community.okd.k8s – Manage OpenShift objects

Note

This plugin is part of the community.okd collection (version 1.0.0).

To install it use: ansible-galaxy collection install community.okd.

To use it in a playbook, specify: community.okd.k8s.

Synopsis

  • Use the OpenShift Python client to perform CRUD operations on K8s objects.

  • Pass the object definition from a source file or inline. See examples for reading files and using Jinja templates or vault-encrypted files.

  • Access to the full range of K8s APIs.

  • Use the k8s_info module to obtain a list of items about an object of type kind

  • Authenticate using either a config file, certificates, password or token.

  • Supports check mode.

  • Optimized for OKD/OpenShift Kubernetes flavors

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.7

  • openshift >= 0.6

  • PyYAML >= 3.11

Parameters

Parameter Choices/Defaults Comments
api_key
string
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable.
api_version
string
Default:
"v1"
Use to specify the API version.
Use to create, delete, or discover an object without providing a full resource definition.
Use in conjunction with kind, name, and namespace to identify a specific object.
If resource definition is provided, the apiVersion value from the resource_definition will override this option.

aliases: api, version
append_hash
boolean
    Choices:
  • no
  • yes
Whether to append a hash to a resource name for immutability purposes
Applies only to ConfigMap and Secret resources
The parameter will be silently ignored for other resource kinds
The full definition of an object is needed to generate the hash - this means that deleting an object created with append_hash will only work if the same object is passed with state=absent (alternatively, just use state=absent with the name including the generated hash and append_hash=no)
apply
boolean
    Choices:
  • no
  • yes
apply compares the desired resource definition with the previously supplied resource definition, ignoring properties that are automatically generated
apply works better with Services than 'force=yes'
mutually exclusive with merge_type
ca_cert
path
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable.

aliases: ssl_ca_cert
client_cert
path
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable.

aliases: cert_file
client_key
path
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable.

aliases: key_file
context
string
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable.
force
boolean
    Choices:
  • no ←
  • yes
If set to yes, and state is present, an existing object will be replaced.
host
string
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable.
kind
string
Use to specify an object model.
Use to create, delete, or discover an object without providing a full resource definition.
Use in conjunction with api_version, name, and namespace to identify a specific object.
If resource definition is provided, the kind value from the resource_definition will override this option.
kubeconfig
path
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the openshift client will attempt to load the default configuration file from ~/.kube/config.json. Can also be specified via K8S_AUTH_KUBECONFIG environment variable.
merge_type
list / elements=string
    Choices:
  • json
  • merge
  • strategic-merge
Whether to override the default patch merge approach with a specific type. By default, the strategic merge will typically be used.
For example, Custom Resource Definitions typically aren't updatable by the usual strategic merge. You may want to use merge if you see "strategic merge patch format is not supported"
Requires openshift >= 0.6.2
If more than one merge_type is given, the merge_types will be tried in order
If openshift >= 0.6.2, this defaults to ['strategic-merge', 'merge'], which is ideal for using the same parameters on resource kinds that combine Custom Resources and built-in resources. For openshift < 0.6.2, the default is simply strategic-merge.
mutually exclusive with apply
name
string
Use to specify an object name.
Use to create, delete, or discover an object without providing a full resource definition.
Use in conjunction with api_version, kind and namespace to identify a specific object.
If resource definition is provided, the metadata.name value from the resource_definition will override this option.
namespace
string
Use to specify an object namespace.
Useful when creating, deleting, or discovering an object without providing a full resource definition.
Use in conjunction with api_version, kind, and name to identify a specific object.
If resource definition is provided, the metadata.namespace value from the resource_definition will override this option.
password
string
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable.
Please read the description of the username option for a discussion of when this option is applicable.
persist_config
boolean
    Choices:
  • no
  • yes
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable.
When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file.
Default to false.
Please note that the current version of the k8s python client library does not support setting this flag to True yet.
The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169
proxy
string
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable.
Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY).
resource_definition
string
Provide a valid YAML definition (either as a string, list, or dict) for an object when creating or updating.
NOTE: kind, api_version, name, and namespace will be overwritten by corresponding values found in the provided resource_definition.

aliases: definition, inline
src
path
Provide a path to a file containing a valid YAML definition of an object or objects to be created or updated. Mutually exclusive with resource_definition. NOTE: kind, api_version, name, and namespace will be overwritten by corresponding values found in the configuration read in from the src file.
Reads from the local file system. To read from the Ansible controller's file system, including vaulted files, use the file lookup plugin or template lookup plugin, combined with the from_yaml filter, and pass the result to resource_definition. See Examples below.
Mutually exclusive with template in case of k8s module.
state
string
    Choices:
  • absent
  • present ←
Determines if an object should be created, patched, or deleted. When set to present, an object will be created, if it does not already exist. If set to absent, an existing object will be deleted. If set to present, an existing object will be patched, if its attributes differ from those specified using resource_definition or src.
username
string
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable.
Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the k8s_auth module, as that might do what you need.
validate
dictionary
how (if at all) to validate the resource definition against the kubernetes schema. Requires the kubernetes-validate python module
fail_on_error
boolean
    Choices:
  • no
  • yes
whether to fail on validation errors.
strict
boolean
    Choices:
  • no
  • yes ←
whether to fail when passing unexpected properties
version
string
version of Kubernetes to validate against. defaults to Kubernetes server version
validate_certs
boolean
    Choices:
  • no
  • yes
Whether or not to verify the API server's SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable.

