redhat-actions / oc-login Goto Github PK

I just noticed that:

oc login --token=<token> --server=<server>

sets a namespace in kubeconfig.

but:

 - name: Authenticate and set context
        uses: redhat-actions/oc-login@v1

        with:
          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

does not.

Resulting in different behavior - and in case of openshift sandbox it means oc login works and I can deploy, but oc login with github action I end up in the wrong place.

Workaround is to set namespace explicitly but I would expect the two would/should behave the same ?

Similar to redhat-actions/push-to-registry#51

if the workflow is using a self-hosted runner, a user would likely want to log out after their oc workflow finishes.

Version

redhat-actions/[email protected]

Describe the bug

Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: redhat-actions/oc-login@v1. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
 

Steps to reproduce, workflow links, screenshots

Any attempt to use the actions should show this warning.

Version

redhat-actions/[email protected]

Describe the bug

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: redhat-actions/openshift-tools-installer, redhat-actions/oc-login

Steps to reproduce, workflow links, screenshots

Any attempt to use the actions should show this warning.
I already reported in 2 other actions that apparently also used deprecated versions of Node.js. here & here

It should exit as soon as the token login failed.

Version

redhat-actions/oc-login@v1

with: oc_version: '3.11.374' or any 3.x actually

Describe the bug

It seems that by default, the oc-login action will use the --current flag when setting the context.

Unfortunately, --current does not exist in oc config set-context v3

The action should not try to set --current when used in conjuntion with oc v3.

Steps to reproduce, workflow links, screenshots

Use the action with:

      - name: Install oc
        uses: redhat-actions/oc-installer@v1
        with:
          oc_version: '3.11.374'


      - name: Authenticate and set context
        uses: Actions/oc-login@v1
        with:
          # URL to your OpenShift cluster.
          # Refer to Step 2.
          openshift_server_url:  ${{ env.OPENSHIFT_URL }}
          # Authentication Token. Can use username and password instead.
          # Refer to Step 3.
          openshift_token: ${{ env.OC_TOKEN }}
          # Optional - this sets your Kubernetes context's current namespace after logging in.
          namespace: ${{ env.OPENSHIFT_NAMESPACE }}

and you'll get:

*** Suppressing command output
Set current context's namespace to "myns"
/usr/local/bin/oc config set-context --current --namespace=myns
Error: unknown flag: --current


Usage:
  oc config set-context NAME [--cluster=cluster_nickname] [--user=user_nickname] [--namespace=namespace] [flags]

Examples:
  # Set the user field on the gce context entry without touching other values
  oc config set-context gce --user=cluster-admin

Use "oc options" for a list of global command-line options (applies to all commands).

Error: Error: oc exited with code 1
Error: unknown flag: --current

Workaround:

don't set the optional namespace ; context won't be set to a given namespace, but at least login will succeed

Question

Hello, I am trying to setup an action that will oc-login with TLS enabled. I am passing in certificate_authority_data from a repository secret, which contains the certificate data from the tls.crt field from openshift-service-ca/signing-key secret from the cluster.

Running oc-login with the parameters I pass to the action works fine, however I'm always met with error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections. when running from the action.

Would I need to populate the certificate data with something else?

Context

Step snippet

  - name: Authenticate and set context
    uses: redhat-actions/oc-login@v1
    with:
      openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
      openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
      certificate_authority_data: ${{ secrets.CA_DATA }}
      namespace: ci-test

The secret CA_DATA contains the certificate in it's standard format like so:

-----BEGIN CERTIFICATE-----
            ***
-----END CERTIFICATE-----

Is your feature request related to a problem? Please describe.

As pointed out in the OpenShift documentation on how to use a service account, see step #2 of the section titled "Using a service account’s credentials externally". The API token generated for service account allows login using only the token, omitting the server url.

Describe the solution you'd like

It would be nice if the input openshift_server_url of this action was optional.

Describe alternatives you've considered

Alternative is to put the server url, which is more likely to change than the token itself in our use case.

Additional context

Please close this bug