This KB explains how to get the admin Kubeconfig with the TMC API.
Developer Portal - Tanzu Mission Control - Admin Kubeconfig Service
Tanzu Mission Control API
1. Check TMC API
Follow Accessing the Tanzu Mission Control (TMC) API
TMC_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
TMC_ACCESS_TOKEN=$(curl -d "refresh_token=${TMC_API_TOKEN}" https://console.tanzu.broadcom.com/csp/gateway/am/api/auth/api-tokens/authorize | jq -r '.access_token')
TMC_ENDPOINT=<YOUR_ORG_NAME>.tmc.tanzu.broadcom.com
MANAGEMENT_CLUSTER=<MANAGEMENT_CLUSTER_NAME_IN_TMC>
# Check if the TMC_ACCESS_TOKEN is working
curl -Ss https://${TMC_ENDPOINT}/v1alpha1/managementclusters/${MANAGEMENT_CLUSTER}/provisioners -H "Authorization: Bearer ${TMC_ACCESS_TOKEN}" | jq -r .provisioners
2. Generate an RSA key pair
openssl genrsa -out private-key.pem 4096
openssl rsa -in private-key.pem -RSAPublicKey_out -out public-key.pem
PUBLIC_KEY=$(cat public-key.pem | base64 -w0)
# Use UTC (-u): the trailing Z marks the timestamp as UTC
TIMESTAMP=$(date -u "+%Y-%m-%dT%H:%M:%SZ")
3. Get the target Workload Cluster kubeconfig binary
PROVISIONER=default # Select your Provisioner
CLUSTER_NAME=<WORKLOAD_CLUSTER_NAME_in_TMC>
# Get a kubeconfig binary
curl -Ss "https://${TMC_ENDPOINT}/v1alpha1/clusters/${CLUSTER_NAME}/adminkubeconfig?fullName.managementClusterName=${MANAGEMENT_CLUSTER}&fullName.provisionerName=${PROVISIONER}&encryptionKey.PublicKeyPem=${PUBLIC_KEY}&encryptionKey.timestamp=${TIMESTAMP}" -H 'accept: application/json' -H "authorization: Bearer ${TMC_ACCESS_TOKEN}" -H 'content-type: application/json' | jq -r .kubeconfig | base64 -d > kubeconfig.bin
4. Decrypt the kubeconfig binary
# Decrypt the binary to a kubeconfig
gpg --output decrypted_kubeconfig --decrypt kubeconfig.bin
# Check
kubectl get nodes --kubeconfig decrypted_kubeconfig

To retrieve the admin kubeconfig, the CLI is recommended: it is easy to use because it handles the key generation and data decryption process. When using the API, you must generate the key pair and decrypt the data yourself, as shown in this KB.
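
The file handling around steps 2 to 4, as an added example that is not part of the original KB: the private key, the encrypted blob and the admin kubeconfig stay in a directory only the current user can read, and the key material is removed once it is no longer needed. The function names and the tmc-kubeconfig directory prefix are assumptions made for this example, as is using the key pair for a single request.

```shell
#!/bin/sh
# Added example, not from the KB. Function names and the directory prefix are
# assumptions; file names match the ones used in steps 2 to 4.

# make_workdir: print the path of a new directory with mode 0700.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/tmc-kubeconfig.XXXXXX"
}

# is_private PATH: succeed only if PATH exists and grants nothing to group/other.
is_private() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# utc_timestamp: the step 2 format, forced to UTC so the trailing "Z" is accurate.
utc_timestamp() {
    date -u "+%Y-%m-%dT%H:%M:%SZ"
}

# generate_keys DIR [BITS]: step 2 run inside DIR; prints the base64 public key.
# The ( ) body is a subshell, so umask and cd do not leak into the caller.
generate_keys() (
    umask 077
    cd "$1" || exit 1
    openssl genrsa -out private-key.pem "${2:-4096}" 2>/dev/null || exit 1
    openssl rsa -in private-key.pem -RSAPublicKey_out -out public-key.pem 2>/dev/null || exit 1
    is_private private-key.pem || exit 1
    base64 < public-key.pem | tr -d '\n'    # portable equivalent of base64 -w0
)

# cleanup_keys DIR: remove the key pair and encrypted blob, keep the kubeconfig.
cleanup_keys() {
    rm -f -- "$1/private-key.pem" "$1/public-key.pem" "$1/kubeconfig.bin"
}

# Typical use (commented out because steps 3 and 4 need TMC access):
#   WORKDIR=$(make_workdir) && trap 'cleanup_keys "$WORKDIR"' EXIT
#   PUBLIC_KEY=$(generate_keys "$WORKDIR") && TIMESTAMP=$(utc_timestamp)
#   (umask 077; cd "$WORKDIR" && ...step 3 and step 4 commands...)
#   is_private "$WORKDIR/decrypted_kubeconfig" || echo "kubeconfig readable by others" >&2
```

The decrypted kubeconfig is an admin credential, so the final is_private check is worth keeping even when the commands are run by hand.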