date:20171019

Re: service account for rest api

2017-10-19 Thread Frederic Giloux

Julio,

have you tried the command with higer log level as per my previous email?
# oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
--loglevel=8
This gives you the successful rest call, which is made by the OC client to
the API server. You can then check whether it differs from your curl.

Regards,

Frédéric

On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura  wrote:

> headers look ok in curl request
>
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@
> STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * NPN, negotiated HTTP1.1
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> * Server certificate:
> *  subject: CN=10.1.5.31
> *  start date: Sep 21 11:19:56 2017 GMT
> *  expire date: Sep 21 11:19:57 2019 GMT
> *  issuer: CN=openshift-signer@1505992768
> *  SSL certificate verify result: self signed certificate in certificate
> chain (19), continuing anyway.
> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
> > Host: BALANCER:8443
> > User-Agent: curl/7.56.0
> > Accept: */*
> *> Authorization: Bearer
> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ*
> > Content-Type: application/json
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: no-store
> < Content-Type: application/json
> < Date: Fri, 20 Oct 2017 06:28:52 GMT
> < Content-Length: 295
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list
> replicationcontrollers in project \"ldp\"",
>   "reason": "Forbidden",
>   "details": {
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
>
>
> El 19 oct 2017, a las 18:17, Frederic Giloux 
> escribió:
>
> Very good. The issue is with your curl. Next step run the same command
> with --loglevel=8 and check the queries that are sent to the API server.
>
> Regards,
>
> Frédéric
>
> On 19 Oct 2017 18:11, "Julio Saura"  wrote:
>
>> umm that works …
>>
>> weird
>>
>> *Julio Saura Alejandre*
>> *Responsable Servicios Gestionados*
>> *hiberus* TRAVEL
>> Tel.: + 34 902 87 73 92 Ext. 659 <+34%20902%2087%2073%2092>
>> Parque Empresarial PLAZA
>> Edificio EXPOINNOVACIÓN
>> C/. Bari 25 
>> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
>> www.hiberus.com
>>
>> Crecemos contigo
>> Este mensaje se envía desde la plataforma de correo de Hiberus Este
>> mensaje y los documentos que, en su caso, lleve anexos, se dirigen
>> exclusivamente a su destinatario y pueden contener información privilegiada
>> o confidencial. Si tú no eres el destinatario indicado, queda notificado de
>> que la utilización, divulgación y/o copia sin autorización está prohibida
>> en virtud de la legislación vigente. Por ello, se informa a quien lo reciba
>> por error, que la información contenida en el mismo es reservada y su uso
>> no autorizado está prohibido legalmente, por lo que en tal caso te rogamos
>> que nos lo comuniques vía e-mail o teléfono, te abstengas de realizar
>> copias del mensaje o remitirlo o entregarlo a terceras personas y procedas
>> a devolverlo a su emisor y/o destruirlo de inmediato.
>>
>> El 19 oct 2017, a las 18:01, Frederic Giloux 
>> escribió:
>>
>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>>
>>
>>
>


-- 
*Frédéric Giloux*
Senior Middleware Consultant
Red Hat Germany

fgil...@redhat.com M: +49-174-172-4661

redhat.com | TRI

Re: service account for rest api

2017-10-19 Thread Julio Saura

headers look ok in curl request

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: CN=10.1.5.31
*  start date: Sep 21 11:19:56 2017 GMT
*  expire date: Sep 21 11:19:57 2019 GMT
*  issuer: CN=openshift-signer@1505992768
*  SSL certificate verify result: self signed certificate in certificate chain 
(19), continuing anyway.
> GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
> Host: BALANCER:8443
> User-Agent: curl/7.56.0
> Accept: */*
> Authorization: Bearer 
> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ
> Content-Type: application/json
>
< HTTP/1.1 403 Forbidden
< Cache-Control: no-store
< Content-Type: application/json
< Date: Fri, 20 Oct 2017 06:28:52 GMT
< Content-Length: 295
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:ldp:inciga\" cannot list 
replicationcontrollers in project \"ldp\"",
  "reason": "Forbidden",
  "details": {
"kind": "replicationcontrollers"
  },
  "code": 403
}




