key) to access the keyvault. Actually, when enabling the MSI of the web app, it will create a service principal in your Azure AD tenant automatically. So you can just use the client id and secret of it.
Navigate to the portal -> Azure Active Directory -> Enterprise applications -> search for your web app name(select the Application Type with All Applications), then you get the client id(application id).
Note: Remember to check the object id of the service principal with that in your web app -> Identity, make sure you use the correct one.
For the service principal secret, you could create it via powershell like below(your account need the admin role Application administrator or Global administrator in your AAD tenant).
New-AzureADServicePrincipalPasswordCredential -ObjectId <service principal object id>
Then you will be able to access the keyvault with the client id and secret. For details in java, you can refer to this link.
You can't get it using those variables because locally there is no Azure AD Identity Registered on your local machine and as such Microsoft didn't build any MSI emulator so no variables will be set.
I can recommend what Microsoft did in their .NET library
Run Azure CLI and log in
In code check for variables and if they don't exist then run CLI command
az account get-access-token --resource 'https://vault.azure.net'
In CLI simply log into either principal or your account. Make sure to add this account/your account to KeyVault policy.
I know it's weird but I you can even check it HERE on their GitHub.
I might have an article that will help you in case you want more details
https://marczak.io/posts/2019/07/securing-websites-with-msi/
I'm deploying my java application in openshift project. I have created service account, but now I dont know how to obtain token for this account inside my java application, that relates to this account.
I'm using openshift java rest client v.6.1.1. My authorization looks like
Client client = new ClientBuilder(KEY_SERVER_URL).build();
client.getAuthorizationContext().setToken(System.getenv(TOKEN));
and it seems unsecure to pass token as environment variable.
Can you help me with obtaining AuthorizationContext using service account, related to this application?
The token for the service account is mounted inside the pod and can be read from /var/run/secrets/kubernetes.io/serviceaccount/token
I am using google app engine and google datastore.
I am using the google library
com.google.cloud.datastore.Datastore
My sample code is:
Datastore datastore = DatastoreOptions.getDefaultInstance().getService();
Key taskKey = datastore.newKeyFactory().setKind(entityName).newKey(id);
//populate some fields....
datastore.put(task);
I am using spring-boot and jetty as a container.
On local, it is working properly and the data updated in the google datastore.
The issue is when im deploying the app to the google-app-engine, im getting the Below exception when i get to datastore.put method.
com.google.cloud.datastore.DatastoreException: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.translate(HttpDatastoreRpc.java:129)
com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.commit(HttpDatastoreRpc.java:155)
com.google.cloud.datastore.DatastoreImpl$4.call(DatastoreImpl.java:485)
Note: in both, on local environment and google-app-engine, i defined the environment variable GOOGLE_APPLICATION_CREDENTIALS that point to json file with all required credentials generated by google API.
According to the documentation for connecting to Datastore from App Engine in Java, there are several options available, so you can either go with Objectify (third party library), Datastore API or Datastore Client Library.
With the usage of Client Libraries, you must know that they make use of the Application Default Credentials, in such a way that, as documented, if the environment variable GOOGLE_APPLICATION_CREDENTIALS, ADC uses the default service account that App Engine provides for applications running over that service. So in your case, I think you should not define the environment variable, so that App Engine uses its default Service Account.
if you still struggling with com.google.cloud.datastore.DatastoreException: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. you can set credentials explicitly, like it is shown in the example below:
Resource credentialsCyberpower = resourceLoader.getResource("classpath:yourservice-datastore-access.json");
GoogleCredentials credentials = GoogleCredentials.fromStream(credentialsCyberpower.getInputStream())
.createScoped(Lists.newArrayList("https://www.googleapis.com/auth/cloud-platform"));
DatastoreOptions options =
DatastoreOptions.newBuilder().setProjectId("XXXXXX").setCredentials(credentials).build();
Datastore datastore = options.getService();
ObjectifyService.init(new ObjectifyFactory(datastore));
generate yourservice-datastore-access.json in IAM service accounts. working with Objectify 6.0.5
If you are using <url-stream-handler>urlfetch</url-stream-handler> with Java8 and Objectify 6 you will have to switch into native and enable billing.
I was hit by this issue recently and spend a lot of time on fixing the problem, more info can be found here
I've worked through the examples for performing OOB OAuth2 connections and it works fine from my laptop.
The challenge I'm having is that it fires up a browser, asking me to verify if I want to grant access for my app to the documents in question. From then on it stores my credential set in a local file and continues to work just fine.
The use case I have is that I have a number of departments in my company that want to leverage Google Docs spreadsheets for reporting. I then want to be able to run a program on a server (from a cron job) that can scrape this data and build an aggregated report for all departments.
I had intended on creating a "reporting user" that is granted read access to all of the documents in question, then run the report process using that identity.
I tried running it on my laptop, then copying the stored credentials to my server for it to use. But it seems those credentials are tied to the machine and so it forces a new verification flow via browser.
Any suggestions on how to work with the auth flow for Google Drive to allow me to do what I need?
TIA
Rather than needing to grant some user read-only access to all docs, I'd suggest using a service account which has been granted read-only access to all of your Google Apps domain user's docs:
https://developers.google.com/drive/delegation
use:
https://www.googleapis.com/auth/drive.readonly
as the OAuth scope that you grant the service account access to in the Control Panel. That way if the server is compromised you've limited access to read-only.
Create GoogleCredential with p12 file from API console (API Access > Create Another Client ID > Service Account etc):
GoogleCredential.Builder#setServiceAccountPrivateKeyFromP12File(File)
more info on Service Accounts
The other answers are better than this, but you can always get a set of credentials and save them in a file for reuse. Getting the credentials could be done with a web browser, but only once, and then your server could use them forever (as long as you request offline access and get a refresh token).