Generate Non-Expiring Token in TKG cluster

Article ID: 423015

Products

VMware vSphere Kubernetes Service

Issue/Introduction

An application may sometimes require a non-expiring token in ~/.kube/config.
This article explains how to generate a non-expiring token.

Environment

VMware Supervisor 8.x
Kubernetes version 1.24 and later

Cause

The default kubeconfig file in a VMware vSphere with Tanzu Kubernetes Guest Cluster contains a token which expires after ten hours.

Resolution

Create a non-expiring token with the following steps:

  1. Generate an administrator service account and create a cluster role binding.
    kubectl create serviceaccount <account name> -n kube-system
    kubectl create clusterrolebinding <role binding name> --serviceaccount=kube-system:<account name> --clusterrole=cluster-admin
  2. Manually create the authentication token for the administrator service account.
    Create a YAML file that defines a token Secret for the service account:
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: <account name>
      namespace: kube-system
      annotations:
        kubernetes.io/service-account.name: "<account name>"
    Use the following command to create the authentication token for the service account.
    kubectl apply -f <file name created above>.yaml
  3. Obtain the authentication token for the administrator service account and the cluster certificate authority.
    SECRET=$(kubectl get secrets <account name> -n kube-system -ojsonpath='{.metadata.name}')
    TOKEN=$(kubectl get secret $SECRET -n kube-system -ojsonpath='{.data.token}' | base64 -d)
    kubectl get secrets $SECRET -n kube-system -o jsonpath='{.data.ca\.crt}' | base64 -d > ./ca.crt
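  4. Compose a new kubeconfig file using the newly created service account. $CLUSTER, $URL and $CONTEXT are not set by the earlier steps; the first three commands below take them from the current context of the existing kubeconfig (an assumption; substitute your own values if they differ).
    CONTEXT=$(kubectl config current-context)
    CLUSTER=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
    URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    TO_BE_CREATED_KUBECONFIG_FILE="<file-name>"
    kubectl config --kubeconfig="$TO_BE_CREATED_KUBECONFIG_FILE" set-cluster "$CLUSTER" --server="$URL" --certificate-authority=./ca.crt --embed-certs=true
    kubectl config --kubeconfig="$TO_BE_CREATED_KUBECONFIG_FILE" set-credentials <account name> --token="$TOKEN"
    kubectl config --kubeconfig="$TO_BE_CREATED_KUBECONFIG_FILE" set-context "$CONTEXT" --cluster="$CLUSTER" --user=<account name>
    kubectl config --kubeconfig="$TO_BE_CREATED_KUBECONFIG_FILE" use-context "$CONTEXT"
  5. Delete ca.crt, which is a temporary file created during the generation of the new kubeconfig file.
  6. Use the newly generated kubeconfig file.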
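
A way to confirm what the token from step 3 actually asserts before the kubeconfig is handed out, as an added example that is not part of the original article: service account tokens are JWTs, so the payload can be decoded locally to check that it carries no "exp" claim and names the intended account. The function names, the "demo-admin" account and both sample payloads are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): inspect the claims of a
# service account token before distributing the kubeconfig that embeds it.

# Decode one base64url segment of a JWT; base64url drops the '=' padding.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the JSON payload (second of three dot-separated segments).
jwt_payload() {
    case "$1" in *.*.*) ;; *) return 1 ;; esac
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print the numeric "exp" claim, or "none" if the token carries no expiry.
jwt_expiry() {
    json=$(jwt_payload "$1") || return 1
    exp=$(printf '%s' "$json" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${exp:-none}"
}

# Print the "sub" claim: system:serviceaccount:<namespace>:<account name>.
jwt_subject() {
    json=$(jwt_payload "$1") || return 1
    printf '%s' "$json" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Constructed sample input: wrap a JSON payload in an unsigned, JWT-shaped
# string (placeholder header and signature) so the script runs offline.
make_token() {
    body=$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
    printf 'e30.%s.c2ln\n' "$body"
}

# "demo-admin" is a hypothetical account name; both payloads are constructed.
SUB='system:serviceaccount:kube-system:demo-admin'
SECRET_BASED=$(make_token "{\"iss\":\"kubernetes/serviceaccount\",\"sub\":\"$SUB\"}")
TIME_BOUND=$(make_token "{\"exp\":1700036000,\"iss\":\"https://kubernetes.default.svc\",\"sub\":\"$SUB\"}")

echo "secret-based token: exp=$(jwt_expiry "$SECRET_BASED") sub=$(jwt_subject "$SECRET_BASED")"
echo "time-bound token:   exp=$(jwt_expiry "$TIME_BOUND") sub=$(jwt_subject "$TIME_BOUND")"
```

With the variables from step 3 still set, `jwt_expiry "$TOKEN"` should print `none` and `jwt_subject "$TOKEN"` should name the service account created in step 1.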

Additional Information

Generate a TKG Cluster on Supervisor Configuration File with a Non-Expiring Token