community.okd.openshift_route module – Expose a Service as an OpenShift Route.
Note
This module is part of the community.okd collection (version 2.2.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.okd
.
To use it in a playbook, specify: community.okd.openshift_route
.
New in version 0.3.0: of community.okd
Synopsis
Looks up a Service and creates a new Route based on it.
Analogous to oc expose and oc create route for creating Routes, but does not support creating Services.
For creating Services from other resources, see kubernetes.core.k8s.
Requirements
The below requirements are needed on the host that executes this module.
python >= 3.6
kubernetes >= 12.0.0
PyYAML >= 3.11
Parameters
Parameter |
Comments |
---|---|
Specify the Route Annotations. A set of key: value pairs. |
|
Token used to authenticate with the API. Can also be specified via K8S_AUTH_API_KEY environment variable. |
|
Path to a CA certificate used to authenticate with the API. The full certificate chain must be provided to avoid certificate validation errors. Can also be specified via K8S_AUTH_SSL_CA_CERT environment variable. |
|
Path to a certificate used to authenticate with the API. Can also be specified via K8S_AUTH_CERT_FILE environment variable. |
|
Path to a key file used to authenticate with the API. Can also be specified via K8S_AUTH_KEY_FILE environment variable. |
|
The name of a context found in the config file. Can also be specified via K8S_AUTH_CONTEXT environment variable. |
|
If set to Choices:
|
|
Provide a URL for accessing the API. Can also be specified via K8S_AUTH_HOST environment variable. |
|
The hostname for the Route. |
|
Group(s) to impersonate for the operation. Can also be specified via K8S_AUTH_IMPERSONATE_GROUPS environment. Example: Group1,Group2 |
|
Username to impersonate for the operation. Can also be specified via K8S_AUTH_IMPERSONATE_USER environment. |
|
Path to an existing Kubernetes config file. If not provided, and no other connection options are provided, the Kubernetes client will attempt to load the default configuration file from ~/.kube/config. Can also be specified via K8S_AUTH_KUBECONFIG environment variable. The kubernetes configuration can be provided as dictionary. This feature requires a python kubernetes client version >= 17.17.0. Added in version 2.2.0. |
|
Specify the labels to apply to the created Route. A set of key: value pairs. |
|
The desired name of the Route to be created. Defaults to the value of service |
|
The namespace of the resource being targeted. The Route will be created in this namespace as well. |
|
The comma separated list of hosts/domains/IP/CIDR that shouldn’t go through proxy. Can also be specified via K8S_AUTH_NO_PROXY environment variable. Please note that this module does not pick up typical proxy settings from the environment (e.g. NO_PROXY). This feature requires kubernetes>=19.15.0. When kubernetes library is less than 19.15.0, it fails even no_proxy set in correct. example value is “localhost,.local,.example.com,127.0.0.1,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16” |
|
Provide a password for authenticating with the API. Can also be specified via K8S_AUTH_PASSWORD environment variable. Please read the description of the |
|
The path for the Route |
|
Whether or not to save the kube config refresh tokens. Can also be specified via K8S_AUTH_PERSIST_CONFIG environment variable. When the k8s context is using a user credentials with refresh tokens (like oidc or gke/gcloud auth), the token is refreshed by the k8s python client library but not saved by default. So the old refresh token can expire and the next auth might fail. Setting this flag to true will tell the k8s python client to save the new refresh token to the kube config file. Default to false. Please note that the current version of the k8s python client library does not support setting this flag to True yet. The fix for this k8s python library is here: https://github.com/kubernetes-client/python-base/pull/169 Choices:
|
|
Name or number of the port the Route will route traffic to. |
|
The URL of an HTTP proxy to use for the connection. Can also be specified via K8S_AUTH_PROXY environment variable. Please note that this module does not pick up typical proxy settings from the environment (e.g. HTTP_PROXY). |
|
The Header used for the HTTP proxy. Documentation can be found here https://urllib3.readthedocs.io/en/latest/reference/urllib3.util.html?highlight%3Dproxy_headers#urllib3.util.make_headers. |
|
Colon-separated username:password for basic authentication header. Can also be specified via K8S_AUTH_PROXY_HEADERS_BASIC_AUTH environment. |
|
Colon-separated username:password for proxy basic authentication header. Can also be specified via K8S_AUTH_PROXY_HEADERS_PROXY_BASIC_AUTH environment. |
|
String representing the user-agent you want, such as foo/1.0. Can also be specified via K8S_AUTH_PROXY_HEADERS_USER_AGENT environment. |
|
The name of the service to expose. Required when state is not absent. |
|
Determines if an object should be created, patched, or deleted. When set to Choices:
|
|
The termination type of the Route. If left empty no termination type will be set, and the route will be insecure. When set to insecure tls will be ignored. Choices:
|
|
TLS configuration for the newly created route. Only used when termination is set. |
|
Path to a CA certificate file on the target host. Not supported when termination is set to passthrough. |
|
Path to a certificate file on the target host. Not supported when termination is set to passthrough. |
|
Path to a CA certificate file used for securing the connection. Only used when termination is set to reencrypt. Defaults to the Service CA. |
|
