
CLI: Prepare the Management Cluster

Identify the Management Cluster Endpoint

Execute the following command on the Management cluster to obtain the hostname and CA certificate:

CODE
hostname=$(kubectl get service -n kommander kommander-traefik -o go-template='{{with index .status.loadBalancer.ingress 0}}{{or .hostname .ip}}{{end}}')
b64ca_cert=$(kubectl get secret -n cert-manager kommander-ca -o=go-template='{{index .data "tls.crt"}}')

Specify a Workspace Namespace

Obtain the desired workspace namespace on the Management cluster for the tunnel gateway:

CODE
namespace=$(kubectl get workspace default-workspace -o jsonpath="{.status.namespaceRef.name}")

Alternatively, you can create a new workspace instead of using an existing one.
Run the following command, replacing <workspace_name> with the new workspace name:

CODE
workspace=<workspace_name>

Finish creating the workspace:

CODE
namespace=${workspace}

cat > workspace.yaml <<EOF
apiVersion: workspaces.kommander.mesosphere.io/v1alpha1
kind: Workspace
metadata:
  annotations:
    kommander.mesosphere.io/display-name: ${workspace}
  name: ${workspace}
spec:
  namespaceName: ${namespace}
EOF

kubectl apply -f workspace.yaml

You can verify the workspace exists using:

CODE
kubectl get workspace ${workspace}

Create a Tunnel Gateway

Create a tunnel gateway on the Management cluster to listen for tunnel agents on remote clusters:

Kommander uses Traefik 2 ingress, which requires the strip prefix middleware to be defined explicitly as a Kubernetes API object, as opposed to a simple annotation. Kommander provides default middleware that supports creating tunnels only on the /dkp/tunnel URL prefix. This is indicated by the extra annotation traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-kubetunnel@kubernetescrd, as shown in the code sample that follows. If you want to expose a tunnel on a different URL prefix, you must manage your own middleware configuration.

Establish variables for the certificate secret and gateway. Replace the <gateway_name> placeholder with the name of the gateway:

CODE
cacert_secret=kubetunnel-ca
gateway=<gateway_name>

Create the Secret and TunnelGateway objects:

CODE
cat > gateway.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: ${namespace}
  name: ${cacert_secret}
data:
  ca.crt:
    ${b64ca_cert}
---
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelGateway
metadata:
  namespace: ${namespace}
  name: ${gateway}
spec:
  ingress:
    caSecretRef:
      namespace: ${namespace}
      name: ${cacert_secret}
    loadBalancer:
      hostname: ${hostname}
    urlPathPrefix: /dkp/tunnel
    extraAnnotations:
      kubernetes.io/ingress.class: kommander-traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.middlewares: kommander-stripprefixes-kubetunnel@kubernetescrd
EOF

kubectl apply -f gateway.yaml

You can verify the gateway exists using the command:

CODE
kubectl get tunnelgateway -n ${namespace} ${gateway}
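
The following preflight check is an added example, not part of the original procedure or D2iQ's own tooling. It catches an empty or malformed hostname, b64ca_cert, or namespace (for example, when the load balancer address is still pending or the kommander-ca secret was not read) before gateway.yaml is applied. The function names and sample values are assumptions made for illustration.

```shell
# Added example (not D2iQ's own code): preflight checks for the shell
# variables gathered on this page. Function names are assumptions.

# Hostname or IP: non-empty, only DNS-name / IP-address characters.
check_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.:-]*) return 1 ;;
  esac
}

# CA value: must base64-decode to PEM text framed by certificate markers.
check_b64_cert() {
  [ -n "$1" ] || return 1
  pem=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  first=$(printf '%s\n' "$pem" | sed -n '1p')
  last=$(printf '%s\n' "$pem" | sed -n '$p')
  [ "$first" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$last" = "-----END CERTIFICATE-----" ]
}

# Namespace: RFC 1123 label (lowercase alphanumerics and '-', max 63 chars).
check_namespace() {
  [ "${#1}" -le 63 ] || return 1
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
}

# Report every failing value on stderr; non-zero status if any check fails.
preflight() {
  rc=0
  check_hostname "$1" || { echo "hostname empty or malformed: '$1'" >&2; rc=1; }
  check_b64_cert "$2" || { echo "b64ca_cert does not decode to a PEM certificate" >&2; rc=1; }
  check_namespace "$3" || { echo "namespace empty or not a valid name: '$3'" >&2; rc=1; }
  return "$rc"
}

# Constructed sample values (the PEM body is a placeholder, not a real cert).
sample_ca=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
  '-----END CERTIFICATE-----' | base64 | tr -d '\n')
preflight "gw.example.com" "$sample_ca" "example-workspace-ns" && echo "preflight ok"
# On the Management cluster:
#   preflight "$hostname" "$b64ca_cert" "$namespace" && kubectl apply -f gateway.yaml
```

The certificate check is structural only: it confirms the value decodes to PEM-framed text and does not parse or validate the certificate itself.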

Next Step:

CLI: Create and Configure the Tunnel
