Re: Cronjob: Failed to pull image "...": unauthorized: authentication required

2017-06-13 Thread Philippe Lafoucrière
Answering myself:

https://github.com/openshift/origin/issues/13161
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: oauth token info

2017-06-13 Thread Andrew Lau
Thanks! That's what I was looking for.

On Wed, 14 Jun 2017 at 01:37 Clayton Coleman  wrote:

> /oauth/info should return info about the token you pass as Authorization:
> Bearer
>
> On Mon, Jun 12, 2017 at 9:38 PM, Andrew Lau  wrote:
>
>> Is there an endpoint to retrieve the current token information?
>>
>> ie. /oapi/v1/users/~ seems to be an undocumented way to get the current
>> user information. I'm looking to obtain the expiry time on the current
>> token being used.
>>


Re: oauth token info

2017-06-13 Thread Aleksandar Lazic
Hi Andrew Lau.

On Tuesday, 13 June 2017 at 12:14 was written:

Normal users can't query those endpoints



That's true.

I think then the easiest way is to use

https://jwt.io/ or
https://github.com/auth0/jwt-decode

Regards
Aleks





On Tue, 13 Jun 2017 at 17:46 Aleksandar Lazic  wrote:




Hi Andrew Lau.

On Tuesday, 13 June 2017 at 03:38 was written:





Is there an endpoint to retrieve the current token information?

ie. /oapi/v1/users/~ seems to be an undocumented way to get the current user information. I'm looking to obtain the expiry time on the current token being used.


Is the https://jwt.io/ not an option?

You can try this sequence

Search for the token if you don't know the token, only the userName.
curl -k -v -H "Accept: application/json, */*" -H "User-Agent: oc/v3.4.1.18 (linux/amd64) openshift/0f9d380" -H "Authorization: Bearer ${AUTH_TOKEN}" "MASTER_URL/oapi/v1/oauthaccesstokens?pretty=true"

Get information about a token, also expiresIn
curl -k -v -H "Accept: application/json, */*" -H "User-Agent: oc/v3.4.1.18 (linux/amd64) openshift/0f9d380" -H "Authorization: Bearer ${AUTH_TOKEN}" "MASTER_URL/oapi/v1/oauthaccesstokens/{metadata.name}?pretty=true"


I have found this in https://docs.openshift.org/latest/rest_api/openshift_v1.html at

GET /oapi/v1/oauthaccesstokens/{name}

Hth



-- 
Best Regards
Aleks








-- 
Best Regards
Aleks




Re: Cronjob: Failed to pull image "...": unauthorized: authentication required

2017-06-13 Thread Philippe Lafoucrière
ps: the image is an imageStream in the same namespace.


Re: origin 1.2 bad certificate

2017-06-13 Thread Andrew Butcher
Hey Julio,

Setting openshift_ip as a host level variable within inventory will
override the IP that is selected by default for etcd hosts (IP of the
default route).
playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml can be used
to replace the etcd certificates with the overridden IP value.

For example, set openshift_ip for each etcd host within inventory:

[etcd]
host1.example.com openshift_ip=192.168.122.43
host2.example.com openshift_ip=192.168.122.44
host3.example.com openshift_ip=192.168.122.45


On Tue, Jun 13, 2017 at 9:19 AM, Julio Saura  wrote:

> more clues
>
> etcd nodes have two ips, public and private
>
> for some reason OpenShift is creating the certificates using the public ip
> instead of private
>
> so connecting to etcd gives me an error saying certificate is generated
> to this IP and not to that IP
>
> so it fails for that reason after re generating them
>
> any clue ?
>
> best regards
>
>
>
> On 13 Jun 2017, at 13:53, Julio Saura wrote:
>
> more info
>
> i managed to connect with curl to the etcd server and queried about
> controller keys
>
> {"action":"get","node":{"key":"/openshift.io/leases/controllers","value":"master-lyy7bxfg","expiration":"2017-05-31T10:26:28.833756573Z","ttl":-1128220,"modifiedIndex":20547532,"createdIndex":18120566}
>
>
> looks like what is expired is the key on the etcd database..
>
> how can i solve this?
>
> best regards
>
>
>
> On 13 Jun 2017, at 13:46, Julio Saura wrote:
>
> sorry about wget
>
> connecting to etcd nodes using openssl and passing client certs looks good
>
> openssl s_client -cert master.etcd-client.crt  -key master.etcd-client.key
> -connect etcd-node1:2379 -debug
>
> connects without problem
>
> but api service does not
>
>
> Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613
> 15:25:04.9978612391 leaderlease.go:69] unable to check lease
> openshift.io/leases/controllers: 501: All the given peers are not
> reachable (failed to propose on members [https://etcd-node02l:2379
> https:/etcd-node01:2379] twice [last error: Put
> https://etcd-node02:2379/v2/keys/openshift.io/leases/
> controllers?prevExist=false: remote error: bad certificate
>
>
> *Julio Saura Alejandre*
> *Head of Managed Services*
> *hiberus* TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com
>
> We grow with you
> This message is sent from the Hiberus mail platform. This message and any
> documents attached to it are addressed exclusively to its recipient and may
> contain privileged or confidential information. If you are not the intended
> recipient, you are hereby notified that use, disclosure and/or copying
> without authorization is prohibited under current legislation. Anyone who
> receives it in error is therefore informed that the information it contains
> is confidential and that its unauthorized use is legally prohibited; in that
> case we ask you to notify us by e-mail or telephone, to refrain from copying
> the message or forwarding or delivering it to third parties, and to return
> it to its sender and/or destroy it immediately.
>
> On 13 Jun 2017, at 13:28, Julio Saura wrote:
>
> Hello
>
> i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly
> they did expire
>
> i followed the doc regarding this and after update my openshift-ansible i
> got the needed playbook
>
> after running em i see etcd certs and ca are updated on my nodes, and
> dumping them with openssl looks good.
>
> ansible-playbook -v -i /etc/ansible/hosts ./playbooks/byo/openshift-
> cluster/redeploy-certificates.yml
>
> i see the ca and certs have been updated nicely on my etcd nodes, they do
> start but i still get bad certificate when api/master tries to connect to
> etcd
>
> i did check connecting with wget for example but it says bad certificate
>
> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate
>
> any clue? my cluster is down right now :/
>
> best regards
>
>
>
>
>


Re: origin 1.2 bad certificate

2017-06-13 Thread Julio Saura
more clues

etcd nodes have two ips, public and private

for some reason OpenShift is creating the certificates using the public ip
instead of private

so connecting to etcd gives me an error saying certificate is generated to
this IP and not to that IP

so it fails for that reason after re generating them

any clue ?

best regards



> On 13 Jun 2017, at 13:53, Julio Saura wrote:
> 
> more info
> 
> i managed to connect with curl to the etcd server and queried about 
> controller keys
> 
> {"action":"get","node":{"key":"/openshift.io/leases/controllers","value":"master-lyy7bxfg","expiration":"2017-05-31T10:26:28.833756573Z","ttl":-1128220,"modifiedIndex":20547532,"createdIndex":18120566}
> 
> 
> looks like what is expired is the key on the etcd database..
> 
> how can i solve this?
> 
> best regards
> 
> 
> 
>> On 13 Jun 2017, at 13:46, Julio Saura wrote:
>> 
>> sorry about wget
>> 
>> connecting to etcd nodes using openssl and passing client certs looks good
>> 
>> openssl s_client -cert master.etcd-client.crt  -key master.etcd-client.key 
>> -connect etcd-node1:2379 -debug
>> 
>> connects without problem
>> 
>> but api service does not
>> 
>> 
>> Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613 
>> 15:25:04.9978612391 leaderlease.go:69] unable to check lease 
>> openshift.io/leases/controllers: 501: All the given peers are not reachable 
>> (failed to propose on members [https://etcd-node02l:2379 
>> https:/etcd-node01:2379] twice [last error: Put 
>> https://etcd-node02:2379/v2/keys/openshift.io/leases/controllers?prevExist=false:
>>  remote error: bad certificate
>> 
>>> On 13 Jun 2017, at 13:28, Julio Saura wrote:
>>> 
>>> Hello
>>> 
>>> i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly 
>>> they did expire
>>> 
>>> i followed the doc regarding this and after update my openshift-ansible i 
>>> got the needed playbook
>>> 
>>> after running em i see etcd certs and ca are updated on my nodes, and 
>>> dumping them with openssl looks good.
>>> 
>>> ansible-playbook -v -i /etc/ansible/hosts 
>>> ./playbooks/byo/openshift-cluster/redeploy-certificates.yml
>>> 
>>> i see the ca and certs have been updated nicely on my etcd nodes, they do 
>>> start but i still get bad certificate when api/master tries to connect to 
>>> etcd
>>> 
>>> i did check connecting with wget for example but it says bad certificate
>>> 
>>> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
>>> certificate
>>> 
>>> any clue? my cluster is down right now :/
>>> 
>>> best regards
>>> 
>> 
> 



Cronjob: Failed to pull image "...": unauthorized: authentication required

2017-06-13 Thread Philippe Lafoucrière
Hi,

I created a cronJob (
https://docs.openshift.com/container-platform/3.5/dev_guide/cron_jobs.html)
in a project on openshift 1.5, and the job fails to start with:

Failed to pull image "...": unauthorized: authentication required

Error syncing pod, skipping: failed to "StartContainer" for "..." with
ErrImagePull: "unauthorized: authentication required"

Back-off pulling image "..."

Any idea why this is not working out of the box?

Thanks


Re: origin 1.2 bad certificate

2017-06-13 Thread Julio Saura
more info

i managed to connect with curl to the etcd server and queried about controller 
keys

{"action":"get","node":{"key":"/openshift.io/leases/controllers","value":"master-lyy7bxfg","expiration":"2017-05-31T10:26:28.833756573Z","ttl":-1128220,"modifiedIndex":20547532,"createdIndex":18120566}


looks like what is expired is the key on the etcd database..

how can i solve this?

best regards



> On 13 Jun 2017, at 13:46, Julio Saura wrote:
> 
> sorry about wget
> 
> connecting to etcd nodes using openssl and passing client certs looks good
> 
> openssl s_client -cert master.etcd-client.crt  -key master.etcd-client.key 
> -connect etcd-node1:2379 -debug
> 
> connects without problem
> 
> but api service does not
> 
> 
> Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613 
> 15:25:04.9978612391 leaderlease.go:69] unable to check lease 
> openshift.io/leases/controllers: 501: All the given peers are not reachable 
> (failed to propose on members [https://etcd-node02l:2379 
> https:/etcd-node01:2379] twice [last error: Put 
> https://etcd-node02:2379/v2/keys/openshift.io/leases/controllers?prevExist=false:
>  remote error: bad certificate
> 
>> On 13 Jun 2017, at 13:28, Julio Saura wrote:
>> 
>> Hello
>> 
>> i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly 
>> they did expire
>> 
>> i followed the doc regarding this and after update my openshift-ansible i 
>> got the needed playbook
>> 
>> after running em i see etcd certs and ca are updated on my nodes, and 
>> dumping them with openssl looks good.
>> 
>> ansible-playbook -v -i /etc/ansible/hosts 
>> ./playbooks/byo/openshift-cluster/redeploy-certificates.yml
>> 
>> i see the ca and certs have been updated nicely on my etcd nodes, they do 
>> start but i still get bad certificate when api/master tries to connect to 
>> etcd
>> 
>> i did check connecting with wget for example but it says bad certificate
>> 
>> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
>> certificate
>> 
>> any clue? my cluster is down right now :/
>> 
>> best regards
>> 
> 



Re: origin 1.2 bad certificate

2017-06-13 Thread Julio Saura
sorry about wget

connecting to etcd nodes using openssl and passing client certs looks good

openssl s_client -cert master.etcd-client.crt  -key master.etcd-client.key 
-connect etcd-node1:2379 -debug

connects without problem

but api service does not


Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613 
15:25:04.9978612391 leaderlease.go:69] unable to check lease 
openshift.io/leases/controllers: 501: All the given peers are not reachable 
(failed to propose on members [https://etcd-node02l:2379 
https:/etcd-node01:2379] twice [last error: Put 
https://etcd-node02:2379/v2/keys/openshift.io/leases/controllers?prevExist=false:
 remote error: bad certificate



> On 13 Jun 2017, at 13:28, Julio Saura wrote:
> 
> Hello
> 
> i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly 
> they did expire
> 
> i followed the doc regarding this and after update my openshift-ansible i got 
> the needed playbook
> 
> after running em i see etcd certs and ca are updated on my nodes, and dumping 
> them with openssl looks good.
> 
> ansible-playbook -v -i /etc/ansible/hosts 
> ./playbooks/byo/openshift-cluster/redeploy-certificates.yml
> 
> i see the ca and certs have been updated nicely on my etcd nodes, they do 
> start but i still get bad certificate when api/master tries to connect to etcd
> 
> i did check connecting with wget for example but it says bad certificate
> 
> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
> certificate
> 
> any clue? my cluster is down right now :/
> 
> best regards
> 



origin 1.2 bad certificate

2017-06-13 Thread Julio Saura
Hello

i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly they 
did expire

i followed the doc regarding this and after update my openshift-ansible i got 
the needed playbook

after running em i see etcd certs and ca are updated on my nodes, and dumping 
them with openssl looks good.

ansible-playbook -v -i /etc/ansible/hosts 
./playbooks/byo/openshift-cluster/redeploy-certificates.yml

i see the ca and certs have been updated nicely on my etcd nodes, they do start 
but i still get bad certificate when api/master tries to connect to etcd

i did check connecting with wget for example but it says bad certificate

OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

any clue? my cluster is down right now :/

best regards




Re: oauth token info

2017-06-13 Thread Aleksandar Lazic
Hi Andrew Lau.

On Tuesday, 13 June 2017 at 03:38 was written:

Is there an endpoint to retrieve the current token information?

ie. /oapi/v1/users/~ seems to be an undocumented way to get the current user information. I'm looking to obtain the expiry time on the current token being used.



Is the https://jwt.io/ not an option?

You can try this sequence

Search for the token if you don't know the token, only the userName.
curl -k -v -H "Accept: application/json, */*" -H "User-Agent: oc/v3.4.1.18 (linux/amd64) openshift/0f9d380" -H "Authorization: Bearer ${AUTH_TOKEN}" "MASTER_URL/oapi/v1/oauthaccesstokens?pretty=true"

Get information about a token, also expiresIn
curl -k -v -H "Accept: application/json, */*" -H "User-Agent: oc/v3.4.1.18 (linux/amd64) openshift/0f9d380" -H "Authorization: Bearer ${AUTH_TOKEN}" "MASTER_URL/oapi/v1/oauthaccesstokens/{metadata.name}?pretty=true"


I have found this in https://docs.openshift.org/latest/rest_api/openshift_v1.html at

GET /oapi/v1/oauthaccesstokens/{name}

Hth


-- 
Best Regards
Aleks
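
Added example, not part of the original post and not OpenShift project code: working out the expiry time from the objects the two curl calls above return, as metadata.creationTimestamp plus expiresIn seconds, for every token belonging to one userName. The sample list, user names, the fixed "now", and the handling of a missing or zero expiresIn are assumptions; metadata.name is shown only as a prefix on the assumption that it can be used as a bearer token.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the list returned by the first curl call
# (GET /oapi/v1/oauthaccesstokens). Names, users and times are made up.
SAMPLE_LIST = json.loads("""
{"kind": "OAuthAccessTokenList", "apiVersion": "v1", "items": [
  {"metadata": {"name": "EXAMPLE-TOKEN-AAAA", "creationTimestamp": "2017-06-12T09:00:00Z"},
   "userName": "alice", "expiresIn": 86400},
  {"metadata": {"name": "EXAMPLE-TOKEN-BBBB", "creationTimestamp": "2017-06-13T08:00:00Z"},
   "userName": "alice", "expiresIn": 86400},
  {"metadata": {"name": "EXAMPLE-TOKEN-CCCC", "creationTimestamp": "2017-06-13T10:00:00Z"},
   "userName": "bob", "expiresIn": 86400}
]}
""")


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamp used in metadata.creationTimestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def token_expiry(token):
    """Expiry = creationTimestamp + expiresIn seconds; None if expiresIn is absent or 0."""
    expires_in = token.get("expiresIn")
    if not expires_in:  # assumption: treated here as "no expiry recorded"
        return None
    return parse_ts(token["metadata"]["creationTimestamp"]) + timedelta(seconds=expires_in)


def redact(name, keep=8):
    """Show only a prefix: the object name may be usable as a credential (assumption)."""
    return name[:keep] + "..." if len(name) > keep else name


def tokens_for_user(token_list, user_name, now):
    """Return the user's tokens, soonest expiry first, with remaining lifetime in seconds."""
    rows = []
    for tok in token_list.get("items", []):
        if tok.get("userName") != user_name:
            continue
        expiry = token_expiry(tok)
        remaining = None if expiry is None else int((expiry - now).total_seconds())
        rows.append({
            "name": redact(tok["metadata"]["name"]),
            "expires_at": expiry,
            "remaining_seconds": remaining,
            "expired": remaining is not None and remaining <= 0,
        })
    rows.sort(key=lambda r: (r["remaining_seconds"] is None, r["remaining_seconds"] or 0))
    return rows


if __name__ == "__main__":
    fixed_now = datetime(2017, 6, 13, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    for row in tokens_for_user(SAMPLE_LIST, "alice", fixed_now):
        print(row["name"], row["expires_at"], row["remaining_seconds"], row["expired"])
```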

