OpenShift Service Account Permissions to Read Pod and Deployment Status - api

I would like to use the OpenShift REST api to make queries from a separate portal. We first created a service account using the following steps (where my-id is an admin in the project):
C:\openshift>oc login
Authentication required for https://openshift-test.foo.com:8443 (openshift)
Username: my-id
Password:
Login successful.
You have access to the following projects and can switch between them with 'oc project <projectname>':
* datalake-replication-consumers
datalake-replication-demo
Using project "datalake-replication-consumers".
C:\openshift>oc create serviceaccount gmi-registry
serviceaccount "gmi-registry" created
C:\openshift>oc policy add-role-to-user admin system:serviceaccounts:datalake-replication-consumers:gmi-registry
role "admin" added: "system:serviceaccounts:datalake-replication-consumers:gmi-registry"
C:\openshift>oc serviceaccounts get-token gmi-registry
<token here>
I then pasted that token as a bearer token into Postman to make a few api calls. Since I added my service account to the admin role within my project, I assumed this would work, but instead we're getting back a 403.
GET pods:
https://openshift-test.foo.com:8443/api/v1/namespaces/datalake-replication-consumers/pods
Response:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "User \"system:serviceaccount:datalake-replication-consumers:gmi-registry\" cannot list pods in project \"datalake-replication-consumers\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
GET specific deployment:
https://openshift-test.foo.com:8443/oapi/v1/namespaces/datalake-replication-consumers/deploymentconfigs/entity-65869977-9d56-49a5-afa2-4a547df82d5c
Response:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "User \"system:serviceaccount:datalake-replication-consumers:gmi-registry\" cannot get deploymentconfigs in project \"datalake-replication-consumers\"",
"reason": "Forbidden",
"details": {
"name": "entity-65869977-9d56-49a5-afa2-4a547df82d5c",
"kind": "deploymentconfigs"
},
"code": 403
}
What are we missing for service account permissions here?
UDPATE: I should also add that I pulled my own bearer token out of the CLI and used that for both calls. That worked.

Not a very exciting answer, but our problem was solved when we installed a v3.7 instance. My initial tests were on v1.5, which I think corresponds to 3.5 or 3.6 in the enterprise offering?

Related

GoDaddy API to create subdoman returns "The given domain is not registered, or does not have a zone file"

I'm trying to use GoDaddy's API to create a subdomain using the following http request:
PATCH /v1/domains/domainName.com/records
Host: api.ote-godaddy.com
Authorization: sso-key API_KEY:API_SECRET
Content-Type: application/json
Content-Length: 100
[
{
"data": "111.111.111.111",
"name": "subdomainName",
"ttl": 6000,
"type": "A"
}
]
but I get the following response:
{
"code": "UNKNOWN_DOMAIN",
"message": "The given domain is not registered, or does not have a zone file"
}
Please changes the host name as https://api.godaddy.com. your request will be work only production URL.
Please generate Production level API Key & SECRET.
Body: (Raw - Json Type)
[
{
"data": "YourServerIp",
"name": "subdomainName",
"port": 80,
"priority": 10,
"protocol": "string",
"service": "string",
"ttl": 600,
"type": "A"
}
]
Note:
It's only happened when primary domain already exists on your go daddy account
I figured out these requests only work using the production authorization against the production url but won't work using ote-authorization against the ote url. Maybe the url has to be set as an ote domain and not a production domain. Not sure.

Not able to create Tag in Google Tag Manager using the Google Tag Manager API

I want to use the Google Tag Manager API to programmatically create Tags in a containers workspace from a JSON file.
In doing so I encountered the following error after sending of a create-Request:
{
"errors": {
"error": {
"errors": [
{
"domain": "global",
"reason": "invalidArgument",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
I then tried to create a minimal tag in the same workspace following this example: https://developers.google.com/tag-manager/api/v2/devguide with the same result.
Its the same for another newly created container and workspace with no other elements in it.
Does someone know a possible solution? Thanks in advance.

