This topic describes how to log in to VMware Tanzu Kubernetes Grid Integrated Edition.
To manage Tanzu Kubernetes Grid Integrated Edition-deployed clusters, you use the TKGI Command Line Interface (TKGI CLI). When you log in to Tanzu Kubernetes Grid Integrated Edition successfully for the first time, the TKGI CLI generates a local `creds.yml` file that contains the API endpoint, refresh token, access token, and CA certificate, if applicable.
By default, `creds.yml` is saved in the `~/.pks` directory on your local system. You can use the `TKGI_HOME` environment variable to override this location and store `creds.yml` in any directory on your system.
Before you can log in to Tanzu Kubernetes Grid Integrated Edition, you must have the following:
Use the command in this section to log in as an individual user. The login procedure is the same for users created in UAA or users from external LDAP groups.
Run the following command in your terminal to log in to the TKGI CLI:
```
tkgi login -a TKGI-API -u USERNAME -p PASSWORD --ca-cert CERT-PATH
```
Replace the placeholder values in the command as follows:
* `TKGI-API` is the domain name for the TKGI API that you entered in Ops Manager > Tanzu Kubernetes Grid Integrated Edition > TKGI API > API Hostname (FQDN). For example, `api.tkgi.example.com`.
* `USERNAME` and `PASSWORD` belong to the account you created in the Grant Tanzu Kubernetes Grid Integrated Edition Access to an Individual User section of Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA. If you do not use `-p` to provide a password, the TKGI CLI prompts for the password interactively. VMware recommends running the login command without the `-p` flag for added security.
* `CERT-PATH` is the path to your root CA certificate. Provide the certificate to validate the TKGI API certificate with SSL.
For example:
```
$ tkgi login -a api.tkgi.example.com -u alana \
  --ca-cert /var/tempest/workspaces/default/root_ca_certificate
```
If you are logging in to a trusted environment, you can use `-k` to skip SSL verification instead of `--ca-cert CERT-PATH`.
For example:
```
$ tkgi login -a api.tkgi.example.com -u alana -k
```
Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must include an additional SSO flag to use the above command. For information about the SSO flags, see the section for the above command in TKGI CLI. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.
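The two recommendations above (omit `-p`, and reserve `-k` for trusted environments) can be checked mechanically in scripts that call `tkgi login`. The following Python check is an added example, not part of the TKGI documentation or the TKGI CLI; it looks only for the short flags shown on this page, and the function names and the sample script are constructed for illustration.

```python
import shlex

SEPARATORS = set("();<>|&")  # shlex punctuation that ends a simple command
# Constructed sample script; its first command mirrors the page's token-export example.
SAMPLE = r"""tkgi login -a tkgi.my.lab -u alana -p 'constructed-pw' -k; \
  export my_token=$(bosh int ~/.pks/creds.yml --path /access_token)
tkgi login -a api.tkgi.example.com -u alana \
  --ca-cert /var/tempest/workspaces/default/root_ca_certificate
"""

def logical_lines(text):
    """Yield (first_line_number, command) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines() + [""], 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
        else:
            yield start, buf + raw
            buf, start = "", None

def simple_commands(line):
    """Split one logical line into argv lists at ;, &&, | and similar tokens."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    argv = []
    for tok in list(lexer) + [";"]:  # trailing ";" flushes the last command
        if tok and set(tok) <= SEPARATORS:
            if argv:
                yield argv
            argv = []
        else:
            argv.append(tok)

def audit_tkgi_logins(text):
    """Return (line_number, finding) pairs for each `tkgi login` invocation."""
    findings = []
    for no, line in logical_lines(text):
        try:
            commands = list(simple_commands(line))
        except ValueError:  # unbalanced quotes: not a plain command line
            continue
        for argv in commands:
            if argv[:2] == ["tkgi", "login"]:
                if "-p" in argv:
                    findings.append((no, "-p: password given on the command line"))
                if "-k" in argv:
                    findings.append((no, "-k: SSL verification skipped"))
    return findings
```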
To log in to the TKGI CLI as an automated client for a script or service, run the following command:
```
tkgi login -a TKGI-API --client-name CLIENT-NAME --client-secret CLIENT-SECRET --ca-cert CERTIFICATE-PATH
```
Where:
* `TKGI-API` is the domain name for the TKGI API that you entered in Ops Manager > Tanzu Kubernetes Grid Integrated Edition > TKGI API > API Hostname (FQDN). For example, `api.tkgi.example.com`.
* `CLIENT-NAME` is an OAuth client ID for either:
  `--authorities "pks.clusters.admin"`
* `CLIENT-SECRET` is the OAuth client secret for the `--client-name` value above.
* `CERTIFICATE-PATH` is the path to your root CA certificate. Provide the certificate to validate the TKGI API certificate with SSL.
For example:
```
$ tkgi login -a api.tkgi.example.com \
  --client-name automated-client \
  --client-secret randomly-generated-secret \
  --ca-cert /var/tempest/workspaces/default/root_ca_certificate
```
For information on how to create a UAA client, see Grant Tanzu Kubernetes Grid Integrated Edition Access to a Client in Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA.
This procedure stores a TKGI API access token as an environment variable that you can use when executing TKGI API calls on the command line.
1. To export your access token into an environment variable, run the following command:
```
tkgi login -a TKGI-API -u USER-ID -p 'PASSWORD' -k; \
export YOUR-ACCESS-TOKEN=$(bosh int ~/.pks/creds.yml --path /access_token)
```
Where:
* `TKGI-API` is the FQDN of your TKGI API endpoint. For example, `api.tkgi.example.com`.
* `USER-ID` is your Tanzu Kubernetes Grid Integrated Edition user ID.
* `PASSWORD` is your Tanzu Kubernetes Grid Integrated Edition password.
* `YOUR-ACCESS-TOKEN` is the name of your access token environment variable.
For example:
<pre class="terminal">
$ tkgi login -a tkgi.my.lab -u alana -p 'psswrdabc123...!' -k; \
export my_token=$(bosh int ~/.pks/creds.yml --path /access_token)
</pre>
Note: If your operator has configured Tanzu Kubernetes Grid Integrated Edition to use a SAML identity provider, you must include an additional SSO flag to use the above command. For information about the SSO flags, see the section for the above command in TKGI CLI. For information about configuring SAML, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.