
CLI: Prepare the Management Cluster

These pages refer to DKP Enterprise and DKP Gov Advanced products.

Identify the Management Cluster Endpoint

Execute the following commands on the Management cluster to obtain the hostname and CA certificate:

CODE
hostname=$(kubectl get service -n kommander kommander-traefik -o go-template='{{with index .status.loadBalancer.ingress 0}}{{or .hostname .ip}}{{end}}')
b64ca_cert=$(kubectl get secret -n cert-manager kommander-ca -o=go-template='{{index .data "tls.crt"}}')
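
Both values are written into gateway.yaml later on this page, so it is worth checking them first. The following pre-flight check is an added example, not part of the DKP documentation; the function names check_tunnel_inputs and show_ca_details are hypothetical, and show_ca_details assumes openssl is installed.

```shell
# Added example (not from the DKP docs): sanity-check the captured values
# before they are templated into the Secret and TunnelGateway manifests.

# check_tunnel_inputs HOSTNAME B64_CA_CERT -> 0 if both look usable, 1 otherwise
check_tunnel_inputs() {
  host=$1
  b64=$2

  # An unprovisioned load balancer or a failed template leaves this empty
  # or filled with text that is not a hostname or IP address.
  case $host in
    ''|*[!A-Za-z0-9.:-]*)
      echo "hostname is empty or not a valid hostname/IP: '$host'" >&2
      return 1 ;;
  esac

  # The Secret's data field needs valid base64.
  decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || {
    echo "b64ca_cert is not valid base64" >&2
    return 1
  }

  # Only the public certificate belongs in the gateway Secret; reject
  # input that carries private key material.
  case $decoded in
    *'PRIVATE KEY'*)
      echo "b64ca_cert contains private key material" >&2
      return 1 ;;
  esac

  case $decoded in
    *'-----BEGIN CERTIFICATE-----'*'-----END CERTIFICATE-----'*) return 0 ;;
    *)
      echo "b64ca_cert does not decode to a PEM certificate" >&2
      return 1 ;;
  esac
}

# Optional, needs openssl: print subject, expiry and SHA-256 fingerprint
show_ca_details() {
  printf '%s' "$1" | base64 -d | openssl x509 -noout -subject -enddate -fingerprint -sha256
}
```

Call it as check_tunnel_inputs "$hostname" "$b64ca_cert" before running kubectl apply -f gateway.yaml. Record the fingerprint printed by show_ca_details "$b64ca_cert" so it can be compared with the CA presented on the gateway endpoint.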

Specify a Workspace Namespace

Obtain the desired workspace namespace on the Management cluster for the tunnel gateway:

CODE
namespace=$(kubectl get workspace default-workspace -o jsonpath="{.status.namespaceRef.name}")

Alternatively, you can create a new workspace instead of using an existing one. Run the following command, replacing <workspace_name> with the new workspace name:

CODE
workspace=<workspace_name>

Finish creating the workspace:

CODE
namespace=${workspace}

cat > workspace.yaml <<EOF
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: Workspace
metadata:
  annotations:
    kommander.mesosphere.io/display-name: ${workspace}
  name: ${workspace}
spec:
  namespaceName: ${namespace}
EOF

kubectl apply -f workspace.yaml

You can verify the workspace exists using:

CODE
kubectl get workspace ${workspace}

Create a Tunnel Gateway

Create a tunnel gateway on the Management cluster to listen for tunnel agents on remote clusters:

Kommander uses Traefik 2 ingress, which requires the strip-prefix middleware to be defined explicitly as a Kubernetes API object, as opposed to a simple annotation. Kommander provides default middleware that supports creating tunnels only on the /dkp/tunnel URL prefix. This is indicated by the extra annotation traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-kubetunnel@kubernetescrd, as shown in the code sample that follows. If you want to expose a tunnel on a different URL prefix, you must manage your own middleware configuration.

Establish variables for the certificate secret and gateway. Replace the <gateway_name> placeholder with the name of the gateway:

CODE
cacert_secret=kubetunnel-ca
gateway=<gateway_name>

Create the Secret and TunnelGateway objects:

CODE
cat > gateway.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: ${namespace}
  name: ${cacert_secret}
data:
  ca.crt:
    ${b64ca_cert}
---
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelGateway
metadata:
  namespace: ${namespace}
  name: ${gateway}
spec:
  ingress:
    caSecretRef:
      namespace: ${namespace}
      name: ${cacert_secret}
    loadBalancer:
      hostname: ${hostname}
    urlPathPrefix: /dkp/tunnel
    extraAnnotations:
      kubernetes.io/ingress.class: kommander-traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-kubetunnel@kubernetescrd
EOF

kubectl apply -f gateway.yaml

You can verify the gateway exists using the command:

CODE
kubectl get tunnelgateway -n ${namespace} ${gateway}

Next Step:

CLI: Create and Configure the Tunnel
