Get KUBECONFIG access token in PKS from Jenkins


Hi there! I’m Oded.

I work for VMware Tanzu as a Senior Lead Solutions Engineer, spreading the message of cloud native development, cloud native platforms on Kubernetes and app transformation.

I helped design large-scale, cloud-native solutions using the microservices architecture running on Pivotal Cloud Foundry and Kubernetes, using Spring Boot and Spring Cloud.

I’m highly skilled in Kubernetes, Java, Spring Boot, Spring Cloud, Apache Kafka, Event Sourcing and DevOps practices.

I enjoy photography, video editing, and the music of the King of Pop.

In many enterprises, the idea of letting developers get access to kubectl is blasphemy. kubectl is a powerful CLI, and if you don't have a proper RBAC setup, you can do some serious damage. The path many enterprises take is to have pipelines do all the deployment to the Kubernetes cluster.

Still, developers do require access to some aspects of the Kubernetes lifecycle, mainly the Kubernetes dashboard. However, that dashboard requires an access token that is found in the KUBECONFIG file.

In PKS, it is possible to get the KUBECONFIG file that includes the access token by using the pks CLI, but if kubectl is off limits, the pks CLI is definitely off limits.

The solution? Run a script that talks to the UAA backend to get the access token. Pivotal and VMware provide a script under this community support article.

However, even that can be a challenge for many enterprises. Windows is still king, and running shell scripts is not possible, let alone installation of additional utilities such as jq.

The solution? Get the access token from a Jenkins job that developers already have access to in their daily work.

Let's create a new Jenkins Freestyle job:

Check the box to Discard old builds and set Max # of builds to keep to 0. You don't want to keep a history of the access tokens.

Check This project is parameterized and add the following parameters:

Make sure that PKS_PASSWORD_RAW is set to type Password Parameter.

Under Build choose Execute shell:

Paste the following script. It has been modified from the original so it would not require jq:

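#!/bin/bash -e
# v 0.0.5.1

# get-pks-k8s-config.sh
# gmerlin@vmware.com
# adapted for Jenkins by Oded Shopen (odedia.org)

# Percent-encode a value for an application/x-www-form-urlencoded request body
urlencode() {
    local l=${#1} i c
    for (( i = 0 ; i < l ; i++ )); do
        c=${1:i:1}
        case "$c" in
            [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
            ' ') printf + ;;
            *) printf '%%%.2X' "'$c"
        esac
    done
}

# Quote the job parameters so spaces and glob characters survive,
# and encode the user name as well as the password.
PKS_USERNAME=$(urlencode "$PKS_USER")
PKS_PASSWORD=$(urlencode "$PKS_PASSWORD_RAW")

# Collect Tokens from UAA
# curl is called directly instead of through eval, so job parameter values
# are never parsed as shell code.
# -k disables TLS certificate verification; if the PKS API CA certificate is
# available on the agent, use --cacert <file> instead.
TOKENS=$(curl "https://${PKS_API}:8443/oauth/token" -sk -X POST -H 'Accept: application/json' \
    -d "client_id=pks_cluster_client&client_secret=&grant_type=password&username=${PKS_USERNAME}&password=${PKS_PASSWORD}&response_type=id_token" \
    | python -c "import sys, json; print(json.load(sys.stdin)['id_token'])")
echo -e "\n"
echo "$TOKENS"
echo -e "\n"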

Save the job.

While running the job, provide all required parameters:

The output will present your access token:

Good luck!
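
Because the token ends up in the build console, it helps to know how long it stays valid. The following is an added example, not part of the original script or article: it decodes the claims of an id_token without jq and reports the seconds left before its exp claim. It assumes the id_token is a compact JWT; the function names and the sample token with its claims are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the original script.
# Assumption: the id_token is a compact JWT (header.payload.signature).

# Decode one base64url segment: restore the standard alphabet and the padding.
b64url_decode() {
    local s
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
        1) return 1 ;;              # impossible length for base64
    esac
    printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the JSON claims of a JWT. The signature is NOT verified: inspection only.
jwt_claims() {
    local rest
    case "$1" in
        *.*.*.*) return 1 ;;        # more than three segments
        *.*.*)   ;;
        *)       return 1 ;;        # fewer than three segments
    esac
    rest=${1#*.}                    # drop the header
    b64url_decode "${rest%%.*}"     # keep only the payload
}

# Print a numeric claim (exp, iat, ...) using grep only, since jq is unavailable.
jwt_numeric_claim() {
    jwt_claims "$1" | grep -o "\"$2\"[[:space:]]*:[[:space:]]*[0-9][0-9]*" | grep -o '[0-9][0-9]*$'
}

# Seconds until expiry; the optional second argument overrides "now" (epoch seconds).
jwt_seconds_left() {
    local exp
    exp=$(jwt_numeric_claim "$1" exp) || return 1
    echo $(( exp - ${2:-$(date +%s)} ))
}

# Constructed sample token with made-up claims and a dummy signature.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
sample_token() {
    printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
        "$(b64url_encode '{"user_name":"dev01","iat":1700000000,"exp":1700043200}')" "c2ln"
}

jwt_claims "$(sample_token)"; echo
echo "seconds left at issue time: $(jwt_seconds_left "$(sample_token)" 1700000000)"
```

Run it on a developer machine with the token pasted as the first argument to `jwt_seconds_left`; a negative result means the token has already expired.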
