This topic describes how to log in to VMware Tanzu Kubernetes Grid Integrated Edition.

Overview

To manage Tanzu Kubernetes Grid Integrated Edition-deployed clusters, you use the TKGI Command Line Interface (TKGI CLI). When you log in to Tanzu Kubernetes Grid Integrated Edition successfully for the first time, the TKGI CLI generates a local creds.yml file that contains the API endpoint, refresh token, access token, and CA certificate, if applicable.

By default, creds.yml is saved in the ~/.pks directory on your local system. You can use the TKGI_HOME environment variable to override this location and store creds.yml in any directory on your system.

Prerequisites

Before you can log in to Tanzu Kubernetes Grid Integrated Edition, you must have the following:

  • A running Tanzu Kubernetes Grid Integrated Edition environment, including an external load balancer configured to forward traffic to the TKGI API endpoint. See the Installing Tanzu Kubernetes Grid Integrated Edition section for your cloud provider.
  • A username and password that has access to the TKGI API. See Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA.
  • The TKGI CLI installed on your local system. See Installing the TKGI CLI.

Log in to the TKGI CLI

Use the command in this section to log in as an individual user. The login procedure is the same for users created in UAA or users from external LDAP groups.

On the command line, run the following command in your terminal to log in to the TKGI CLI:

 tkgi login -a TKGI-API -u USERNAME -p PASSWORD –ca-cert CERT-PATH 

Replace the placeholder values in the command as follows:

  • TKGI-API is the domain name for the TKGI API that you entered in Ops Manager > Tanzu Kubernetes Grid Integrated Edition > TKGI API > API Hostname (FQDN). For example, api.tkgi.example.com.

  • USERNAME and PASSWORD belong to the account you created in the Grant Tanzu Kubernetes Grid Integrated Edition Access to an Individual User section of Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA. If you do not use -p to provide a password, the TKGI CLI prompts for the password interactively. VMware recommends running the login command without the -p flag for added security.

  • CERT-PATH is the path to your root CA certificate. Provide the certificate to validate the TKGI API certificate with SSL.

    For example:

     $ tkgi login -a api.tkgi.example.com -u alana \ 
    –ca-cert /var/tempest/workspaces/default/root_ca_certificate

    If you are logging in to a trusted environment, you can use -k to skip SSL verification instead of --ca-cert CERT-PATH.

    For example:

     $ tkgi login -a api.tkgi.example.com -u alana -k

    Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must include an additional SSO flag to use the above command. For information about the SSO flags, see the section for the above command in TKGI CLI. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider

Log in to the TKGI CLI as an Automated Client

To log in to the TKGI CLI as an automated client for a script or service, run the following command:

tkgi login -a TKGI-API --client-name CLIENT-NAME --client-secret CLIENT-SECRET --ca-cert CERTIFICATE-PATH

Where:

  • TKGI-API is the domain name for the TKGI API that you entered in Ops Manager > Tanzu Kubernetes Grid Integrated Edition > TKGI API > API Hostname (FQDN). For example, api.tkgi.example.com.
  • CLIENT-NAME is an OAuth client ID for either:
    • A UAA admin client created with --authorities "pks.clusters.admin"
    • The default admin client Pks Uaa Management Admin Client
  • CLIENT-SECRET the OAuth client secret for the --client-name value above.
  • CERTIFICATE-PATH is the path to your root CA certificate. Provide the certificate to validate the TKGI API certificate with SSL.

    For example:

     $ tkgi login -a api.tkgi.example.com \ 
    –client-name automated-client \
    –client-secret randomly-generated-secret \
    –ca-cert /var/tempest/workspaces/default/root_ca_certificate

For information on how to create a UAA client, see Grant Tanzu Kubernetes Grid Integrated Edition Access to a Client in Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA.

Export TKGI API Access Token

This procedure stores a TKGI API access token as an environment variable that you can use when executing TKGI API calls on the command line.

ß1. To export your access token into an environment variable, run the following command:

```
tkgi login -a TKGI-API -u USER-ID -p 'PASSWORD' -k; \
export YOUR-ACCESS-TOKEN=$(bosh int ~/.pks/creds.yml --path /access_token)
```
Where:  

* `TKGI-API` is the FQDN of your TKGI API endpoint. For example, `api.tkgi.example.com`.  
* `USER-ID` is your Tanzu Kubernetes Grid Integrated Edition user ID.  
* `PASSWORD` is your Tanzu Kubernetes Grid Integrated Edition password.  
* `YOUR-ACCESS-TOKEN` is the name of your access token environment variable.

For example:
<pre class="terminal">
$ tkgi login -a tkgi.my.lab -u alana -p 'psswrdabc123...!' -k; \ <br>
export my\_token=$(bosh int ~/.pks/creds.yml --path /access\_token)<br>
</pre>

Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must include an additional SSO flag to use the above command. For information about the SSO flags, see the section for the above command in TKGI CLI. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider

check-circle-line exclamation-circle-line close-line
Scroll to top icon