Prepare Access to Kubernetes Cluster(s)

After you have created your Kubernetes Cluster(s), prepare access to them. How you do this depends on your Kubernetes Provider, but in many cases it is as follows.

If you access Kubernetes with KUBECONFIG files, store them in the working directory as follows:

  • 🟢 Management Kubernetes Cluster

    cp /CHANGEME/PATH/TO/management_cluster.yaml $HOME/opstella-installation/kubeconfigs/management_cluster.yaml
  • 🟦 Non-Production Workload Kubernetes Cluster

    cp /CHANGEME/PATH/TO/nonprod_cluster.yaml $HOME/opstella-installation/kubeconfigs/nonprod_cluster.yaml
  • 🟥 Production Workload Kubernetes Cluster

    cp /CHANGEME/PATH/TO/prod_cluster.yaml $HOME/opstella-installation/kubeconfigs/prod_cluster.yaml

Create Long-lived Access Token to Kubernetes

You will need to create a Service Account bound to the cluster-admin Cluster Role to gain the capability to manage the Kubernetes Cluster and its workloads.

You also need to obtain its Access Token, a long-lived one used for authentication to the cluster. It will be used later for installing subsystems and components and for integration with Opstella.

You will create a Service Account named opstella-admin, bound to the cluster-admin Cluster Role by a Cluster Role Binding named opstella-admin-crb-clusteradmin.

You will need to create them on ALL Kubernetes Cluster(s).

It is used for:

  • Configuring the Opstella Platform integration with Kubernetes
  • Optionally replacing the access method, in case your Kubernetes Cluster is accessed with a CLI in a specific way instructed by the Kubernetes Provider

  1. Connect to the Kubernetes Cluster with the CLI as instructed by your provider (if needed)

  2. Create Service Account opstella-admin in kube-system Namespace

    kubectl create serviceaccount opstella-admin -n kube-system
  3. Create a Cluster Role Binding to cluster-admin Built-in Cluster Role

    kubectl create clusterrolebinding opstella-admin-crb-clusteradmin --clusterrole=cluster-admin --serviceaccount=kube-system:opstella-admin
  4. Create Access Token

    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: opstella-admin-token
      namespace: kube-system
      annotations:
        kubernetes.io/service-account.name: opstella-admin
    type: kubernetes.io/service-account-token
    EOF
  5. Gather its Access Token and Server Certificate

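    # CA certificate stays base64-encoded, as certificate-authority-data in a kubeconfig expects
    export OPSTELLA_ADMIN_CACERT=$(kubectl get secret opstella-admin-token -n kube-system --output=jsonpath='{.data.ca\.crt}')
    # Token is decoded to its plain form, as the kubeconfig token field expects
    export OPSTELLA_ADMIN_TOKEN=$(kubectl get secret opstella-admin-token -n kube-system --output=jsonpath='{.data.token}' | base64 -d)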

To replace the existing access method with the long-lived access token, follow this extra step:

  1. Create a Kubernetes configuration file with the token from the Service Account you created

    Please change the Kubernetes API endpoint and file name accordingly.

    • 🟢 Management Kubernetes Cluster:

      $HOME/opstella-installation/kubeconfigs/management_cluster.yaml

    • 🟦 Non-Production Workload Kubernetes Cluster:

      $HOME/opstella-installation/kubeconfigs/nonprod_cluster.yaml

    • 🟥 Production Workload Kubernetes Cluster:

      $HOME/opstella-installation/kubeconfigs/prod_cluster.yaml

    # If your Kubernetes API endpoint does not need a port specified, you may need to remove it.
    export KUBERNETES_API_ENDPOINT="https://CHANGEME-TO-K8S-API-ENDPOINT:6443"
    cat << EOF > /CHANGEME/PATH/TO/your_cluster.yaml
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: ${OPSTELLA_ADMIN_CACERT}
        server: ${KUBERNETES_API_ENDPOINT}
      name: CHANGEME-YOUR-CLUSTER-NAME
    contexts:
    - context:
        cluster: CHANGEME-YOUR-CLUSTER-NAME
        user: default
      name: CHANGEME-YOUR-CLUSTER-NAME
    current-context: CHANGEME-YOUR-CLUSTER-NAME
    kind: Config
    preferences: {}
    users:
    - name: default
      user:
        token: ${OPSTELLA_ADMIN_TOKEN}
    EOF

Put your KUBECONFIG files into the following directory.

  • 🟢 Management Kubernetes Cluster:

    $HOME/opstella-installation/kubeconfigs/management_cluster.yaml

  • 🟦 Non-Production Workload Kubernetes Cluster:

    $HOME/opstella-installation/kubeconfigs/nonprod_cluster.yaml

  • 🟥 Production Workload Kubernetes Cluster:

    $HOME/opstella-installation/kubeconfigs/prod_cluster.yaml
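
Each kubeconfig written this way holds the opstella-admin bearer token, which is bound to cluster-admin, so anyone who can read the file can act as cluster-admin. The following check of the kubeconfigs directory is an added example, not part of the Opstella documentation; the function name `audit_kubeconfigs`, its `--fix` flag and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Opstella docs): audit kubeconfig files that
# embed a ServiceAccount bearer token. Function name, --fix flag and output
# labels are hypothetical; the default directory is the one used on this page.

# audit_kubeconfigs [DIR] [--fix]
#   PERM   file is accessible by group/others (counted as a finding)
#   FIXED  file mode was tightened to 600 (only with --fix)
#   TOKEN  file embeds a static bearer token (informational)
# Returns 0 when no PERM finding remains, 1 otherwise.
audit_kubeconfigs() {
    dir=${1:-"$HOME/opstella-installation/kubeconfigs"}
    fix=${2:-}
    findings=0
    for f in "$dir"/*.yaml; do
        [ -f "$f" ] || continue   # unmatched glob or non-regular file
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld -- "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            if [ "$fix" = "--fix" ] && chmod 600 -- "$f"; then
                echo "FIXED  $f: mode set to 600"
            else
                echo "PERM   $f: group/other access ($bits), expected mode 600"
                findings=$((findings + 1))
            fi
        fi
        # A non-empty "token:" value means the file itself is the credential.
        if grep -Eq '^[[:space:]]*token:[[:space:]]*[^[:space:]]' "$f"; then
            echo "TOKEN  $f: embeds a static bearer token"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage:
#   audit_kubeconfigs                     # report only
#   audit_kubeconfigs "$HOME/opstella-installation/kubeconfigs" --fix
```
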
