# Kubernetes Authentication Role

This role manages authentication to Kubernetes/OpenShift clusters for Ansible playbooks, providing a consistent authentication interface.

## Overview

The Kubernetes Authentication role:

1. Logs in to OpenShift/Kubernetes clusters using kubeadmin credentials
2. Configures and manages kubeconfig files
3. Provides logout functionality
4. Sets global authentication parameters for other roles

## Role Variables

| Variable | Description | Default |
|----------|-------------|---------|
| kubeadmin_username | Username for cluster authentication | "kubeadmin" |
| kubeadmin_password | Password for cluster authentication | From vault |
| openshift_cluster_api | API URL for the cluster | From inventory |
| kubeconfig_path | Path to kubeconfig file | "/tmp/kubeconfig-{{ cluster_name }}-{{ cluster_region }}" |
| validate_certs | Whether to validate API server certificates | false |

## Directory Structure

```
kubernetes_auth/
├── defaults/           # Default variables
│   └── main.yml
├── meta/               # Role metadata
│   └── main.yml
├── tasks/              # Tasks for authentication
│   ├── logout.yml      # Logout and cleanup
│   └── main.yml        # Main authentication tasks
└── vars/               # Role-specific variables
```

## Authentication Process

The role performs the following steps:

1. Creates a temporary directory for kubeconfig
2. Logs in using the oc/kubectl command with provided credentials
3. Sets up a k8s_auth_params dictionary with authentication details
4. Makes this dictionary available globally for other roles

## Logout and Cleanup

The role provides a logout task that:

1. Logs out from the cluster
2. Removes temporary kubeconfig files
3. Cleans up any other authentication artifacts

## Required Vault Variables

The following variable must be set in your Ansible vault (secrets.yml) for each cluster:

```yaml
euw:
  hub:
    kubeadmin_password: "your-kubeadmin-password"
euc:
  wlk1:
    kubeadmin_password: "your-kubeadmin-password"
```

## Example Usage

```yaml
- name: Set up Kubernetes authentication
  hosts: localhost
  roles:
    - role: kubernetes_auth
      vars:
        kubeadmin_username: "kubeadmin"
        openshift_cluster_api: "https://api.hub.euw.container.mom:6443"
```

## Example Variables Output

This role sets the following variables for use by other roles:

```yaml
k8s_auth_params:
  kubeconfig: "/tmp/kubeconfig-hub-euw"
  validate_certs: false
```

## Dependencies

This role has no dependencies on other roles.

## Notes

- The role is designed for OpenShift clusters but works with standard Kubernetes
- For security, kubeconfig files are stored in temporary directories
- Login tokens have an expiration time (typically 24 hours)
- The role can be included by other roles through dependencies
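
The defaults listed under Role Variables turn API certificate validation off and write the kubeconfig, which holds the login token, to a predictable path under `/tmp`. The playbook below is an added example, not part of the role's own code, that overrides both defaults, checks the result before any other task uses the token, and always logs out. It assumes the role honours `kubeconfig_path` and `validate_certs` when they are passed as vars, that `tasks/logout.yml` can be run through `tasks_from`, and that the control node trusts the cluster API's CA; `kube_tmp` and `kubeconfig_stat` are hypothetical names.

```yaml
# Added example: kube_tmp and kubeconfig_stat are hypothetical register names.
- name: Authenticate with TLS validation and a private kubeconfig path
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create an unpredictable directory (mkdtemp gives it mode 0700)
      ansible.builtin.tempfile:
        state: directory
        prefix: kubeauth-
      register: kube_tmp

    - name: Log in, verify the result, and always clean up
      block:
        - name: Run the role with the two defaults overridden
          ansible.builtin.include_role:
            name: kubernetes_auth
          vars:
            kubeadmin_username: "kubeadmin"
            openshift_cluster_api: "https://api.hub.euw.container.mom:6443"
            validate_certs: true
            kubeconfig_path: "{{ kube_tmp.path }}/kubeconfig"

        - name: Inspect the kubeconfig the role reports in k8s_auth_params
          ansible.builtin.stat:
            path: "{{ k8s_auth_params.kubeconfig }}"
          register: kubeconfig_stat

        - name: Stop if the token file or TLS setting is weaker than intended
          ansible.builtin.assert:
            that:
              - kubeconfig_stat.stat.exists
              - kubeconfig_stat.stat.mode in ['0600', '0400']
              - k8s_auth_params.validate_certs | bool
            fail_msg: "kubeconfig is missing, readable by others, or TLS validation is off"

        # Tasks that need cluster access go here.
      always:
        - name: Log out (assumes tasks/logout.yml can be run via tasks_from)
          ansible.builtin.include_role:
            name: kubernetes_auth
            tasks_from: logout
          vars:
            kubeconfig_path: "{{ kube_tmp.path }}/kubeconfig"

        - name: Remove the private directory
          ansible.builtin.file:
            path: "{{ kube_tmp.path }}"
            state: absent
```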