docs/doc/source/usertasks/kubernetes/using-container-based-remote-clis-and-clients.rst
Joao Victor Portal 191b184763 Review K8s local and remote auth instructions (cherry pick to stx 9.0)
This change replaces the usage of Service Tokens by OIDC tokens in the
instructions of Kubernetes cluster local and remote access. Some other
changes were made, like the deletion of redundant pages.

Story: 2010738
Task: 49561

Change-Id: Ie8206ecd316efd356a5889899a68f9a9ddbcdfa6
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
2024-03-11 10:51:09 -03:00


Use Container-backed Remote CLIs and Clients

Remote platform CLIs can be used in any shell after sourcing the generated remote CLI/client RC file. This RC file sets up the required environment variables and aliases for the remote CLI commands.

Note

Consider adding the source command shown below to your .login or shell rc file, so that your shells are automatically initialized with the environment variables and aliases for the remote CLI commands.

Otherwise, execute the following before proceeding:

root@myclient:/home/user/remote_cli_wd# source remote_client_platform.sh
Please enter your OpenStack Password for project admin as user admin-user:

If you specified repositories that require authentication when configuring the container-backed remote CLIs, you must perform a docker login to that repository before using remote CLIs for the first time.

  • You must complete the configuration steps described in :ref:`Configure Container-backed Remote CLIs <kubernetes-user-tutorials-configuring-container-backed-remote-clis-and-clients>` before proceeding.
  • You must have the oidc-auth-apps Identity Provider (dex) configured on the target environment to get Kubernetes authentication tokens.

  • Before you can execute kubectl commands, you must get a Kubernetes authentication token. Execute the command below to get it. In this example the user is called "user1"; change this to your own username. The token is stored in the "user-kubeconfig" file. The token is valid for up to 24 hours, and a new token should be generated regularly. The IP mentioned below is the IP of the target environment.

    Note

    The first usage of a remote command will be slow as it requires that the docker image supporting the remote CLIs/clients be pulled from the remote registry.

    root@myclient:/home/user/remote_cli_wd# oidc-auth -c <OAM_IP> -u user1 -p <USER_PASSWORD>
  • For Kubernetes kubectl commands:

    root@myclient:/home/user/remote_cli_wd# kubectl -n kube-system get pods
    NAME                                       READY   STATUS      RESTARTS   AGE
    calico-kube-controllers-767467f9cf-wtvmr   1/1     Running     1          3d2h
    calico-node-j544l                          1/1     Running     1          3d
    calico-node-ngmxt                          1/1     Running     1          3d1h
    calico-node-qtc99                          1/1     Running     1          3d
    calico-node-x7btl                          1/1     Running     4          3d2h
    ceph-pools-audit-1569848400-rrpjq          0/1     Completed   0          12m
    ceph-pools-audit-1569848700-jhv5n          0/1     Completed   0          7m26s
    ceph-pools-audit-1569849000-cb988          0/1     Completed   0          2m25s
    coredns-7cf476b5c8-5x724                   1/1     Running     1          3d2h
    ...
    root@myclient:/home/user/remote_cli_wd#

    Note

    Some commands are designed to leave you in a shell prompt, for example:

    root@myclient:/home/user/remote_cli_wd# openstack

    or

    root@myclient:/home/user/remote_cli_wd# kubectl exec -ti <pod_name> -- /bin/bash

    In most cases, the remote CLI will detect and handle these commands correctly. If you encounter cases that are not handled correctly, you can force-enable or force-disable the shell option by setting the FORCE_SHELL or FORCE_NO_SHELL variable before the command.

    For example:

    root@myclient:/home/user/remote_cli_wd# FORCE_SHELL=true kubectl exec -ti <pod_name> -- /bin/bash
    root@myclient:/home/user/remote_cli_wd# FORCE_NO_SHELL=true kubectl exec <pod_name> -- ls

    You cannot use both variables at the same time.

  • If you need to run a remote command that references a local file, then that file must be copied to or created in the working directory specified in the -w option on the ./config_client.sh command.

    For example:

    root@myclient:/home/user# cp /<someDir>/test.yml $HOME/remote_cli_wd/test.yml
    root@myclient:/home/user# cd $HOME/remote_cli_wd
    root@myclient:/home/user/remote_cli_wd# kubectl -n kube-system  create -f test.yml
    pod/test-pod created
    root@myclient:/home/user/remote_cli_wd# kubectl -n kube-system  delete -f test.yml
    pod/test-pod deleted
  • Do the following to use helm.
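
Returning to the token step above: the "user-kubeconfig" file holds a bearer token that is valid for up to 24 hours. The following shell functions are an added example, not part of the StarlingX documentation; they check that the file is private to its owner and report how long the token remains valid. They assume the file keeps the token on a `token:` line as a JWT with an `exp` claim; the function names and the sample file are constructed for illustration.

```shell
# Added example: check the kubeconfig written by oidc-auth before using kubectl.
# Assumption: the token sits on a "token: <JWT>" line and carries an "exp" claim.

# Print the first bearer token found in kubeconfig file $1.
kubeconfig_token() {
    sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'"
}

# Decode the payload (second segment) of JWT $1 to JSON on stdout.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in      # base64url drops '=' padding; restore it
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the seconds of validity left for the token in file $1, measured at
# epoch time $2 (default: now). Returns non-zero if no exp claim is found.
token_seconds_left() {
    tok=$(kubeconfig_token "$1")
    [ -n "$tok" ] || return 1
    exp=$(jwt_payload "$tok" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$exp" ] || return 1
    echo $(( $exp - ${2:-$(date +%s)} ))
}

# Return 0 only if file $1 is private to its owner and its token stays valid
# for at least $3 more seconds (default 3600) at epoch time $2 (default: now).
check_kubeconfig() {
    left=$(token_seconds_left "$1" "$2") || { echo "no usable token in $1" >&2; return 2; }
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "$1 is accessible to group/others; run: chmod 600 $1" >&2; return 3
    fi
    if [ "$left" -lt "${3:-3600}" ]; then
        echo "token has ${left}s left; run oidc-auth again" >&2; return 4
    fi
    echo "token valid for another ${left}s"
}

# Constructed sample: write a kubeconfig with an unsigned JWT expiring at $2.
write_sample_kubeconfig() {
    b64() { base64 | tr -d '=\n' | tr '/+' '_-'; }
    jwt="$(printf '{"alg":"none"}' | b64).$(printf '{"sub":"user1","exp":%s}' "$2" | b64)."
    ( umask 077; printf 'users:\n- name: user1\n  user:\n    token: %s\n' "$jwt" > "$1" )
}

if [ "$#" -gt 0 ]; then check_kubeconfig "$@"; fi   # run as a script with a path
```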

Related information

Configuring Container-backed Remote CLIs and Clients <kubernetes-user-tutorials-configuring-container-backed-remote-clis-and-clients>

Installing Kubectl and Helm Clients Directly on a Host <kubernetes-user-tutorials-installing-kubectl-and-helm-clients-directly-on-a-host>

Configuring Remote Helm Client <configuring-remote-helm-client>