Generate a token to register in Anthos Console #32

Open
displague opened this issue Jan 4, 2021 · 2 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request

Comments

@displague
Member

displague commented Jan 4, 2021

The README.md does not walk users through connecting the new cluster to the Anthos UI.

While we do not want to repeat all of the Anthos Baremetal documentation in this project, a helper script or set of copy/paste commands would ease the process. (The Google instructions must be hand-edited and selected before they can be copy/pasted; we can be opinionated here or take values from Terraform.)

https://cloud.google.com/anthos/gke/docs/bare-metal/1.6/how-to/anthos-ui#authn

Should Terraform preconfigure this?
What names should we use?

@displague
Member Author

/cc @bikashrc25

@displague
Member Author

displague commented Jan 11, 2021

Essentially, the Google instructions require user opinions on the roles to assign and the names of the resources (accounts and role bindings). The following expresses the opinion that a single SA (named "metal-anthos") with cluster-admin is what we want to register at the login prompt:

# Configure the local kubectl to use the Anthos cluster
export KUBECONFIG=$(terraform output -raw Kubeconfig_location)
# Create a role with the cloud-console-reader resource access requirements
cat <<EOF > cloud-console-reader.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
EOF
kubectl apply -f cloud-console-reader.yaml
# Generate a token for a new service account with view, cloud-console-reader, and cluster-admin roles
KSA_NAME=metal-anthos
VIEW_BINDING_NAME=${KSA_NAME}-view
CLOUD_CONSOLE_READER_BINDING_NAME=${KSA_NAME}-cloud-console-reader
BINDING_NAME=${KSA_NAME}-cluster-admin

kubectl create serviceaccount ${KSA_NAME}
kubectl create clusterrolebinding ${VIEW_BINDING_NAME} \
--clusterrole view --serviceaccount default:${KSA_NAME}
kubectl create clusterrolebinding ${CLOUD_CONSOLE_READER_BINDING_NAME} \
--clusterrole cloud-console-reader --serviceaccount default:${KSA_NAME}

kubectl create clusterrolebinding ${BINDING_NAME} \
--clusterrole cluster-admin --serviceaccount default:${KSA_NAME}

# Look up the SA's auto-created token secret (first entry in .secrets) and print the decoded bearer token
SECRET_NAME=$(kubectl get serviceaccount ${KSA_NAME} -o jsonpath='{$.secrets[0].name}')
kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' | base64 --decode; echo

The token output from this last command can be entered at the "Token" option in the "Login" dialog for the cluster listed at https://console.cloud.google.com/kubernetes/list.
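As an added illustration (not code from the issue or the project), the following is a small model of Kubernetes RBAC rule matching that can be used to audit what the roles bound above actually grant to the service account before the token is handed to the console. It transcribes the cloud-console-reader ClusterRole from the comment and the wildcard shape of the built-in cluster-admin role; resourceNames, nonResourceURLs and namespaces are not modelled.

```python
# Added example (not project code): a small model of Kubernetes RBAC matching
# (apiGroups/resources/verbs with "*" wildcards) to audit what the roles bound
# to the metal-anthos SA permit. resourceNames, nonResourceURLs, namespaces omitted.
from typing import Iterable, List, Tuple

Probe = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group

# Transcription of the cloud-console-reader ClusterRole posted in this issue.
CLOUD_CONSOLE_READER = {
    "name": "cloud-console-reader",
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "persistentvolumes"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# The built-in cluster-admin role: wildcard on every group, resource and verb.
CLUSTER_ADMIN = {
    "name": "cluster-admin",
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

def _matches(allowed: List[str], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed

def rule_allows(rule: dict, probe: Probe) -> bool:
    group, resource, verb = probe
    return (_matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def role_allows(role: dict, probe: Probe) -> bool:
    return any(rule_allows(r, probe) for r in role["rules"])

def subject_allows(bound_roles: Iterable[dict], probe: Probe) -> bool:
    """RBAC is purely additive: one bound role permitting the action is enough."""
    return any(role_allows(r, probe) for r in bound_roles)

def redundant_roles(bound_roles: List[dict], probes: Iterable[Probe]) -> List[str]:
    """Names of bound roles granting nothing (over the probes) the others do not."""
    probes = list(probes)
    names = []
    for role in bound_roles:
        others = [r for r in bound_roles if r is not role]
        if all(subject_allows(others, p) for p in probes if role_allows(role, p)):
            names.append(role["name"])
    return names
```

Running `redundant_roles([CLOUD_CONSOLE_READER, CLUSTER_ADMIN], probes)` over a few probes shows that once cluster-admin is bound, the cloud-console-reader binding adds no permission; the console-facing token is effectively a cluster-admin credential.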

@displague displague added documentation Improvements or additions to documentation enhancement New feature or request labels Jan 11, 2021