Have you tried hardcoding the key and secret in the inventory file rather than having it look them up from environment variables?

On Wed, Nov 15, 2017 at 10:20 AM, Md Faizan Ali <mdfaizanal...@gmail.com> wrote:

> Thanks for pointing it out.
>
> So in the file:
>
> $> cat origin-master-controllers
> OPTIONS=--loglevel=2 --listen=https://0.0.0.0:8444
> CONFIG_FILE=/etc/origin/master/master-config.yaml
> OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
>
> AWS_ACCESS_KEY_ID=
> AWS_SECRET_ACCESS_KEY=
>
> # Proxy configuration
> # See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
>
> Is my understanding incorrect that during install, if I provided
> key/secret key as environment variables, those values will not be captured
> here? Do I need to hardcode the key/secretkey here and restart master
> service?
>
> On Wed, Nov 15, 2017 at 8:11 PM, Hemant Kumar <heku...@redhat.com> wrote:
>
>> The AWS access key and secret key should be accessible to openshift
>> controller manager [usually] via environment variables. Can you double
>> check if - /etc/sysconfig/atomic-openshift-* has those keys and secrets
>> listed?
>>
>> If inventory and openshift-ansible had access to those keys during
>> cluster creation then those keys should be correctly placed in
>> /etc/sysconfig/atomic-openshift-* files.
>>
>> On Wed, Nov 15, 2017 at 9:17 AM, Md Faizan Ali <mdfaizanal...@gmail.com>
>> wrote:
>>
>>> I am running openshift origin 3.6 ( kube v1.6.1+5115d708d7) in AWS.
>>> Ansible inventory contains cloud provider configuration and I can see the
>>> config files on the master nodes.
>>>
>>> # From inventory
>>> # AWS
>>> openshift_cloudprovider_kind=aws
>>> openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
>>> openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
>>>
>>> I have also provisioned a storageclass
>>>
>>> # oc get storageclass
>>> NAME             TYPE
>>> fast (default)   kubernetes.io/aws-ebs
>>>
>>> However, when I try to create a pvc:
>>>
>>> kind: "PersistentVolumeClaim"
>>> apiVersion: "v1"
>>> metadata:
>>>   name: "testclaim"
>>>   namespace: testns
>>> spec:
>>>   accessModes:
>>>     - "ReadWriteOnce"
>>>   resources:
>>>     requests:
>>>       storage: "3Gi"
>>>   storageClassName: fast
>>>
>>> It just goes in infinite loop trying to get the pvc created. Events show
>>> me this error:
>>>
>>> (combined from similar events): Failed to provision volume with
>>> StorageClass "fast": UnauthorizedOperation: You are not authorized to
>>> perform this operation. Encoded authorization failure message:
>>> $(encoded-message) status code: 403, request id:
>>> d0742e84-a2e1-4bfd-b642-c6f1a61ddc1b
>>>
>>> Unfortunately I cannot decode the encoded message using aws cli as it
>>> gives error.
>>>
>>> aws sts decode-authorization-message -–encoded-message $(encoded-message)
>>> Error: UnicodeWarning: Unicode equal comparison failed to
>>> convert both arguments to Unicode - interpreting them as being unequal
>>>
>>> I have now also tried pv+pvc and using that in a pod. Everything gets
>>> created and I can see the claim. However when I try to mount it, I see
>>> similar errors with permission denied. Any pointers please.
>>>
>>> So far I have been able to deploy pods, services etc and they seem to be
>>> working fine.
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
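
A check for the question raised in the thread, as an added example that is not part of the original messages: it reports whether the two AWS variables in a sysconfig-style file are set, empty or missing, without printing their values. The function name `check_aws_env` and the sample file contents are constructed for illustration; on a master the argument would be the origin-master-controllers file shown above.

```shell
#!/bin/sh
# check_aws_env FILE
# Reports, for each AWS credential variable the cloud provider needs, whether
# FILE (KEY=VALUE lines, '#' comments) sets it to a non-empty value.
# Secret values are never printed. Returns 0 only if both are set.
check_aws_env() {
    file=$1
    rc=0
    for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        # Last uncommented assignment wins, as it would when the file is loaded.
        line=$(grep -E "^[[:space:]]*${var}=" "$file" | tail -n 1)
        if [ -z "$line" ]; then
            echo "$var: missing"
            rc=1
            continue
        fi
        # Drop the name, then quotes and whitespace, to see if anything is left.
        value=${line#*=}
        value=$(printf '%s' "$value" | tr -d "\"' \t")
        if [ -z "$value" ]; then
            echo "$var: empty"
            rc=1
        else
            echo "$var: set"
        fi
    done
    return $rc
}

# Constructed sample mirroring the file quoted in the thread: both variables
# are present but empty, which is what an env lookup that found nothing on the
# Ansible control host at install time would leave behind.
sample=$(mktemp)
cat > "$sample" <<'EOF'
OPTIONS=--loglevel=2 --listen=https://0.0.0.0:8444
CONFIG_FILE=/etc/origin/master/master-config.yaml
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
EOF
check_aws_env "$sample" || echo "AWS credentials are not populated in $sample"
rm -f "$sample"
```

Ansible evaluates `lookup('env', ...)` on the machine running the playbook, so the variables must be exported in that shell before the install for the values to reach this file.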