Renewing cluster kubeconfig from the command line

Hey,

Thanks for sharing. Any chance you have the Dockerfile or Docker image available to share with the community?

Thanks for sharing @clindevall - good stuff!

BTW - love the avatar!

Hello,

Here’s the current Dockerfile:

FROM centos:7

COPY karbonctl /usr/local/bin

COPY kubeconfig /usr/local/bin

ENTRYPOINT ["/usr/local/bin/kubeconfig"]

The “kubeconfig” shell script looks like this:

#!/bin/sh

if [ $# -lt 2 ]

then

echo "Usage: kubeconfig <Office 365 login> <Karbon cluster name>"

exit 1

fi

karbonctl login --pc-ip prism-central.host.local --pc-username "$1"

if [ ! -z "$3" ]

then

karbonctl cluster kubeconfig --cluster-name "$2" >"$3"

else

karbonctl cluster kubeconfig --cluster-name "$2"

fi
 

There’s room for improvement, but for now we use the docker image like this:

docker run --rm -it -v "$(pwd)":/tmp docker.registry.local/karbon:latest john.doe@office365.com mycluster /tmp/mycluster.cfg

Where does one get the karbonctl binary from?

It is in Prism Central. Login via SSH with nutanix user and look in /home/nutanix/karbon

Is it possible to download this somewhere else? I’m trying to setup another VM or find a scalable way to renew contexts as sharing the admin credentials isn’t ideal

Is there a passwordless way to do this?

The help claims a karbonctl configuration is generated to allow passwordless authentication to Karbon using karbonctl login, but I have to enter a login and password every time.

Here are example commands I have tried:

karbonctl login --config /root/.karbon/config/karbonctl.yaml --pc-username <username>

karbonctl login --config /root/.karbon/config/karbonctl.yaml

karbonctl login

karbonctl login --pc-ip <cluster ip> --pc-username <username> --pc-password <password> --output json

karbonctl login --pc-ip <cluster ip> --pc-username <username> --pc-password <password> --output 'json'

Ultimately, I am trying to grab the kubeconfig for a Jenkins setup where I am trying to deploy to the cluster. This should be automated and not require a password to be entered everytime.

Why do you want password for Jenkins?

My recommendation is that you create a service account in K8s for Jenkins and use it, instead of the Kubeconfig that will require to retrieve it every 24h.

I was misunderstood. I do not want a password for Jenkins. I want a passwordless way to login to the cluster to be able to retrieve the kubeconfig.

I believe the only way to accomplish this is to use passwords by logging in to PrismCentral and get the context remotely using karbonctl. Also, doing an unset prior to renewal is the only way to ensure credentials renew after 24h expiration.

@JoseNutanix  - I would like to echo @RichardCZ ‘s request for another way to access this binary (karbonctl).

I am a developer and only have ssh access to the underlying kubernetes cluster nodes (not prism).

I can get the Kubeconfig from the UI, but doing that every day is very tedious.  It would be great to have a way to give my password and be up and running with a fresh config.

You just need to create a service account with clusterrole and generate your kubeconfig file

i created a job in jenkins for creating rbac role, service account and kube config for every new k8s cluster

Hi all.

You also can download kubeconfig via Karbon API and you can automate it.

Read my article - https://vmik.net/2020/09/23/nutanix-karbon-kubeconfig/ . It’s in Russian, but translate button in the left bottom corner.