preparse v0.13.0
mozillazg committed Apr 24, 2023
1 parent 2e92e64 commit f63db3f
Showing 29 changed files with 1,582 additions and 0 deletions.
@@ -0,0 +1,7 @@
{
"label": "credential-plugin",
"position": 3,
"link": {
"type": "generated-index"
}
}
@@ -0,0 +1,66 @@
---
slug: get-credential
sidebar_position: 2
---

# get-credential

Get the ExecCredential certificate data used to access the API server.

It has the following features:

* Automatically obtains a new certificate before the certificate expires
* Supports using temporary certificate


## Usage

```shell
$ ack-ram-tool credential-plugin get-token --cluster-id <clusterId>

{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"spec": {
"interactive": false
},
"status": {
"expirationTimestamp": "2023-04-20T09:29:06Z",
"clientCertificateData": "-----BEGIN CERTIFICATE-----\nMIID***\n-----END CERTIFICATE-----\n",
"clientKeyData": "-----BEGIN RSA PRIVATE KEY-----\nMIIE***\n-----END RSA PRIVATE KEY-----\n"
}
}
```

## Flags

```
Usage:
ack-ram-tool credential-plugin get-credential [flags]
Flags:
--api-version string v1 or v1beta1 (default "v1beta1")
-c, --cluster-id string The cluster id to use
--credential-cache-dir string Directory to cache credential (default "~/.kube/cache/ack-ram-tool/credential-plugin")
--expiration duration The credential expiration (default 3h0m0s)
-h, --help help for get-credential
Global Flags:
-y, --assume-yes Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively
--ignore-aliyun-cli-credentials don't try to parse credentials from config.json of aliyun cli
--ignore-env-credentials don't try to parse credentials from environment variables
--log-level string log level: info, debug, error (default "info")
--profile-file string Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials)
--profile-name string using this named profile when parse credentials from config.json of aliyun cli
--region-id string The region to use (default "cn-hangzhou")
```


Descriptions:

| Flag | Default | Required | Description |
|------------------------|------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| -c, --cluster-id | | Yes | Cluster ID |
| --api-version | v1beta1 | | Specify which version of apiVersion to use in the returned data. `v1beta1` represents `client.authentication.k8s.io/v1beta1`, and `v1` represents `client.authentication.k8s.io/v1`. |
| --expiration | 3h0m0s | | Specify the certificate expiration time. When it is 0, it means not to use a temporary certificate but to use a longer valid certificate (the expiration time is automatically determined by the server). |
| --credential-cache-dir | `~/.kube/cache/ack-ram-tool/credential-plugin` | | Directory used to cache the certificate |
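Review bot: The example under Usage runs `ack-ram-tool credential-plugin get-token --cluster-id <clusterId>`, but this page documents `get-credential` and the sample output carries `clientCertificateData` and `clientKeyData`, so the command should read `get-credential`. Because that output includes a private key and `--credential-cache-dir` defaults to `~/.kube/cache/ack-ram-tool/credential-plugin`, the flag description should also state whether the key is cached there together with the certificate and what permissions the directory is expected to have. The `--expiration` row would benefit from saying how long the "longer valid certificate" selected by 0 can live, since readers choosing between the two need that to judge exposure.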
@@ -0,0 +1,66 @@
---
slug: /zh-CN/credential-plugin/get-credential
title: get-credential(中文)
sidebar_position: 2
---

# get-credential

获取用于访问 api server 的 ExecCredential 证书数据。

包含如下特性:

* 证书过期前将自动获取新的证书
* 支持使用临时证书


## 使用示例

```shell
$ ack-ram-tool credential-plugin get-token --cluster-id <clusterId>

{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"spec": {
"interactive": false
},
"status": {
"expirationTimestamp": "2023-04-20T09:29:06Z",
"clientCertificateData": "-----BEGIN CERTIFICATE-----\nMIID***\n-----END CERTIFICATE-----\n",
"clientKeyData": "-----BEGIN RSA PRIVATE KEY-----\nMIIE***\n-----END RSA PRIVATE KEY-----\n"
}
}
```

## 命令行参数

```
Usage:
ack-ram-tool credential-plugin get-credential [flags]
Flags:
--api-version string v1 or v1beta1 (default "v1beta1")
-c, --cluster-id string The cluster id to use
--credential-cache-dir string Directory to cache credential (default "~/.kube/cache/ack-ram-tool/credential-plugin")
--expiration duration The credential expiration (default 3h0m0s)
-h, --help help for get-credential
Global Flags:
-y, --assume-yes Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively
--ignore-aliyun-cli-credentials don't try to parse credentials from config.json of aliyun cli
--ignore-env-credentials don't try to parse credentials from environment variables
--log-level string log level: info, debug, error (default "info")
--profile-file string Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials)
--profile-name string using this named profile when parse credentials from config.json of aliyun cli
--region-id string The region to use (default "cn-hangzhou")
```

参数说明:

| 参数名称 | 默认值 | 必需参数 | 说明 |
|------------------|------------------------------------------------|------|---------------------------------------------------------------------------------------------------------------------------|
| -c, --cluster-id ||| 集群 ID |
| --api-version | v1beta1 || 指定返回的数据中使用哪个版本的 apiVersion。v1beta1 表示 `client.authentication.k8s.io/v1beta1`,v1 表示 `client.authentication.k8s.io/v1beta1` |
| --expiration | 3h0m0s || 指定证书过期时间。为 0 时表示不使用临时证书而是使用有效期更长的证书(过期时间由服务端自动确定) |
| --credential-cache-dir | `~/.kube/cache/ack-ram-tool/credential-plugin` || 用于缓存证书的目录 |
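Review bot: In the 参数说明 table the `--api-version` row maps both `v1beta1` and `v1` to `client.authentication.k8s.io/v1beta1`; the `v1` case should read `client.authentication.k8s.io/v1`, as on the English page. The same table leaves the required column for `-c, --cluster-id` empty (`|||`) where the English page says Yes, and the usage example repeats the `get-token` command although the page documents `get-credential`.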
@@ -0,0 +1,135 @@
---
slug: get-kubeconfig
sidebar_position: 1
---

# get-kubeconfig

获取使用 ack-ram-tool 作为 [credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) 的 kubeconfig。

包含如下特性:

* 证书过期前将自动获取新的证书
* 支持使用临时证书
* 集成 ack-ram-authenticator

## 使用示例

```shell
$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e***

kind: Config
apiVersion: v1
clusters:
- name: kubernetes
cluster:
server: https://106.*.*.*:6443
certificate-authority-data: LS0tL***
contexts:
- name: 272***-c5e***
context:
cluster: kubernetes
user: "272***"
current-context: 272***-c5e***
users:
- name: "272***"
user:
exec:
command: ack-ram-tool
args:
- credential-plugin
- get-credential
- --cluster-id
- c5e***
- --api-version
- v1beta1
- --expiration
- 3h
- --log-level
- error
apiVersion: client.authentication.k8s.io/v1beta1
provideClusterInfo: false
interactiveMode: Never
preferences: {}

$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e*** > kubeconfig
$ proxy_ack kubectl --kubeconfig kubeconfig get ns
NAME STATUS AGE
default Active 6d3h
kube-node-lease Active 6d3h
kube-public Active 6d3h
kube-system Active 6d3h

### --mode ram-authenticator-token

$ ack-ram-tool credential-plugin get-kubeconfig --mode ram-authenticator-token --cluster-id c5e***

kind: Config
apiVersion: v1
clusters:
- name: kubernetes
cluster:
server: https://106.*.*.*:6443
certificate-authority-data: LS0t***
contexts:
- name: 272***-c5e***
context:
cluster: kubernetes
user: "272***"
current-context: 272***-c5e***
users:
- name: "272***"
user:
exec:
command: ack-ram-tool
args:
- credential-plugin
- get-token
- --cluster-id
- c5e***
- --api-version
- v1beta1
- --log-level
- error
apiVersion: client.authentication.k8s.io/v1beta1
provideClusterInfo: false
interactiveMode: Never
preferences: {}

```

## 命令行参数

```
Usage:
ack-ram-tool credential-plugin get-kubeconfig [flags]
Flags:
--api-version string v1 or v1beta1 (default "v1beta1")
-c, --cluster-id string The cluster id to use
--credential-cache-dir string Directory to cache certificate (default "~/.kube/cache/ack-ram-tool/credential-plugin")
--expiration duration The certificate expiration (default 3h0m0s)
-h, --help help for get-kubeconfig
-m, --mode string credential mode: certificate or ram-authenticator-token (default "certificate")
--private-address Use private ip as api-server address
Global Flags:
-y, --assume-yes Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively
--ignore-aliyun-cli-credentials don't try to parse credentials from config.json of aliyun cli
--ignore-env-credentials don't try to parse credentials from environment variables
--log-level string log level: info, debug, error (default "info")
--profile-file string Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials)
--profile-name string using this named profile when parse credentials from config.json of aliyun cli
--region-id string The region to use (default "cn-hangzhou")
```

Descriptions:

| Flag | Default | Required | Description |
|------------------------|------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| -c, --cluster-id | | Yes | Cluster ID |
| -m, --mode | certificate | | Authentication methods in kubeconfig: `certificate` indicates certificate authentication, and `ram-authenticator-token` indicates token authentication based on ack-ram-authenticator |
| --expiration | 3h | | When --mode is set to `certificate`, set the certificate expiration time through this parameter. When it is 0, it means not to use a temporary certificate but to use a longer valid certificate (the expiration time is automatically determined by the server). |
| --private-address | false | | Whether to use the intranet API server address? |
| --api-version | v1beta1 | | Specify which version of apiVersion to use in the returned data. `v1beta1` represents `client.authentication.k8s.io/v1beta1`, and `v1` represents `client.authentication.k8s.io/v1`. |
| --credential-cache-dir | `~/.kube/cache/ack-ram-tool/credential-plugin` | | The directory used to cache the certificate is only valid when `--mode` is set to `certificate` |
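Review bot: The `shell` fence opened under 使用示例 is not closed before `### --mode ram-authenticator-token`, so that heading and the second example render as literal text inside the first code block; close the fence after the `get ns` output and open a new one after the heading. This file has slug `get-kubeconfig` with no `/zh-CN/` prefix, yet its intro and section headings are in Chinese while the Descriptions table is in English, so the translation looks half finished. `proxy_ack kubectl` in the example is not explained anywhere on the page; use plain `kubectl` or say what the wrapper is. The `--expiration` default is shown as `3h` in the table but `3h0m0s` in the flag listing, which should be made consistent.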