> El 19 oct 2017, a las 18:17, Frederic Giloux  escribió:
> 
> Very good. The issue is with your curl. Next step run the same command with 
> --loglevel=8 and check the queries that are sent to the API server. 
> 
> Regards, 
> 
> Frédéric 
> 
> On 19 Oct 2017 18:11, "Julio Saura"  > wrote:
> umm that works …
> 
> weird
> 
> Julio Saura Alejandre
> Responsable Servicios Gestionados
> hiberus TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659 
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25  
> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com 
> Crecemos contigo
> 
> Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
> los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
> destinatario y pueden contener información privilegiada o confidencial. Si tú 
> no eres el destinatario indicado, queda notificado de que la utilización, 
> divulgación y/o copia sin autorización está prohibida en virtud de la 
> legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
> información contenida en el mismo es reservada y su uso no autorizado está 
> prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
> vía e-mail o teléfono, te abstengas de realizar copias del mensaje o 
> remitirlo o entregarlo a terceras personas y procedas a devolverlo a su 
> emisor y/o destruirlo de inmediato.
> 
>> El 19 oct 2017, a las 18:01, Frederic Giloux > > escribió:
>> 
>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Julio Saura

compiled last stable curl version

same problem

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:project1:inciga\" cannot list 
replicationcontrollers in project \”project1\"",
  "reason": "Forbidden",
  "details": {
"kind": "replicationcontrollers"
  },
  "code": 403
}

curl-7.56.0

this is weird

> El 19 oct 2017, a las 19:23, Hiberus  escribió:
> 
> Yikes !!
> 
> I will check tomorrow 
> 
> Ty!
> 
> El 19 oct 2017, a las 18:16, Cesar Wong  > escribió:
> 
>> 
>> Julio, 
>> 
>> Depending on your version of curl, you may be hitting this:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1260178 
>> 
>> 
>> On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura > > wrote:
>> umm that works …
>> 
>> weird
>> 
>> Julio Saura Alejandre
>> Responsable Servicios Gestionados
>> hiberus TRAVEL
>> Tel.: + 34 902 87 73 92 Ext. 659
>> Parque Empresarial PLAZA
>> Edificio EXPOINNOVACIÓN
>> C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
>> www.hiberus.com 
>> Crecemos contigo
>> 
>> Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje 
>> y los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a 
>> su destinatario y pueden contener información privilegiada o confidencial. 
>> Si tú no eres el destinatario indicado, queda notificado de que la 
>> utilización, divulgación y/o copia sin autorización está prohibida en virtud 
>> de la legislación vigente. Por ello, se informa a quien lo reciba por error, 
>> que la información contenida en el mismo es reservada y su uso no autorizado 
>> está prohibido legalmente, por lo que en tal caso te rogamos que nos lo 
>> comuniques vía e-mail o teléfono, te abstengas de realizar copias del 
>> mensaje o remitirlo o entregarlo a terceras personas y procedas a devolverlo 
>> a su emisor y/o destruirlo de inmediato.
>> 
>>> El 19 oct 2017, a las 18:01, Frederic Giloux >> > escribió:
>>> 
>>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Julio Saura

tried

no luck :(


Julio Saura Alejandre
Responsable Servicios Gestionados
hiberus TRAVEL
Tel.: + 34 902 87 73 92 Ext. 659
Parque Empresarial PLAZA
Edificio EXPOINNOVACIÓN
C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
www.hiberus.com 
Crecemos contigo

Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
destinatario y pueden contener información privilegiada o confidencial. Si tú 
no eres el destinatario indicado, queda notificado de que la utilización, 
divulgación y/o copia sin autorización está prohibida en virtud de la 
legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
información contenida en el mismo es reservada y su uso no autorizado está 
prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
vía e-mail o teléfono, te abstengas de realizar copias del mensaje o remitirlo 
o entregarlo a terceras personas y procedas a devolverlo a su emisor y/o 
destruirlo de inmediato.

> El 19 oct 2017, a las 21:40, Luke Meyer  escribió:
> 
> oc policy add-role-to-user admin

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Hiberus

Hello

I tried with view and cluster-admin too. No luck

Guess is the curl issue

Ty!

> El 19 oct 2017, a las 21:40, Luke Meyer  escribió:
> 
> 
> 
>> On Thu, Oct 19, 2017 at 10:58 AM, Julio Saura  wrote:
>> yes ofc
>> 
>> oc create serviceaccount icinga -n project1
>> 
>> oadm policy add-cluster-role-to-user admin 
>> system:serviceaccounts:project1:icinga
> 
> There is no cluster role "admin" (... by default anyway, you could of course 
> create one).
> 
> You probably wanted `oc policy add-role-to-user admin ...` to make the user 
> an admin of the project.
> 
> Unless you actually wanted them to be an admin of the entire cluster, in 
> which case the role is cluster-admin not admin.
> 
>  
>> 
>> oadm policy reconcile-cluster-roles —confirm
>> 
>> and then dump the token
>> 
>> oc serviceaccounts get-token icing
>> 
>> 
>> ty frederic!
>> 
>> i do login with curl but i get 
>> 
>> {
>>   "kind": "Status",
>>   "apiVersion": "v1",
>>   "metadata": {},
>>   "status": "Failure",
>>   "message": "User \"system:serviceaccount:project1:icinga\" cannot list 
>> replicationcontrollers in project \”project1\"",
>>   "reason": "Forbidden",
>>   "details": {
>> "kind": "replicationcontrollers"
>>   },
>>   "code": 403
>> }
>> 
>> 
>> 
>> 
>> 
>>> El 19 oct 2017, a las 16:55, Frederic Giloux  escribió:
>>> 
>>> Hi Julio, 
>>> 
>>> Could you copy the commands you have used?
>>> 
>>> Regards, 
>>> 
>>> Frédéric 
>>> 
 On 19 Oct 2017 11:43, "Julio Saura"  wrote:
 Hello
 
 i am trying to create a sa for accessing rest api with token ..
 
