Kubernetes Openshift Client Authentication

12/16/2018

I am working with OpenShift 3.9 and am trying to list all Pods in my Namespace with the fabric8 Kubernetes-client ( https://github.com/fabric8io/kubernetes-client ). I am using Java 8 and the openshift client in version:

    <dependency>
        <groupId>io.fabric8</groupId>
        <artifactId>openshift-client</artifactId>
        <version>4.1.0</version>
    </dependency>

Inside the pod I am able to get a list of pods using bash:

    # using TLS connection with crt file defined
    curl --cacert "$CERT" \
      -H "Authorization: Bearer $TOKEN" \
      "https://$ENDPOINT/api/v1/namespaces/$NAMESPACE/pods"

This means that my serviceaccount has the permission to list pods inside the namespace.

With Java I was not able to authorize yet.

    try (OpenShiftClient client = new DefaultOpenShiftClient()) {
        // Debug output: the OAuth token held in the client configuration
        System.out.println("Client opened is: " + client.getConfiguration().getOauthToken());
        // List the pods and print each one
        client.pods().list().getItems().stream().forEach(
                p -> System.out.println("pod: " + p));
    }

Even if I explicitly specify the client with a builderConfig, the error is as follows:

    Exception in thread "OkHttp Dispatcher" io.fabric8.kubernetes.client.KubernetesClientException: Unexpected response (401 Unauthorized), to the authorization request. Missing header:[Location]!
        at io.fabric8.openshift.client.internal.OpenShiftOAuthInterceptor.authorize(OpenShiftOAuthInterceptor.java:128)
        at io.fabric8.openshift.client.internal.OpenShiftOAuthInterceptor.intercept(OpenShiftOAuthInterceptor.java:63)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
        at okhttp3.RealCall$AsyncCall.execute(RealCall.java:129)
        at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

The problem seems to be this class: https://github.com/fabric8io/kubernetes-client/blob/master/openshift-client/src/main/java/io/fabric8/openshift/client/internal/OpenShiftOAuthInterceptor.java

In line 132 the location of the token is not set, so the token can't be found. I am not able to solve this problem by myself. Maybe I have to set the Header Authorization: Bearer by myself.

Hope someone can help,

best wishes Joern

-- soa
fabric8
java
kubernetes
openshift
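
The curl request from the question, issued from Java 8 with the `Authorization: Bearer` header set explicitly and no fabric8 interceptor in the path, as an added example that is not part of the original post. It assumes the same `ENDPOINT`, `NAMESPACE`, `TOKEN` and `CERT` values are available as environment variables and that the API server is reachable; `ListPodsRaw` is a hypothetical class name.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ListPodsRaw { // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Same four inputs as the curl command, read from the environment (assumption).
        String endpoint = System.getenv("ENDPOINT");
        String namespace = System.getenv("NAMESPACE");
        String token = System.getenv("TOKEN").trim();
        // Trust only the CA bundle in $CERT, as curl --cacert does.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = Files.newInputStream(Paths.get(System.getenv("CERT")))) {
            int i = 0;
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                trust.setCertificateEntry("ca-" + i++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, tmf.getTrustManagers(), null);

        URL url = new URL("https://" + endpoint + "/api/v1/namespaces/" + namespace + "/pods");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(tls.getSocketFactory());
        conn.setRequestProperty("Authorization", "Bearer " + token);
        conn.setRequestProperty("Accept", "application/json");

        // Print the status and response body, never the token itself.
        int status = conn.getResponseCode();
        System.out.println("HTTP " + status);
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (body != null) {
            try (Scanner s = new Scanner(body, "UTF-8").useDelimiter("\\A")) {
                System.out.println(s.hasNext() ? s.next() : "");
            }
        }
    }
}
```

A 200 here with the same token points at how the client library is configured rather than at the service account's permissions.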

0 Answers