CLI: Prepare the Management Cluster
Identify the Management Cluster Endpoint
Execute the following command on the Management cluster to obtain the hostname and CA certificate:
hostname=$(kubectl get service -n kommander kommander-traefik -o go-template='{{with index .status.loadBalancer.ingress 0}}{{or .hostname .ip}}{{end}}')
b64ca_cert=$(kubectl get secret -n cert-manager kommander-ca -o=go-template='{{index .data "tls.crt"}}')
Specify a Workspace Namespace
Obtain the desired workspace namespace on the Management cluster for the tunnel gateway:
namespace=$(kubectl get workspace default-workspace -o jsonpath="{.status.namespaceRef.name}")
Alternatively, you can create a new workspace instead of using an existing workspace:
Run the following command, and replace the <workspace_name> placeholder with the new workspace name:
workspace=<workspace_name>
Finish creating the workspace:
namespace=${workspace}
cat > workspace.yaml <<EOF
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: Workspace
metadata:
  annotations:
    kommander.mesosphere.io/display-name: ${workspace}
  name: ${workspace}
spec:
  namespaceName: ${namespace}
EOF
kubectl apply -f workspace.yaml
You can verify the workspace exists using:
kubectl get workspace ${workspace}
Create a Tunnel Gateway
Create a tunnel gateway on the Management cluster to listen for tunnel agents on remote clusters.
Kommander uses Traefik 2 ingress, which requires the strip-prefix middleware to be defined explicitly as a Kubernetes API object, as opposed to a simple annotation. Kommander provides a default middleware that supports creating tunnels only on the /dkp/tunnel URL prefix. This is selected with the extra annotation traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-kubetunnel@kubernetescrd, as shown in the code sample that follows. If you want to expose a tunnel on a different URL prefix, you must manage your own middleware configuration.
Establish variables for the certificate secret and gateway. Replace the <gateway_name> placeholder with the name of the gateway:
cacert_secret=kubetunnel-ca
gateway=<gateway_name>
Create the Secret and TunnelGateway objects:
cat > gateway.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: ${namespace}
  name: ${cacert_secret}
data:
  ca.crt: ${b64ca_cert}
---
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelGateway
metadata:
  namespace: ${namespace}
  name: ${gateway}
spec:
  ingress:
    caSecretRef:
      namespace: ${namespace}
      name: ${cacert_secret}
    loadBalancer:
      hostname: ${hostname}
    urlPathPrefix: /dkp/tunnel
    extraAnnotations:
      kubernetes.io/ingress.class: kommander-traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-kubetunnel@kubernetescrd
EOF
kubectl apply -f gateway.yaml
You can verify the gateway exists using the command:
kubectl get tunnelgateway -n ${namespace} ${gateway}
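The heredoc above silently renders a broken or misleading gateway.yaml if any of the shell variables is empty, still holds an unreplaced placeholder, or does not contain what it should. The following pre-flight check is an added example, not part of the Kommander documentation; it assumes the variable names used on this page (hostname, b64ca_cert, namespace, gateway) and uses a constructed CA value in place of the real kommander-ca secret.

```shell
#!/bin/sh
# Added pre-flight check (not Kommander's own tooling): validates the shell variables
# gathered in the steps above before gateway.yaml is rendered and applied.
# Return codes: 1 empty value, 2 unreplaced <placeholder>, 3 CA value is not a PEM
# certificate, 4 namespace/gateway is not a DNS-1123 name, 5 prefix unsupported by the
# default kommander-stripprefixes-kubetunnel middleware.
preflight_tunnel_vars() {
  host_v="$1"; b64ca_v="$2"; ns_v="$3"; gw_v="$4"; prefix_v="$5"

  # An empty hostname usually means the kommander-traefik LoadBalancer has no ingress
  # address yet; an empty CA means the kommander-ca secret lookup returned nothing.
  for v in "$host_v" "$b64ca_v" "$ns_v" "$gw_v" "$prefix_v"; do
    [ -n "$v" ] || return 1
  done

  # Catch placeholders such as <gateway_name> that were never replaced.
  for v in "$host_v" "$ns_v" "$gw_v" "$prefix_v"; do
    case "$v" in *'<'*'>'*) return 2 ;; esac
  done

  # The Secret data field is base64; it must decode to a PEM certificate so the tunnel
  # agents end up pinning the real Kommander CA rather than an arbitrary blob.
  printf '%s' "$b64ca_v" | base64 -d 2>/dev/null | grep -q -- '-----BEGIN CERTIFICATE-----' || return 3

  # Namespace and gateway names land in metadata.name: DNS-1123 labels only.
  for n in "$ns_v" "$gw_v"; do
    [ ${#n} -le 63 ] || return 4
    printf '%s\n' "$n" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' || return 4
  done

  # Kommander's bundled strip-prefix middleware only handles /dkp/tunnel; any other
  # prefix requires your own Traefik Middleware object.
  [ "$prefix_v" = "/dkp/tunnel" ] || return 5
  return 0
}

# Constructed sample standing in for ${b64ca_cert}; this is not a real certificate.
sample_b64ca=$(printf -- '-----BEGIN CERTIFICATE-----\nMIIBc29tZSBjb25zdHJ1Y3RlZCBib2R5\n-----END CERTIFICATE-----\n' | base64 | tr -d '\n')

# Example usage; on the Management cluster pass "$hostname" "$b64ca_cert" "$namespace" "$gateway" instead.
rc=0
preflight_tunnel_vars "kommander.example.com" "$sample_b64ca" "kommander-default" "my-gateway" "/dkp/tunnel" || rc=$?
if [ "$rc" -eq 0 ]; then
  echo "pre-flight OK: safe to render and apply gateway.yaml"
else
  echo "pre-flight failed with code $rc; do not apply gateway.yaml" >&2
fi
```

Run it after the variables are set and before the cat > gateway.yaml step; a non-zero code points at which value to fix.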