 i have followed the doc steps
 
 creating the account, applying admin role to that account and getting the 
 token
 
 trying to access replicacioncontroller info with bearer in curl, i can 
 auth into but i get i have no permission to list rc on the project
 
 i also did a reconciliate role on cluster
 
 i also logged in with oc login passing token as parameter, i log in but it 
 says i have no projects ..
 
 what else i am missing?
 
 ty
 
 
 
 ___
 users mailing list
 users@lists.openshift.redhat.com
 http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> 
>> 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> 
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Luke Meyer

On Thu, Oct 19, 2017 at 10:58 AM, Julio Saura  wrote:

> yes ofc
>
> oc create serviceaccount icinga -n project1
>
> oadm policy add-cluster-role-to-user admin system:serviceaccounts:
> project1:icinga
>

There is no cluster role "admin" (... by default anyway, you could of
course create one).

You probably wanted `oc policy add-role-to-user admin ...` to make the user
an admin of the project.

Unless you actually wanted them to be an admin of the entire cluster, in
which case the role is cluster-admin not admin.



>
> oadm policy reconcile-cluster-roles —confirm
>
> and then dump the token
>
> oc serviceaccounts get-token icing
>
>
> ty frederic!
>
> i do login with curl but i get
>
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:icinga\" cannot list
> replicationcontrollers in project \”project1\"",
>   "reason": "Forbidden",
>   "details": {
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
>
>
>
> El 19 oct 2017, a las 16:55, Frederic Giloux 
> escribió:
>
> Hi Julio,
>
> Could you copy the commands you have used?
>
> Regards,
>
> Frédéric
>
> On 19 Oct 2017 11:43, "Julio Saura"  wrote:
>
>> Hello
>>
>> i am trying to create a sa for accessing rest api with token ..
>>
>> i have followed the doc steps
>>
>> creating the account, applying admin role to that account and getting the
>> token
>>
>> trying to access replicacioncontroller info with bearer in curl, i can
>> auth into but i get i have no permission to list rc on the project
>>
>> i also did a reconciliate role on cluster
>>
>> i also logged in with oc login passing token as parameter, i log in but
>> it says i have no projects ..
>>
>> what else i am missing?
>>
>> ty
>>
>>
>>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Hiberus

Yikes !!

I will check tomorrow 

Ty!

> El 19 oct 2017, a las 18:16, Cesar Wong  escribió:
> 
> 
> Julio, 
> 
> Depending on your version of curl, you may be hitting this:
> https://bugzilla.redhat.com/show_bug.cgi?id=1260178
> 
> On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura  wrote:
> umm that works …
> 
> weird
> 
> Julio Saura Alejandre
> Responsable Servicios Gestionados
> hiberus TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com
> Crecemos contigo
> 
> Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
> los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
> destinatario y pueden contener información privilegiada o confidencial. Si tú 
> no eres el destinatario indicado, queda notificado de que la utilización, 
> divulgación y/o copia sin autorización está prohibida en virtud de la 
> legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
> información contenida en el mismo es reservada y su uso no autorizado está 
> prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
> vía e-mail o teléfono, te abstengas de realizar copias del mensaje o 
> remitirlo o entregarlo a terceras personas y procedas a devolverlo a su 
> emisor y/o destruirlo de inmediato.
> 
>> El 19 oct 2017, a las 18:01, Frederic Giloux  escribió:
>> 
>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Frederic Giloux

Very good. The issue is with your curl. Next step run the same command with
--loglevel=8 and check the queries that are sent to the API server.

Regards,

Frédéric

On 19 Oct 2017 18:11, "Julio Saura"  wrote:

> umm that works …
>
> weird
>
> *Julio Saura Alejandre*
> *Responsable Servicios Gestionados*
> *hiberus* TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659 <+34%20902%2087%2073%2092>
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25 
> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com
>
> Crecemos contigo
> Este mensaje se envía desde la plataforma de correo de Hiberus Este
> mensaje y los documentos que, en su caso, lleve anexos, se dirigen
> exclusivamente a su destinatario y pueden contener información privilegiada
> o confidencial. Si tú no eres el destinatario indicado, queda notificado de
> que la utilización, divulgación y/o copia sin autorización está prohibida
> en virtud de la legislación vigente. Por ello, se informa a quien lo reciba
> por error, que la información contenida en el mismo es reservada y su uso
> no autorizado está prohibido legalmente, por lo que en tal caso te rogamos
> que nos lo comuniques vía e-mail o teléfono, te abstengas de realizar
> copias del mensaje o remitirlo o entregarlo a terceras personas y procedas
> a devolverlo a su emisor y/o destruirlo de inmediato.
>
> El 19 oct 2017, a las 18:01, Frederic Giloux 
> escribió:
>
> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Cesar Wong