Set a custom domain for an azure Storage Account through an ARM template

I'm trying to setup an ARM template to set a custom domain for an Azure storage account. I am only running this portion of my ARM template after the storage account is initially setup and a DNS record has been created, but it still fails with this error:
: The custom domain name could not be verified. CNAME mapping from myStorage.mydomain.com to .blob.core.windows.net does not exist.
I've replaced my domain in the error, but the rest is exact. I notice that it looks suspicious since it doesn't list the name of my storage account, but the storage account is named, so I can't figure out how to affect that. Here's the resource definition (again, the account name and domain are replaced, but all else is the same)
"resources": [
{
"name": "myStorageAccount",
"type": "Microsoft.Storage/storageAccounts",
"location": "[resourceGroup().location]",
"apiVersion": "2017-06-01",
"sku": {
"name": "Standard_LRS"
},
"dependsOn": [],
"tags": {
"displayName": "Storage Account"
},
"kind": "BlobStorage",
"properties":{
"customDomain":{
"name":"myStorage.mydomain.com",
"useSubDomain":false
}
}
}
]
I can set it to the same custom domain through the Azure portal. It validates fine there. I'm sure I could do it through a separate PowerShell script, but I prefer to do it in the ARM, so as to minimize the need for additional scripts when setting up my environment.
Any thoughts would be appreciated.

How can I test the Google Translate API with cURL?

I'm attempting to use cURL to test the Google Translate API to see if it will suit my needs. But when I run this
$ curl https://www.googleapis.com/language/translate/v2?key=mykeyhere&source=en&target=de&q=Hello
I receive this in response:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Required parameter: q",
"locationType": "parameter",
"location": "q"
},
{
"domain": "global",
"reason": "required",
"message": "Required parameter: target",
"locationType": "parameter",
"location": "target"
}
],
"code": 400,
"message": "Required parameter: q"
}
}
Any ideas what I am doing wrong?
(Also, I understand StackOverflow may not be the best place for the question. I am happy to request that this question be moved to a different StackExchange site if someone will be kind enough to suggest an appropriate site for this question.)
I ended up using this NPM package to test, and once I enabled billing in the Google Developer Console, things worked: https://www.npmjs.org/package/google-translate

GitHub API File Update : "Not Found"

I am attempting to update a file in one of my repos via the API.
Here is my get of that file (works nicely):
curl -XGET 'https://git.fake.local/api/v3/repos/jsmith/repo_version/contents/version.html?ref=gh-pages'
{
"name": "version.html",
"path": "version.html",
"sha": "b1b716105590454bfc4c0247f193a04088f39c7f",
"size": 5,
"url": "https://git.fake.local/api/v3/repos/jsmith/post_version/contents/version.html?ref=gh-pages",
"html_url": "https://git.fake.local/jsmith/post_version/blob/gh-pages/version.html",
"git_url": "https://git.fake.local/api/v3/repos/jsmith/post_version/git/blobs/b1b716105590454bfc4c0247f193a04088f39c7f",
"type": "file",
"content": "aW5pdAo=\n",
"encoding": "base64",
"_links": {
...
}
}
Here is my attempt to update that file via PUT:
curl -XPUT 'https://git.fake.local/api/v3/repos/jsmith/repo_version/contents/version.html?ref=gh-pages' -d '{
"message": "update from api",
"committer": {
"name": "Joe Smith",
"email": "jsmith#fake.com"
},
"content": "bXkgdXBkYXRlZCBmaWxlIGNvbnRlbnRz",
"sha": "b1b716105590454bfc4c0247f193a04088f39c7f"
}'
RESULT:
{
"message": "Not Found"
}
Okay... I think I got it.
From the github doco:
Authentication
There are three ways to authenticate through GitHub API v3. Requests
that require authentication will return 404 Not Found, instead
of 403 Forbidden, in some places. This is to prevent the
accidental leakage of private repositories to unauthorized users.
I was expecting a 403 if Auth was a problem but they are throwing a 404, so basically I probably need to make sure I am auth'd correctly and all will be well.
SOLVED:
I created a personal oauth token (under settings/applications) and add to curl request in header and it all works great.
curl -XPUT -H "Authorization: token MYSECRETTOKEN"