aliases: verify_ssl
wait
boolean
    Choices:
  • no ←
  • yes
Whether to wait for certain resource kinds to end up in the desired state. By default the module exits once Kubernetes has received the request
Implemented for state=present for Deployment, DaemonSet and Pod, and for state=absent for all resource kinds.
For resource kinds without an implementation, wait returns immediately unless wait_condition is set.
wait_condition
dictionary
Specifies a custom condition on the status to wait for. Ignored if wait is not set or is set to False.
reason
string
The value of the reason field in your desired condition
For example, if a Deployment is paused, The Progressing type will have the DeploymentPaused reason.
The possible reasons in a condition are specific to each resource type in Kubernetes. See the API documentation of the status field for a given resource to see possible choices.
status
string
    Choices:
  • True ←
  • False
  • Unknown
The value of the status field in your desired condition.
For example, if a Deployment is paused, the Progressing type will have the Unknown status.
type
string
The type of condition to wait for. For example, the Pod resource will set the Ready condition (among others)
Required if you are specifying a wait_condition. If left empty, the wait_condition field will be ignored.
The possible types for a condition are specific to each resource type in Kubernetes. See the API documentation of the status field for a given resource to see possible choices.
wait_sleep
integer
Default:
5
Number of seconds to sleep between checks.
wait_timeout
integer
Default:
120
How long in seconds to wait for the resource to end up in the desired state. Ignored if wait is not set.

Notes

Note

  • If your OpenShift Python library is not 0.9.0 or newer and you are trying to remove an item from an associative array/dictionary, for example a label or an annotation, you will need to explicitly set the value of the item to be removed to null. Simply deleting the entry in the dictionary will not remove it from openshift or kubernetes.

  • The OpenShift Python client wraps the K8s Python client, providing full access to all of the APIS and models available on both platforms. For API version details and additional information visit https://github.com/openshift/openshift-restclient-python

  • To avoid SSL certificate validation errors when validate_certs is True, the full certificate chain for the API server must be provided via ca_cert or in the kubeconfig file.

Examples

- name: Create a k8s namespace
  community.okd.k8s:
    name: testing
    api_version: v1
    kind: Namespace
    state: present

- name: Create a Service object from an inline definition
  community.okd.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        name: web
        namespace: testing
        labels:
          app: galaxy
          service: web
      spec:
        selector:
          app: galaxy
          service: web
        ports:
        - protocol: TCP
          targetPort: 8000
          name: port-8000-tcp
          port: 8000

- name: Remove an existing Service object
  community.okd.k8s:
    state: absent
    api_version: v1
    kind: Service
    namespace: testing
    name: web

# Passing the object definition from a file

- name: Create a Deployment by reading the definition from a local file
  community.okd.k8s:
    state: present
    src: /testing/deployment.yml

- name: >-
    Read definition file from the Ansible controller file system.
    If the definition file has been encrypted with Ansible Vault it will automatically be decrypted.
  community.okd.k8s:
    state: present
    definition: "{{ lookup('file', '/testing/deployment.yml') | from_yaml }}"

- name: Read definition file from the Ansible controller file system after Jinja templating
  community.okd.k8s:
    state: present
    definition: "{{ lookup('template', '/testing/deployment.yml') | from_yaml }}"

- name: fail on validation errors
  community.okd.k8s:
    state: present
    definition: "{{ lookup('template', '/testing/deployment.yml') | from_yaml }}"
    validate:
      fail_on_error: yes

- name: warn on validation errors, check for unexpected properties
  community.okd.k8s:
    state: present
    definition: "{{ lookup('template', '/testing/deployment.yml') | from_yaml }}"
    validate:
      fail_on_error: no
      strict: yes

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
result
complex
success
The created, patched, or otherwise present object. Will be empty in the case of a deletion.

 
api_version
string
success
The versioned schema of this representation of an object.

 
duration
integer
when wait is true
elapsed time of task in seconds

Sample:
48
 
items
list / elements=string
when resource_definition or src contains list of objects
Returned only when multiple yaml documents are passed to src or resource_definition

 
kind
string
success
Represents the REST resource this object represents.

 
metadata
complex
success
Standard object metadata. Includes name, namespace, annotations, labels, etc.

 
spec
complex
success
Specific attributes of the object. Will vary based on the api_version and kind.

 
status
complex
success
Current status details for the object.



Authors

  • Chris Houseknecht (@chouseknecht)

  • Fabian von Feilitzsch (@fabianvf)