Julio,

Depending on your version of curl, you may be hitting this: 
https://bugzilla.redhat.com/show_bug.cgi?id=1260178 
[https://bugzilla.redhat.com/show_bug.cgi?id=1260178]
On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura  wrote:
umm that works …
weird
Julio Saura Alejandre Responsable Servicios Gestionados hiberus TRAVEL Tel.: + 
34 902 87 73 92 Ext. 659 Parque Empresarial PLAZA Edificio EXPOINNOVACIÓN C/. 
Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza www.hiberus.com 
[http://www.hiberus.com]Crecemos contigo

Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
destinatario y pueden contener información privilegiada o confidencial. Si tú 
no eres el destinatario indicado, queda notificado de que la utilización, 
divulgación y/o copia sin autorización está prohibida en virtud de la 
legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
información contenida en el mismo es reservada y su uso no autorizado está 
prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
vía e-mail o teléfono, te abstengas de realizar copias del mensaje o remitirlo 
o entregarlo a terceras personas y procedas a devolverlo a su emisor y/o 
destruirlo de inmediato.
El 19 oct 2017, a las 18:01, Frederic Giloux < fgil...@redhat.com 
[fgil...@redhat.com] > escribió:
oc get rc -n project1 --as=system:serviceaccounts:project1:inciga___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Julio Saura

umm that works …

weird

Julio Saura Alejandre
Responsable Servicios Gestionados
hiberus TRAVEL
Tel.: + 34 902 87 73 92 Ext. 659
Parque Empresarial PLAZA
Edificio EXPOINNOVACIÓN
C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
www.hiberus.com 
Crecemos contigo

Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
destinatario y pueden contener información privilegiada o confidencial. Si tú 
no eres el destinatario indicado, queda notificado de que la utilización, 
divulgación y/o copia sin autorización está prohibida en virtud de la 
legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
información contenida en el mismo es reservada y su uso no autorizado está 
prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
vía e-mail o teléfono, te abstengas de realizar copias del mensaje o remitirlo 
o entregarlo a terceras personas y procedas a devolverlo a su emisor y/o 
destruirlo de inmediato.

> El 19 oct 2017, a las 18:01, Frederic Giloux  escribió:
> 
> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Frederic Giloux

You can try the following: oc get rc -n project1
--as=system:serviceaccounts:project1:inciga

On 19 Oct 2017 17:51, "Julio Saura"  wrote:

> typo yes sorry
>
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)"
>  -H "Content-Type: application/json" https://MASTER_BALANCER_IP:8443/api/
> v1/namespaces/project1/replicationcontrollers
> 
>  —insecure
>
>
>
> is not project1 really i change the project name when i write the email
> sorry
>
>
>
> *Julio Saura Alejandre*
> *Responsable Servicios Gestionados*
> *hiberus* TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659 <+34%20902%2087%2073%2092>
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25 
> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com
>
> Crecemos contigo
> Este mensaje se envía desde la plataforma de correo de Hiberus Este
> mensaje y los documentos que, en su caso, lleve anexos, se dirigen
> exclusivamente a su destinatario y pueden contener información privilegiada
> o confidencial. Si tú no eres el destinatario indicado, queda notificado de
> que la utilización, divulgación y/o copia sin autorización está prohibida
> en virtud de la legislación vigente. Por ello, se informa a quien lo reciba
> por error, que la información contenida en el mismo es reservada y su uso
> no autorizado está prohibido legalmente, por lo que en tal caso te rogamos
> que nos lo comuniques vía e-mail o teléfono, te abstengas de realizar
> copias del mensaje o remitirlo o entregarlo a terceras personas y procedas
> a devolverlo a su emisor y/o destruirlo de inmediato.
>
> El 19 oct 2017, a las 17:49, Frederic Giloux 
> escribió:
>
> Hi Julio
>
> I don't know whether that's a typo when you wrote the email but you get
> the sa token from project and request rc from project1.
>
> Regards,
>
> Frédéric
>
>
> On 19 Oct 2017 17:41, "Julio Saura"  wrote:
>
> typed same command than you
>
> still not working
>
> i have 3 masters balanced .. maybe is that
>
> i am doing the curl against the balancer..
>
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project)"
>  -H "Content-Type: application/json" https://MASTER_BALANCER_IP:844
> 3/api/v1/namespaces/project1/replicationcontrollers
> 
> --insecure
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:inciga\" cannot list
> replicationcontrollers in project \"project1\"",
>   "reason": "Forbidden",
>   "details": {
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
> *Julio Saura Alejandre*
> *Responsable Servicios Gestionados*
> *hiberus* TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659 <+34%20902%2087%2073%2092>
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25 
> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com
>
> Crecemos contigo
> Este mensaje se envía desde la plataforma de correo de Hiberus Este
> mensaje y los documentos que, en su caso, lleve anexos, se dirigen
> exclusivamente a su destinatario y pueden contener información privilegiada
> o confidencial. Si tú no eres el destinatario indicado, queda notificado de
> que la utilización, divulgación y/o copia sin autorización está prohibida
> en virtud de la legislación vigente. Por ello, se informa a quien lo reciba
> por error, que la información contenida en el mismo es reservada y su uso
> no autorizado está prohibido legalmente, por lo que en tal caso te rogamos
> que nos lo comuniques vía e-mail o teléfono, te abstengas de realizar
> copias del mensaje o remitirlo o entregarlo a terceras personas y procedas
> a devolverlo a su emisor y/o destruirlo de inmediato.
>
> El 19 oct 2017, a las 17:29, Frederic Giloux 
> escribió:
>
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)"
> -H "Content-Type: application/json" https://192.
> 168.42.199:8443/api/v1/namespaces/project1/replicationcontrollers
>
>
>
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Julio Saura

