Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 29 changed files with 1,582 additions and 0 deletions.
7 changes: 7 additions & 0 deletions
website/versioned_docs/version-v0.13.0/credential-plugin/_category_.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
{ | ||
"label": "credential-plugin", | ||
"position": 3, | ||
"link": { | ||
"type": "generated-index" | ||
} | ||
} |
66 changes: 66 additions & 0 deletions
website/versioned_docs/version-v0.13.0/credential-plugin/get-credential.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
--- | ||
slug: get-credential | ||
sidebar_position: 2 | ||
--- | ||
|
||
# get-credential | ||
|
||
Get the ExecCredential certificate data used to access the API server. | ||
|
||
It has the following features: | ||
|
||
* Automatically obtains a new certificate before the certificate expires | ||
* Supports using temporary certificate | ||
|
||
|
||
## Usage | ||
|
||
```shell | ||
$ ack-ram-tool credential-plugin get-token --cluster-id <clusterId> | ||
|
||
{ | ||
"kind": "ExecCredential", | ||
"apiVersion": "client.authentication.k8s.io/v1beta1", | ||
"spec": { | ||
"interactive": false | ||
}, | ||
"status": { | ||
"expirationTimestamp": "2023-04-20T09:29:06Z", | ||
"clientCertificateData": "-----BEGIN CERTIFICATE-----\nMIID***\n-----END CERTIFICATE-----\n", | ||
"clientKeyData": "-----BEGIN RSA PRIVATE KEY-----\nMIIE***\n-----END RSA PRIVATE KEY-----\n" | ||
} | ||
} | ||
``` | ||
|
||
## Flags | ||
|
||
``` | ||
Usage: | ||
ack-ram-tool credential-plugin get-credential [flags] | ||
Flags: | ||
--api-version string v1 or v1beta1 (default "v1beta1") | ||
-c, --cluster-id string The cluster id to use | ||
--credential-cache-dir string Directory to cache credential (default "~/.kube/cache/ack-ram-tool/credential-plugin") | ||
--expiration duration The credential expiration (default 3h0m0s) | ||
-h, --help help for get-credential | ||
Global Flags: | ||
-y, --assume-yes Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively | ||
--ignore-aliyun-cli-credentials don't try to parse credentials from config.json of aliyun cli | ||
--ignore-env-credentials don't try to parse credentials from environment variables | ||
--log-level string log level: info, debug, error (default "info") | ||
--profile-file string Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials) | ||
--profile-name string using this named profile when parse credentials from config.json of aliyun cli | ||
--region-id string The region to use (default "cn-hangzhou") | ||
``` | ||
|
||
|
||
Descriptions: | ||
|
||
| Flag | Default | Required | Description | | ||
|------------------------|------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| -c, --cluster-id | | Yes | Cluster ID | | ||
| --api-version | v1beta1 | | Specify which version of apiVersion to use in the returned data. `v1beta1` represents `client.authentication.k8s.io/v1beta1`, and `v1` represents `client.authentication.k8s.io/v1`. | | ||
| --expiration | 3h0m0s | | Specify the certificate expiration time. When it is 0, it means not to use a temporary certificate but to use a longer valid certificate (the expiration time is automatically determined by the server). | | ||
| --credential-cache-dir | `~/.kube/cache/ack-ram-tool/credential-plugin` | | Directory used to cache the certificate | |
66 changes: 66 additions & 0 deletions
website/versioned_docs/version-v0.13.0/credential-plugin/get-credential.zh-CN.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
--- | ||
slug: /zh-CN/credential-plugin/get-credential | ||
title: get-credential(中文) | ||
sidebar_position: 2 | ||
--- | ||
|
||
# get-credential | ||
|
||
获取用于访问 api server 的 ExecCredential 证书数据。 | ||
|
||
包含如下特性: | ||
|
||
* 证书过期前将自动获取新的证书 | ||
* 支持使用临时证书 | ||
|
||
|
||
## 使用示例 | ||
|
||
```shell | ||
$ ack-ram-tool credential-plugin get-token --cluster-id <clusterId> | ||
|
||
{ | ||
"kind": "ExecCredential", | ||
"apiVersion": "client.authentication.k8s.io/v1beta1", | ||
"spec": { | ||
"interactive": false | ||
}, | ||
"status": { | ||
"expirationTimestamp": "2023-04-20T09:29:06Z", | ||
"clientCertificateData": "-----BEGIN CERTIFICATE-----\nMIID***\n-----END CERTIFICATE-----\n", | ||
"clientKeyData": "-----BEGIN RSA PRIVATE KEY-----\nMIIE***\n-----END RSA PRIVATE KEY-----\n" | ||
} | ||
} | ||
``` | ||
|
||
## 命令行参数 | ||
|
||
``` | ||
Usage: | ||
ack-ram-tool credential-plugin get-credential [flags] | ||
Flags: | ||
--api-version string v1 or v1beta1 (default "v1beta1") | ||
-c, --cluster-id string The cluster id to use | ||
--credential-cache-dir string Directory to cache credential (default "~/.kube/cache/ack-ram-tool/credential-plugin") | ||
--expiration duration The credential expiration (default 3h0m0s) | ||
-h, --help help for get-credential | ||
Global Flags: | ||
-y, --assume-yes Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively | ||
--ignore-aliyun-cli-credentials don't try to parse credentials from config.json of aliyun cli | ||
--ignore-env-credentials don't try to parse credentials from environment variables | ||
--log-level string log level: info, debug, error (default "info") | ||
--profile-file string Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials) | ||
--profile-name string using this named profile when parse credentials from config.json of aliyun cli | ||
--region-id string The region to use (default "cn-hangzhou") | ||
``` | ||
|
||
参数说明: | ||
|
||
| 参数名称 | 默认值 | 必需参数 | 说明 | | ||
|------------------|------------------------------------------------|------|---------------------------------------------------------------------------------------------------------------------------| | ||
| -c, --cluster-id | 无 | 是 | 集群 ID | | ||
| --api-version | v1beta1 | 否 | 指定返回的数据中使用哪个版本的 apiVersion。v1beta1 表示 `client.authentication.k8s.io/v1beta1`,v1 表示 `client.authentication.k8s.io/v1beta1` | | ||
| --expiration | 3h0m0s | 否 | 指定证书过期时间。为 0 时表示不使用临时证书而是使用有效期更长的证书(过期时间由服务端自动确定) | | ||
| --credential-cache-dir | `~/.kube/cache/ack-ram-tool/credential-plugin` | 否 | 用于缓存证书的目录 | |
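Review bot: In the 参数说明 table, the `--api-version` row maps both values to `client.authentication.k8s.io/v1beta1`; the `v1` value should map to `client.authentication.k8s.io/v1`, as the English `get-credential.md` table does. The 使用示例 block also runs `get-token` instead of `get-credential`, although the output shown is certificate and key data, so the same command-name fix applies here.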
135 changes: 135 additions & 0 deletions
website/versioned_docs/version-v0.13.0/credential-plugin/get-kubeconfig.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,135 @@ | ||
--- | ||
slug: get-kubeconfig | ||
sidebar_position: 1 | ||
--- | ||
|
||
# get-kubeconfig | ||
|
||
获取使用 ack-ram-tool 作为 [credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) 的 kubeconfig。 | ||
|
||
包含如下特性: | ||
|
||
* 证书过期前将自动获取新的证书 | ||
* 支持使用临时证书 | ||
* 集成 ack-ram-authenticator | ||
|
||
## 使用示例 | ||
|
||
```shell | ||
$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e*** | ||
|
||
kind: Config | ||
apiVersion: v1 | ||
clusters: | ||
- name: kubernetes | ||
cluster: | ||
server: https://106.*.*.*:6443 | ||
certificate-authority-data: LS0tL*** | ||
contexts: | ||
- name: 272***-c5e*** | ||
context: | ||
cluster: kubernetes | ||
user: "272***" | ||
current-context: 272***-c5e*** | ||
users: | ||
- name: "272***" | ||
user: | ||
exec: | ||
command: ack-ram-tool | ||
args: | ||
- credential-plugin | ||
- get-credential | ||
- --cluster-id | ||
- c5e*** | ||
- --api-version | ||
- v1beta1 | ||
- --expiration | ||
- 3h | ||
- --log-level | ||
- error | ||
apiVersion: client.authentication.k8s.io/v1beta1 | ||
provideClusterInfo: false | ||
interactiveMode: Never | ||
preferences: {} | ||
|
||
$ ack-ram-tool credential-plugin get-kubeconfig --cluster-id c5e*** > kubeconfig | ||
$ proxy_ack kubectl --kubeconfig kubeconfig get ns | ||
NAME STATUS AGE | ||
default Active 6d3h | ||
kube-node-lease Active 6d3h | ||
kube-public Active 6d3h | ||
kube-system Active 6d3h | ||
|
||
### --mode ram-authenticator-token | ||
|
||
$ ack-ram-tool credential-plugin get-kubeconfig --mode ram-authenticator-token --cluster-id c5e*** | ||
|
||
kind: Config | ||
apiVersion: v1 | ||
clusters: | ||
- name: kubernetes | ||
cluster: | ||
server: https://106.*.*.*:6443 | ||
certificate-authority-data: LS0t*** | ||
contexts: | ||
- name: 272***-c5e*** | ||
context: | ||
cluster: kubernetes | ||
user: "272***" | ||
current-context: 272***-c5e*** | ||
users: | ||
- name: "272***" | ||
user: | ||
exec: | ||
command: ack-ram-tool | ||
args: | ||
- credential-plugin | ||
- get-token | ||
- --cluster-id | ||
- c5e*** | ||
- --api-version | ||
- v1beta1 | ||
- --log-level | ||
- error | ||
apiVersion: client.authentication.k8s.io/v1beta1 | ||
provideClusterInfo: false | ||
interactiveMode: Never | ||
preferences: {} | ||
|
||
``` | ||
|
||
## 命令行参数 | ||
|
||
``` | ||
Usage: | ||
ack-ram-tool credential-plugin get-kubeconfig [flags] | ||
Flags: | ||
--api-version string v1 or v1beta1 (default "v1beta1") | ||
-c, --cluster-id string The cluster id to use | ||
--credential-cache-dir string Directory to cache certificate (default "~/.kube/cache/ack-ram-tool/credential-plugin") | ||
--expiration duration The certificate expiration (default 3h0m0s) | ||
-h, --help help for get-kubeconfig | ||
-m, --mode string credential mode: certificate or ram-authenticator-token (default "certificate") | ||
--private-address Use private ip as api-server address | ||
Global Flags: | ||
-y, --assume-yes Automatic yes to prompts; assume "yes" as answer to all prompts and run non-interactively | ||
--ignore-aliyun-cli-credentials don't try to parse credentials from config.json of aliyun cli | ||
--ignore-env-credentials don't try to parse credentials from environment variables | ||
--log-level string log level: info, debug, error (default "info") | ||
--profile-file string Path to credential file (default: ~/.aliyun/config.json or ~/.alibabacloud/credentials) | ||
--profile-name string using this named profile when parse credentials from config.json of aliyun cli | ||
--region-id string The region to use (default "cn-hangzhou") | ||
``` | ||
|
||
Descriptions: | ||
|
||
| Flag | Default | Required | Description | | ||
|------------------------|------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| -c, --cluster-id | | Yes | Cluster ID | | ||
| -m, --mode | certificate | | Authentication methods in kubeconfig: `certificate` indicates certificate authentication, and `ram-authenticator-token` indicates token authentication based on ack-ram-authenticator | | ||
| --expiration | 3h | | When --mode is set to `certificate`, set the certificate expiration time through this parameter. When it is 0, it means not to use a temporary certificate but to use a longer valid certificate (the expiration time is automatically determined by the server). | | ||
| --private-address | false | | Whether to use the intranet API server address? | | ||
| --api-version | v1beta1 | | Specify which version of apiVersion to use in the returned data. `v1beta1` represents `client.authentication.k8s.io/v1beta1`, and `v1` represents `client.authentication.k8s.io/v1`. | | ||
| --credential-cache-dir | `~/.kube/cache/ack-ram-tool/credential-plugin` | | The directory used to cache the certificate is only valid when `--mode` is set to `certificate` | |
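Review bot: The shell code fence opened before the first `get-kubeconfig` example is not closed until after the second kubeconfig, so `### --mode ram-authenticator-token` sits inside the code block and will render as literal text instead of a heading; close the fence after the `kubectl ... get ns` output and open a new one for the second example. This file has no `.zh-CN` suffix, yet its intro, feature list and the `## 使用示例` and `## 命令行参数` headings are in Chinese while the Descriptions table is in English, so the English page still needs its prose translated. `proxy_ack kubectl` in the example is a wrapper the page never explains; either use plain `kubectl` or say what `proxy_ack` is.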