This topic describes how to create admin users in VMware Tanzu Kubernetes Grid Integrated Edition with User Account and Authentication (UAA). Creating at least one admin user is a necessary step during the initial set up of Tanzu Kubernetes Grid Integrated Edition.
UAA is the identity management service for Tanzu Kubernetes Grid Integrated Edition. Tanzu Kubernetes Grid Integrated Edition includes a UAA server, which is hosted on the TKGI API VM.
To interact with the UAA server, you can use the UAA Command Line Interface (UAAC). You can either run UAAC commands from the Ops Manager VM or install UAAC on your local workstation.
Before setting up admin users for Tanzu Kubernetes Grid Integrated Edition, you must have one of the following:
SSH access to the Ops Manager VM
A machine that can connect to your TKGI API VM
You can connect to the TKGI API VM from the Ops Manager VM or from a different machine such as your local workstation.
You can connect to the TKGI API VM by logging in to the Ops Manager VM through SSH.
To log in to the Ops Manager VM using SSH on Azure, you need the SSH key pair you used when you created the Ops Manager VM. If you need to reset the SSH key, locate the Ops Manager VM in the Azure portal and click Reset Password.
To SSH into the Ops Manager VM on Azure, do the following:
From the Azure portal, locate the Ops Manager FQDN by selecting the VM.
Change the permissions for your SSH private key so that only you can read it (ssh refuses to use a private key that is readable by other users) by running the following command:
chmod 600 PRIVATE-KEY
Where PRIVATE-KEY is the name of your SSH private key.
SSH into the Ops Manager VM by running the following command:
ssh -i PRIVATE-KEY ubuntu@OPS-MANAGER-FQDN
Where:
OPS-MANAGER-FQDN is the FQDN of Ops Manager.
PRIVATE-KEY is the name of your SSH private key.
For example:
$ ssh -i id_rsa ubuntu@my-opsmanager-fqdn.example.com
Proceed to the Log in as a UAA Admin section to manage users with UAAC.
To connect to the TKGI API VM and run UAA commands, do the following:
Install UAAC on your machine. For example:
gem install cf-uaac
Download a copy of your Ops Manager root CA certificate to the machine. To download the certificate, do the following:
Proceed to the Log In as a UAA Admin section to create admin users with UAAC.
Before creating TKGI users, you must log in to the UAA server as a UAA admin. To log in to the UAA server, do the following:
Retrieve the UAA management admin client secret:
In a web browser, navigate to the Ops Manager Installation Dashboard and click the Tanzu Kubernetes Grid Integrated Edition tile.
Click the Credentials tab.
Click Link to Credential next to Pks Uaa Management Admin Client and copy the value of secret.
Target your UAA server by running the following command:
uaac target https://TKGI-API:8443 --ca-cert CERTIFICATE-PATH
Where:
TKGI-API is the domain name of your TKGI API server. You entered this domain name in the Tanzu Kubernetes Grid Integrated Edition tile > TKGI API > API Hostname (FQDN).
CERTIFICATE-PATH is the path to your Ops Manager root CA certificate. UAAC uses this certificate to validate the TLS certificate presented by the TKGI API server. On the Ops Manager VM, the root certificate is at /var/tempest/workspaces/default/root_ca_certificate by default. Always provide the CA certificate; do not work around a certificate error with --skip-ssl-validation, because the admin client secret you send in the next step would then go to whatever server answers at that address.
For example:
$ uaac target https://api.tkgi.example.com:8443 --ca-cert /var/tempest/workspaces/default/root_ca_certificate
Note: If you receive an Unknown key: Max-Age = 86400 warning message, you can ignore it because it has no impact.
Authenticate with UAA by running the following command:
uaac token client get admin -s ADMIN-CLIENT-SECRET
Where ADMIN-CLIENT-SECRET is the UAA management admin client secret that you retrieved in a previous step. The client ID is admin.
Passing the secret with -s records it in your shell history and exposes it in the process list to other users of the VM while the command runs. To avoid this, omit -s; UAAC then prompts you for the secret.
The pks.clusters.manage and pks.clusters.admin UAA scopes grant users the ability to create and manage Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition. For information about UAA scopes in Tanzu Kubernetes Grid Integrated Edition, see UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users.
To create Tanzu Kubernetes Grid Integrated Edition users with the pks.clusters.manage or pks.clusters.admin UAA scope, perform one or more of the following procedures based on the needs of your deployment:
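The page's own procedures for creating these users are not reproduced above. The following POSIX shell script is an added example, not VMware's code or one of the page's procedures: it strings the steps of this page together with cf-uaac, checking the CA file before targeting UAA, obtaining the management admin client token, then creating a user and adding it to one of the two TKGI scope groups. The function names, the environment variables TKGI_API_PORT, UAA_ADMIN_CLIENT and UAA_ADMIN_CLIENT_SECRET, and the restricted user-name character set are assumptions of this example; the uaac subcommands are the standard cf-uaac ones.

```shell
#!/bin/sh
# Added example (not from the TKGI documentation): bootstrap a TKGI admin user
# through UAA with cf-uaac. Assumes cf-uaac is installed and on PATH.
set -eu

TKGI_API_PORT="${TKGI_API_PORT:-8443}"          # the TKGI API port used on this page
UAA_ADMIN_CLIENT="${UAA_ADMIN_CLIENT:-admin}"   # the management admin client ID

# Pre-flight: the CA file must exist and hold a PEM certificate. Without it,
# "uaac target" fails with a bare SSL error. Do not "fix" that with
# --skip-ssl-validation: the admin client secret would then be sent to
# whatever answers on TKGI_API_PORT.
check_ca_cert() {
  local ca="$1"
  [ -r "$ca" ] || { echo "CA file not readable: $ca" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
    || { echo "not a PEM certificate: $ca" >&2; return 1; }
}

# Conservative user-name charset (an assumption of this example, stricter than
# UAA itself) so that nothing shell-meaningful reaches uaac's argument list.
check_username() {
  case "$1" in
    ''|*[!A-Za-z0-9._@-]*) echo "invalid user name: $1" >&2; return 1 ;;
  esac
}

# Only the two TKGI cluster scopes named on this page are accepted.
check_scope() {
  case "$1" in
    pks.clusters.admin|pks.clusters.manage) ;;
    *) echo "unsupported scope: $1" >&2; return 1 ;;
  esac
}

# Step 1: target the UAA server on the TKGI API VM, validating its certificate
# against the Ops Manager root CA.
uaa_target() {
  local fqdn="$1" ca="$2"
  check_ca_cert "$ca" || return 1
  uaac target "https://${fqdn}:${TKGI_API_PORT}" --ca-cert "$ca"
}

# Step 2: get the management admin client token. When UAA_ADMIN_CLIENT_SECRET
# is unset, -s is omitted and uaac prompts for the secret, which keeps it out
# of argv and shell history.
uaa_admin_login() {
  if [ -n "${UAA_ADMIN_CLIENT_SECRET:-}" ]; then
    uaac token client get "$UAA_ADMIN_CLIENT" -s "$UAA_ADMIN_CLIENT_SECRET"
  else
    uaac token client get "$UAA_ADMIN_CLIENT"
  fi
}

# Step 3: create the user (uaac prompts for the password when -p is omitted)
# and add it to the scope group. Validation runs before any uaac call so a bad
# name or scope leaves UAA untouched.
create_tkgi_user() {
  local user="$1" email="$2" scope="$3"
  check_username "$user" || return 1
  check_scope "$scope" || return 1
  uaac user add "$user" --emails "$email"
  uaac member add "$scope" "$user"
}

# Usage (assumed values):
#   uaa_target api.tkgi.example.com /var/tempest/workspaces/default/root_ca_certificate
#   uaa_admin_login
#   create_tkgi_user alice alice@example.com pks.clusters.admin
```

Run the three calls in the usage comment from the Ops Manager VM (where the root CA path above exists) or from a workstation holding a copy of the root CA; the scope check stops a typo such as pks.cluster.admin from silently creating a user with no TKGI rights.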
After you create admin users in Tanzu Kubernetes Grid Integrated Edition, the admin users can create and manage Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition. For more information, see Managing Kubernetes Clusters and Workloads.