typo yes sorry

> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)"  -H 
> "Content-Type: application/json" 
> https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers
>  
> 
>  —insecure


is not project1 really i change the project name when i write the email sorry



Julio Saura Alejandre
Responsable Servicios Gestionados
hiberus TRAVEL
Tel.: + 34 902 87 73 92 Ext. 659
Parque Empresarial PLAZA
Edificio EXPOINNOVACIÓN
C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
www.hiberus.com 
Crecemos contigo

Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
destinatario y pueden contener información privilegiada o confidencial. Si tú 
no eres el destinatario indicado, queda notificado de que la utilización, 
divulgación y/o copia sin autorización está prohibida en virtud de la 
legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
información contenida en el mismo es reservada y su uso no autorizado está 
prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
vía e-mail o teléfono, te abstengas de realizar copias del mensaje o remitirlo 
o entregarlo a terceras personas y procedas a devolverlo a su emisor y/o 
destruirlo de inmediato.

> El 19 oct 2017, a las 17:49, Frederic Giloux  escribió:
> 
> Hi Julio
> 
> I don't know whether that's a typo when you wrote the email but you get the 
> sa token from project and request rc from project1.
> 
> Regards, 
> 
> Frédéric 
> 
> 
> On 19 Oct 2017 17:41, "Julio Saura"  > wrote:
> typed same command than you
> 
> still not working
> 
> i have 3 masters balanced .. maybe is that
> 
> i am doing the curl against the balancer..
> 
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project)"  -H 
> "Content-Type: application/json" 
> https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers
>  
> 
>  --insecure
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:inciga\" cannot list 
> replicationcontrollers in project \"project1\"",
>   "reason": "Forbidden",
>   "details": {
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
> 
> 
> Julio Saura Alejandre
> Responsable Servicios Gestionados
> hiberus TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659 
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25  
> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com 
> Crecemos contigo
> 
> Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
> los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
> destinatario y pueden contener información privilegiada o confidencial. Si tú 
> no eres el destinatario indicado, queda notificado de que la utilización, 
> divulgación y/o copia sin autorización está prohibida en virtud de la 
> legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
> información contenida en el mismo es reservada y su uso no autorizado está 
> prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
> vía e-mail o teléfono, te abstengas de realizar copias del mensaje o 
> remitirlo o entregarlo a terceras personas y procedas a devolverlo a su 
> emisor y/o destruirlo de inmediato.
> 
>> El 19 oct 2017, a las 17:29, Frederic Giloux > > escribió:
>> 
>> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)"  -H 
>> "Content-Type: application/json" 
>> https://192.168.42.199:8443/api/v1/namespaces/project1/replicationcontrollers
>>  
>> 
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Frederic Giloux

Hi Julio

I don't know whether that's a typo when you wrote the email but you get the
sa token from project and request rc from project1.