Sets the InsecureEdgeTerminationPolicy for the Route. Not supported when termination is set to reencrypt. When termination is set to passthrough, only redirect is supported. If not provided, insecure traffic will be disallowed. Choices:
|
|
Path to a key file on the target host. Not supported when termination is set to passthrough. |
|
Provide a username for authenticating with the API. Can also be specified via K8S_AUTH_USERNAME environment variable. Please note that this only works with clusters configured to use HTTP Basic Auth. If your cluster has a different form of authentication (e.g. OAuth2 in OpenShift), this option will not work as expected and you should look into the community.okd.k8s_auth module, as that might do what you need. |
|
Whether or not to verify the API server’s SSL certificates. Can also be specified via K8S_AUTH_VERIFY_SSL environment variable. Choices:
|
|
Whether to wait for certain resource kinds to end up in the desired state. By default the module exits once Kubernetes has received the request. Implemented for For resource kinds without an implementation, Choices:
|
|
Specifies a custom condition on the status to wait for. Ignored if |
|
The value of the reason field in your desired condition For example, if a The possible reasons in a condition are specific to each resource type in Kubernetes. See the API documentation of the status field for a given resource to see possible choices. |
|
The value of the status field in your desired condition. For example, if a Choices:
|
|
The type of condition to wait for. For example, the Required if you are specifying a If left empty, the The possible types for a condition are specific to each resource type in Kubernetes. See the API documentation of the status field for a given resource to see possible choices. |
|
Number of seconds to sleep between checks. Default: 5 |
|
How long in seconds to wait for the resource to end up in the desired state. Ignored if Default: 120 |
|
The wildcard policy for the hostname. Currently only Subdomain is supported. If not provided, the default of None will be used. Choices:
|
Notes
Note
To avoid SSL certificate validation errors when
validate_certs
is True, the full certificate chain for the API server must be provided viaca_cert
or in the kubeconfig file.
Examples
- name: Create hello-world deployment
community.okd.k8s:
definition:
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello-kubernetes
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: hello-kubernetes
template:
metadata:
labels:
app: hello-kubernetes
spec:
containers:
- name: hello-kubernetes
image: paulbouwer/hello-kubernetes:1.8
ports:
- containerPort: 8080
- name: Create Service for the hello-world deployment
community.okd.k8s:
definition:
apiVersion: v1
kind: Service
metadata:
name: hello-kubernetes
namespace: default
spec:
ports:
- port: 80
targetPort: 8080
selector:
app: hello-kubernetes
- name: Expose the insecure hello-world service externally
community.okd.openshift_route:
service: hello-kubernetes
namespace: default
insecure_policy: allow
annotations:
haproxy.router.openshift.io/balance: roundrobin
register: route
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
elapsed time of task in seconds Returned: when Sample: 48 |
|
The Route object that was created or updated. Will be empty in the case of deletion. Returned: success |
|
The versioned schema of this representation of an object. Returned: success |
|
Represents the REST resource this object represents. Returned: success |
|
Standard object metadata. Includes name, namespace, annotations, labels, etc. Returned: success |
|
The name of the created Route Returned: success |
|
The namespace of the create Route Returned: success |
|
Specification for the Route Returned: success |
|
Host is an alias/DNS that points to the service. Returned: success |
|
Path that the router watches for, to route traffic for to the service. Returned: success |
|
Defines a port mapping from a router to an endpoint in the service endpoints. Returned: success |
|
The target port on pods selected by the service this route points to. Returned: success |
|
Defines config used to secure a route and provide termination. Returned: success |
|
Provides the cert authority certificate contents. Returned: success |
|
Provides certificate contents. Returned: success |
|
Provides the contents of the ca certificate of the final destination. Returned: success |
|
Indicates the desired behavior for insecure connections to a route. Returned: success |
|
Provides key file contents. Returned: success |
|
Indicates termination type. Returned: success |
|
Specifies the target that resolve into endpoints. Returned: success |
|
The kind of target that the route is referring to. Currently, only ‘Service’ is allowed. Returned: success |
|
Name of the service/target that is being referred to. e.g. name of the service. Returned: success |
|
Specifies the target’s relative weight against other target reference objects. Returned: success |
|
Wildcard policy if any for the route. Returned: success |
|
Current status details for the Route Returned: success |
|
List of places where the route may be exposed. Returned: success |
|
Array of status conditions for the Route ingress. Returned: success |
|
The status of the condition. Can be True, False, Unknown. Returned: success |
|
The type of the condition. Currently only ‘Ready’. Returned: success |
|
The host string under which the route is exposed. Returned: success |
|
The external host name for the router that can be used as a CNAME for the host requested for this route. May not be set. Returned: success |
|
A name chosen by the router to identify itself. Returned: success |
|
The wildcard policy that was allowed where this route is exposed. Returned: success |
Authors
Fabian von Feilitzsch (@fabianvf)