|
27 | 27 | when: openshift_release_pull_spec is not defined or openshift_release_pull_spec == '' |
28 | 28 |
|
29 | 29 | - name: Extract pull secret from host cluster via Kubernetes API |
30 | | - ansible.builtin.script: |
31 | | - cmd: python3 - |
32 | | - stdin: | |
33 | | - import yaml, json, base64, subprocess, os, sys |
34 | | -
|
35 | | - kubeconfig_path = "{{ rhoso_kubeconfig }}" |
36 | | - output_path = "{{ pull_secret_file }}" |
37 | | -
|
38 | | - with open(kubeconfig_path) as f: |
39 | | - kc = yaml.safe_load(f) |
40 | | -
|
41 | | - server = kc['clusters'][0]['cluster']['server'] |
42 | | - user = kc['users'][0]['user'] |
43 | | -
|
44 | | - ca_path = '/tmp/k8s-ca.crt' |
45 | | - cert_path = '/tmp/k8s-client.crt' |
46 | | - key_path = '/tmp/k8s-client.key' |
47 | | -
|
48 | | - with open(ca_path, 'wb') as f: |
49 | | - f.write(base64.b64decode(kc['clusters'][0]['cluster']['certificate-authority-data'])) |
50 | | - with open(cert_path, 'wb') as f: |
51 | | - f.write(base64.b64decode(user['client-certificate-data'])) |
52 | | - with open(key_path, 'wb') as f: |
53 | | - f.write(base64.b64decode(user['client-key-data'])) |
54 | | -
|
55 | | - result = subprocess.run([ |
56 | | - 'curl', '-s', '--fail', |
57 | | - '--cacert', ca_path, |
58 | | - '--cert', cert_path, |
59 | | - '--key', key_path, |
60 | | - f'{server}/api/v1/namespaces/openshift-config/secrets/pull-secret' |
61 | | - ], capture_output=True, text=True) |
62 | | -
|
63 | | - for f in [ca_path, cert_path, key_path]: |
64 | | - os.remove(f) |
65 | | -
|
66 | | - if result.returncode != 0: |
67 | | - print(f"Failed to fetch pull secret from {server}: {result.stderr}", file=sys.stderr) |
68 | | - sys.exit(1) |
69 | | -
|
70 | | - data = json.loads(result.stdout) |
71 | | - decoded = base64.b64decode(data['data']['.dockerconfigjson']).decode() |
72 | | - auths = json.loads(decoded) |
73 | | -
|
74 | | - with open(output_path, 'w') as f: |
75 | | - f.write(decoded) |
76 | | -
|
77 | | - print(f"Pull secret extracted: {len(auths.get('auths', {}))} registries") |
| 30 | + ansible.builtin.shell: | |
| 31 | + python3 << 'PYEOF' |
| 32 | + import yaml, json, base64, subprocess, os, sys |
| 33 | +
|
| 34 | + kubeconfig_path = "{{ rhoso_kubeconfig }}" |
| 35 | + output_path = "{{ pull_secret_file }}" |
| 36 | +
|
| 37 | + with open(kubeconfig_path) as f: |
| 38 | + kc = yaml.safe_load(f) |
| 39 | +
|
| 40 | + server = kc['clusters'][0]['cluster']['server'] |
| 41 | + user = kc['users'][0]['user'] |
| 42 | +
|
| 43 | + ca_path = '/tmp/k8s-ca.crt' |
| 44 | + cert_path = '/tmp/k8s-client.crt' |
| 45 | + key_path = '/tmp/k8s-client.key' |
| 46 | +
|
| 47 | + with open(ca_path, 'wb') as f: |
| 48 | + f.write(base64.b64decode(kc['clusters'][0]['cluster']['certificate-authority-data'])) |
| 49 | + with open(cert_path, 'wb') as f: |
| 50 | + f.write(base64.b64decode(user['client-certificate-data'])) |
| 51 | + with open(key_path, 'wb') as f: |
| 52 | + f.write(base64.b64decode(user['client-key-data'])) |
| 53 | +
|
| 54 | + result = subprocess.run([ |
| 55 | + 'curl', '-s', '--fail', |
| 56 | + '--cacert', ca_path, |
| 57 | + '--cert', cert_path, |
| 58 | + '--key', key_path, |
| 59 | + f'{server}/api/v1/namespaces/openshift-config/secrets/pull-secret' |
| 60 | + ], capture_output=True, text=True) |
| 61 | +
|
| 62 | + for f in [ca_path, cert_path, key_path]: |
| 63 | + os.remove(f) |
| 64 | +
|
| 65 | + if result.returncode != 0: |
| 66 | + print(f"Failed to fetch pull secret from {server}: {result.stderr}", file=sys.stderr) |
| 67 | + sys.exit(1) |
| 68 | +
|
| 69 | + data = json.loads(result.stdout) |
| 70 | + decoded = base64.b64decode(data['data']['.dockerconfigjson']).decode() |
| 71 | + auths = json.loads(decoded) |
| 72 | +
|
| 73 | + with open(output_path, 'w') as f: |
| 74 | + f.write(decoded) |
| 75 | +
|
| 76 | + print(f"Pull secret extracted: {len(auths.get('auths', {}))} registries") |
| 77 | + PYEOF |
78 | 78 | register: _pull_secret_result |
79 | 79 | no_log: true |
80 | 80 |
|
|
0 commit comments