Regards,

Frédéric


On 19 Oct 2017 17:41, "Julio Saura"  wrote:

typed same command than you

still not working

i have 3 masters balanced .. maybe is that

i am doing the curl against the balancer..

curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project)"  -H
"Content-Type: application/json" https://MASTER_BALANCER_IP:
8443/api/v1/namespaces/project1/replicationcontrollers

--insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:project1:inciga\" cannot list
replicationcontrollers in project \"project1\"",
  "reason": "Forbidden",
  "details": {
"kind": "replicationcontrollers"
  },
  "code": 403
}


*Julio Saura Alejandre*
*Responsable Servicios Gestionados*
*hiberus* TRAVEL
Tel.: + 34 902 87 73 92 Ext. 659 <+34%20902%2087%2073%2092>
Parque Empresarial PLAZA
Edificio EXPOINNOVACIÓN
C/. Bari 25 
Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
www.hiberus.com

Crecemos contigo
Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje
y los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a
su destinatario y pueden contener información privilegiada o confidencial.
Si tú no eres el destinatario indicado, queda notificado de que la
utilización, divulgación y/o copia sin autorización está prohibida en
virtud de la legislación vigente. Por ello, se informa a quien lo reciba
por error, que la información contenida en el mismo es reservada y su uso
no autorizado está prohibido legalmente, por lo que en tal caso te rogamos
que nos lo comuniques vía e-mail o teléfono, te abstengas de realizar
copias del mensaje o remitirlo o entregarlo a terceras personas y procedas
a devolverlo a su emisor y/o destruirlo de inmediato.

El 19 oct 2017, a las 17:29, Frederic Giloux  escribió:

curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)"
-H "Content-Type: application/json" https://192.168.42.199:8443/api/v1/
namespaces/project1/replicationcontrollers
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Julio Saura

typed same command than you

still not working

i have 3 masters balanced .. maybe is that

i am doing the curl against the balancer..

curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project)"  -H 
"Content-Type: application/json" 
https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers
 --insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:project1:inciga\" cannot list 
replicationcontrollers in project \"project1\"",
  "reason": "Forbidden",
  "details": {
"kind": "replicationcontrollers"
  },
  "code": 403
}


Julio Saura Alejandre
Responsable Servicios Gestionados
hiberus TRAVEL
Tel.: + 34 902 87 73 92 Ext. 659
Parque Empresarial PLAZA
Edificio EXPOINNOVACIÓN
C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
www.hiberus.com 
Crecemos contigo

Este mensaje se envía desde la plataforma de correo de Hiberus Este mensaje y 
los documentos que, en su caso, lleve anexos, se dirigen exclusivamente a su 
destinatario y pueden contener información privilegiada o confidencial. Si tú 
no eres el destinatario indicado, queda notificado de que la utilización, 
divulgación y/o copia sin autorización está prohibida en virtud de la 
legislación vigente. Por ello, se informa a quien lo reciba por error, que la 
información contenida en el mismo es reservada y su uso no autorizado está 
prohibido legalmente, por lo que en tal caso te rogamos que nos lo comuniques 
vía e-mail o teléfono, te abstengas de realizar copias del mensaje o remitirlo 
o entregarlo a terceras personas y procedas a devolverlo a su emisor y/o 
destruirlo de inmediato.

> El 19 oct 2017, a las 17:29, Frederic Giloux  escribió:
> 
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)"  -H 
> "Content-Type: application/json" 
> https://192.168.42.199:8443/api/v1/namespaces/project1/replicationcontrollers 
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Q: Refer to runtime properties from within "templates"?

2017-10-19 Thread Tako Schotanus

Hi,

is it possible in some way to refer to actual runtime values from within an
OpenShift template (I'm calling it templates because I don't know the
official terminology. I'm referring to the json/yaml files that can be
applied using "oc apply" for example).

What I'm really trying to do is to figure out what hostname was used for a
Route that was created using an earlier apply and use it in the template
that is to be applied.

I'm guessing there's no such thing, but I want to make sure before coming
up with some kind of system ourselves to do replacements in template files.

Thanks

-- 

TAKO SCHOTANUS

SENIOR SOFTWARE ENGINEER

Red Hat



___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Frederic Giloux

Hi Julio,

the following works for me:
# oc new-project project1
# oc create serviceaccount inciga -n project1
# oc policy add-role-to-user admin system:serviceaccounts:project1:inciga
-n project1
# curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)"
-H "Content-Type: application/json"
https://192.168.42.199:8443/api/v1/namespaces/project1/replicationcontrollers

Regards,

Frédéric

On Thu, Oct 19, 2017 at 4:58 PM, Julio Saura  wrote:

> yes ofc
>
> oc create serviceaccount icinga -n project1
>
> oadm policy add-cluster-role-to-user admin system:serviceaccounts:
> project1:icinga
>
> oadm policy reconcile-cluster-roles —confirm
>
> and then dump the token
>
> oc serviceaccounts get-token icing
>
>
> ty frederic!
>
> i do login with curl but i get
>
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:icinga\" cannot list
> replicationcontrollers in project \”project1\"",
>   "reason": "Forbidden",
>   "details": {
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
>
>
>
> El 19 oct 2017, a las 16:55, Frederic Giloux 
> escribió:
>
> Hi Julio,
>
> Could you copy the commands you have used?
>
> Regards,
>
> Frédéric
>
> On 19 Oct 2017 11:43, "Julio Saura"  wrote:
>
>> Hello
>>
>> i am trying to create a sa for accessing rest api with token ..
>>
>> i have followed the doc steps
>>
>> creating the account, applying admin role to that account and getting the
>> token
>>
>> trying to access replicacioncontroller info with bearer in curl, i can
>> auth into but i get i have no permission to list rc on the project
>>
>> i also did a reconciliate role on cluster
>>
>> i also logged in with oc login passing token as parameter, i log in but
>> it says i have no projects ..
>>
>> what else i am missing?
>>
>> ty
>>
>>
>>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
>


