Renewing cluster kubeconfig from the command line

  • 29 April 2020
  • 12 replies
  • 3362 views

Userlevel 1

Just wanted to share how we are renewing the kubeconfig from the command line.

Background:
In our organization it was considered a bit clumsy to download the kubeconfig from the Karbon UI. We love the command line and wanted a quick’n’easy way to renew the authentication token.

The solution:
We created a docker image that contains the “karbonctl” binary and a wrapper script. The Dockerfile was also included in our CI/CD pipeline to automate the image creation.

The wrapper script does two things:

  • karbonctl login --pc-ip prism.nightingale.nu --pc-username "$1"
  • karbonctl cluster kubeconfig --cluster-name "$2" >"$3"

The commands that the end user runs:

  • docker run --rm -it -v "$(pwd)":/tmp docker.registry.local/karbonctl:latest <login> mycluster /tmp/karbon.cfg
  • export KUBECONFIG="$(pwd)/karbon.cfg"

 


12 replies

Userlevel 4
Badge +1

Hey,

Thanks for sharing. Any chance you have the Dockerfile or Docker image available to share with the community?

 

Userlevel 7
Badge +35

Thanks for sharing @clindevall - good stuff!

BTW - love the avatar!

Userlevel 1

Hello,

Here’s the current Dockerfile:

FROM centos:7
COPY karbonctl /usr/local/bin
COPY kubeconfig /usr/local/bin
ENTRYPOINT ["/usr/local/bin/kubeconfig"]

The “kubeconfig” shell script looks like this:

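#!/bin/sh

# Require at least the login and the cluster name; the output file is optional.
if [ $# -lt 2 ]
then
    echo "Usage: kubeconfig <Office 365 login> <Karbon cluster name> [output file]"
    exit 1
fi

# Stop here if the login fails, so no kubeconfig is requested without a session.
karbonctl login --pc-ip prism-central.host.local --pc-username "$1" || exit 1

# Write the kubeconfig to the third argument if given, otherwise to stdout.
if [ -n "$3" ]
then
    karbonctl cluster kubeconfig --cluster-name "$2" >"$3"
else
    karbonctl cluster kubeconfig --cluster-name "$2"
fi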
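Added example, not part of the original posts: a redirect such as >"$3" truncates the target before karbonctl runs, so a failed fetch leaves an empty file, and the file that holds the token is created with the default umask. The function below is a hardened write step; the name write_kubeconfig is hypothetical, and it assumes the output is a YAML kubeconfig with a top-level clusters: key.

```shell
#!/bin/sh
# Added example (not the poster's script). write_kubeconfig is a hypothetical helper:
#   write_kubeconfig <output file> <command> [args...]
# It runs the command and replaces <output file> only when the command succeeded
# and printed something that looks like a kubeconfig. The result is mode 0600.
# In the wrapper above it would replace the redirect, for example:
#   write_kubeconfig "$3" karbonctl cluster kubeconfig --cluster-name "$2"
write_kubeconfig() {
    out=$1
    shift
    dir=$(dirname "$out")

    # Temp file in the target directory, so the final mv is an atomic rename.
    tmp=$(mktemp "$dir/.kubeconfig.XXXXXX") || return 1
    chmod 600 "$tmp"

    # Run the fetch command; on failure keep whatever kubeconfig already exists.
    if ! "$@" >"$tmp"; then
        echo "kubeconfig command failed; keeping existing $out" >&2
        rm -f "$tmp"
        return 1
    fi

    # Assumption: a usable kubeconfig is YAML with a top-level "clusters:" key.
    # Anything else (empty output, an error message) is rejected.
    if ! grep -q '^clusters:' "$tmp"; then
        echo "output does not look like a kubeconfig; keeping existing $out" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$out"
}
```

When the output file sits on a bind mount, as with -v "$(pwd)":/tmp, the file is owned by the user the container runs as, so the 0600 mode only helps the calling user if the container runs with that user's UID.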
 

Userlevel 1

There’s room for improvement, but for now we use the docker image like this:

docker run --rm -it -v "$(pwd)":/tmp docker.registry.local/karbon:latest john.doe@office365.com mycluster /tmp/mycluster.cfg

Where does one get the karbonctl binary from?

Userlevel 4
Badge +1

It is in Prism Central. Log in via SSH with the nutanix user and look in /home/nutanix/karbon

It is in Prism Central. Log in via SSH with the nutanix user and look in /home/nutanix/karbon

Is it possible to download this somewhere else? I’m trying to set up another VM or find a scalable way to renew contexts, as sharing the admin credentials isn’t ideal.

Is there a passwordless way to do this?

The help claims a karbonctl configuration is generated to allow passwordless authentication to Karbon using karbonctl login, but I have to enter a login and password every time.

 

 

Here are example commands I have tried:

 

karbonctl login --config /root/.karbon/config/karbonctl.yaml --pc-username <username>

karbonctl login --config /root/.karbon/config/karbonctl.yaml

karbonctl login

karbonctl login --pc-ip <cluster ip> --pc-username <username> --pc-password <password> --output json

karbonctl login --pc-ip <cluster ip> --pc-username <username> --pc-password <password> --output 'json'

 

Ultimately, I am trying to grab the kubeconfig for a Jenkins setup where I am trying to deploy to the cluster. This should be automated and not require a password to be entered every time.

 

Badge +4

Why do you want a password for Jenkins?

My recommendation is that you create a service account in K8s for Jenkins and use it, instead of the Kubeconfig, which you would have to retrieve every 24h.

I was misunderstood. I do not want a password for Jenkins.

 

I want a passwordless way to login to the cluster to be able to retrieve the kubeconfig.

I was misunderstood. I do not want a password for Jenkins.

 

I want a passwordless way to login to the cluster to be able to retrieve the kubeconfig.

 

I believe the only way to accomplish this is to use passwords by logging in to PrismCentral and getting the context remotely using karbonctl. Also, doing an unset prior to renewal is the only way to ensure credentials renew after the 24h expiration.

It is in Prism Central. Log in via SSH with the nutanix user and look in /home/nutanix/karbon

@JoseNutanix - I would like to echo @RichardCZ's request for another way to access this binary (karbonctl).

I am a developer and only have ssh access to the underlying kubernetes cluster nodes (not prism).

I can get the Kubeconfig from the UI, but doing that every day is very tedious. It would be great to have a way to give my password and be up and running with a fresh config.