-- 
*Frédéric Giloux*
Senior Middleware Consultant
Red Hat Germany

fgil...@redhat.com M: +49-174-172-4661

redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted

Red Hat GmbH, http://www.de.redhat.com/ Sitz: Grasbrunn,
Handelsregister: Amtsgericht München, HRB 153243
Geschäftsführer: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Julio Saura

yes ofc

oc create serviceaccount icinga -n project1

oadm policy add-cluster-role-to-user admin 
system:serviceaccounts:project1:icinga

oadm policy reconcile-cluster-roles —confirm

and then dump the token

oc serviceaccounts get-token icing


ty frederic!

i do login with curl but i get 

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:project1:icinga\" cannot list 
replicationcontrollers in project \”project1\"",
  "reason": "Forbidden",
  "details": {
"kind": "replicationcontrollers"
  },
  "code": 403
}





> El 19 oct 2017, a las 16:55, Frederic Giloux  escribió:
> 
> Hi Julio, 
> 
> Could you copy the commands you have used?
> 
> Regards, 
> 
> Frédéric 
> 
> On 19 Oct 2017 11:43, "Julio Saura"  > wrote:
> Hello
> 
> i am trying to create a sa for accessing rest api with token ..
> 
> i have followed the doc steps
> 
> creating the account, applying admin role to that account and getting the 
> token
> 
> trying to access replicacioncontroller info with bearer in curl, i can auth 
> into but i get i have no permission to list rc on the project
> 
> i also did a reconciliate role on cluster
> 
> i also logged in with oc login passing token as parameter, i log in but it 
> says i have no projects ..
> 
> what else i am missing?
> 
> ty
> 
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

2017-10-19 Thread Frederic Giloux

Hi Julio,

Could you copy the commands you have used?

Regards,

Frédéric

On 19 Oct 2017 11:43, "Julio Saura"  wrote:

> Hello
>
> i am trying to create a sa for accessing rest api with token ..
>
> i have followed the doc steps
>
> creating the account, applying admin role to that account and getting the
> token
>
> trying to access replicacioncontroller info with bearer in curl, i can
> auth into but i get i have no permission to list rc on the project
>
> i also did a reconciliate role on cluster
>
> i also logged in with oc login passing token as parameter, i log in but it
> says i have no projects ..
>
> what else i am missing?
>
> ty
>
>
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: authentication required even for pulling images from private registry

2017-10-19 Thread Yu Wei

I fixed the problem by changing setting in registry console.

For my project, change the permissions to "Project access policy allows 
anonymous users to pull images. Grant additional push or admin access to 
specific members below."



Thanks,

Jared, (韦煜）
Software developer
Interested in open source software, big data, Linux


From: Łukasz Strzelec 
Sent: Thursday, October 19, 2017 6:37:46 PM
To: Yu Wei
Cc: users@lists.openshift.redhat.com
Subject: Re: authentication required even for pulling images from private 
registry

Hello:)

I had the same issue. In our ENV we are obligated to use proxy server. Thus we 
put to inventory statements regarding proxy. We forgot to add registry to 
"noproxy" line.  The result was exactly as you pointed.

I hope this may help you or at least  guide to diffrent solution.

Best regards

2017-10-18 19:31 GMT+02:00 Yu Wei 
mailto:yu20...@hotmail.com>>:

Hi,

I setup openshift origin cluster 3.6 and found a problem with private registry.

Image was failed to be pulled by work node with error as below,

rpc error: code = 2 desc = unauthorized: authentication required


However, the registry works well and I also could find the image via 
docker-console.

I installed the cluster via "Advanced installation". It seemed insecure 
registry is not enabled.


How could I check what's wrong in my env?



Thanks,

Jared, (韦煜）
Software developer
Interested in open source software, big data, Linux

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users




--
Ł.S.
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: DNS resolving problem - in pod

2017-10-19 Thread Mateus Caruccio

Alpine's musl libc only supports "search" starting from version 1.1.13.
Check if this is your case.

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-10-19 10:58 GMT-02:00 Cameron Braid :

> I had that happen quite a bit within containers based on alpine linux
>
> Cam
>
> On Thu, 19 Oct 2017 at 23:49 Łukasz Strzelec 
> wrote:
>
>> Dear all :)
>>
>> I have following problem:
>>
>> [image: Obraz w treści 1]
>>
>>
>> Frequently I have to restart origin-node to solve this issue, but I can't
>> find  the root cause of it.
>> Does anybody has got any idea ? Where to start looking ?
>> In addition , this problem is affecting different cluster nodes -
>> randomly diffrent pods have got this issues.
>>
>>
>> Best regards
>> --
>> Ł.S.
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: DNS resolving problem - in pod

2017-10-19 Thread Cameron Braid

I had that happen quite a bit within containers based on alpine linux

Cam

On Thu, 19 Oct 2017 at 23:49 Łukasz Strzelec 
wrote:

> Dear all :)
>
> I have following problem:
>
> [image: Obraz w treści 1]
>
>
> Frequently I have to restart origin-node to solve this issue, but I can't
> find  the root cause of it.
> Does anybody has got any idea ? Where to start looking ?
> In addition , this problem is affecting different cluster nodes - randomly
> diffrent pods have got this issues.
>
>
> Best regards
> --
> Ł.S.
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

DNS resolving problem - in pod

2017-10-19 Thread Łukasz Strzelec

Dear all :)

I have following problem:

[image: Obraz w treści 1]


Frequently I have to restart origin-node to solve this issue, but I can't
find  the root cause of it.
Does anybody has got any idea ? Where to start looking ?
In addition , this problem is affecting different cluster nodes - randomly
diffrent pods have got this issues.


Best regards
-- 
Ł.S.
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: authentication required even for pulling images from private registry

2017-10-19 Thread Łukasz Strzelec

Hello:)

I had the same issue. In our ENV we are obligated to use proxy server. Thus
we put to inventory statements regarding proxy. We forgot to add registry
to "noproxy" line.  The result was exactly as you pointed.

I hope this may help you or at least  guide to diffrent solution.

Best regards

2017-10-18 19:31 GMT+02:00 Yu Wei :

> Hi,
>
> I setup openshift origin cluster 3.6 and found a problem with private
> registry.
>
> Image was failed to be pulled by work node with error as below,
>
> rpc error: code = 2 desc = unauthorized: authentication required
>
>
> However, the registry works well and I also could find the image via
> docker-console.
>
> I installed the cluster via "Advanced installation". It seemed insecure
> registry is not enabled.
>
>
> How could I check what's wrong in my env?
>
>
>
> Thanks,
>
> Jared, (韦煜）
> Software developer
> Interested in open source software, big data, Linux
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>


-- 
Ł.S.
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

service account for rest api

2017-10-19 Thread Julio Saura

Hello

i am trying to create a sa for accessing rest api with token ..

i have followed the doc steps

creating the account, applying admin role to that account and getting the token

trying to access replicacioncontroller info with bearer in curl, i can auth 
into but i get i have no permission to list rc on the project

i also did a reconciliate role on cluster

i also logged in with oc login passing token as parameter, i log in but it says 
i have no projects ..

what else i am missing?

ty



___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Re: authentication required even for pulling images from private registry

2017-10-19 Thread Daniel Kučera

Hi Jared,

can you post your Deployment config?

2017-10-19 2:37 GMT+02:00 Yu Wei :
> Image and pods are in the same project.
>
> Jared
> Interested in cloud computing,big data processing,linux
>
> 2017年10月19日 上午4:39于 Joel Pearson 写道：
> Is the image in a different project that which you’re trying to run it in?
>
> Ie the image lives in project a and you’re trying to run the pod in project
> b
>
> In that scenario you need to grant some sort of permissions (image-pull or
> something).
> On Thu, 19 Oct 2017 at 4:32 am, Yu Wei  wrote:
>>
>> Hi,
>>
>> I setup openshift origin cluster 3.6 and found a problem with private
>> registry.
>>
>> Image was failed to be pulled by work node with error as below,
>>
>> rpc error: code = 2 desc = unauthorized: authentication required
>>
>>
>> However, the registry works well and I also could find the image via
>> docker-console.
>>
>> I installed the cluster via "Advanced installation". It seemed insecure
>> registry is not enabled.
>>
>>
>> How could I check what's wrong in my env?
>>
>>
>>
>> Thanks,
>>
>> Jared, (韦煜）
>> Software developer
>> Interested in open source software, big data, Linux
>>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
> --
> Kind Regards,
>
> Joel Pearson
> Agile Digital | Senior Software Consultant
>
> Love Your Software™ | ABN 98 106 361 273
> p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>



-- 

S pozdravom / Best regards
Daniel Kucera.

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Q: Refer to runtime properties from within "templates"?

Re: service account for rest api

Re: service account for rest api

Re: service account for rest api

Re: authentication required even for pulling images from private registry

Re: DNS resolving problem - in pod

Re: DNS resolving problem - in pod

DNS resolving problem - in pod

Re: authentication required even for pulling images from private registry

service account for rest api

Re: Re: authentication required even for pulling images from private registry

25 matches

Site Navigation

Mail list logo

Footer information