This topic describes how to create VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) admin users with User Account and Authentication (UAA).

Overview

UAA is the identity management service for TKGI. You must use UAA to create an admin user during your initial setup of TKGI.

TKGI includes a UAA server, hosted on the TKGI API VM. Use the UAA Command Line Interface (UAAC) from the VMware Tanzu Operations Manager (Ops Manager) VM to interact with the TKGI UAA server. You can also install UAAC on a workstation and run UAAC commands from there.

Prerequisites

Before setting up admin users for Tanzu Kubernetes Grid Integrated Edition, you must have one of the following:

  • SSH access to the Ops Manager VM

  • A machine that can connect to your TKGI API VM

Step 1: Connect to the TKGI API VM

You can connect to the TKGI API VM from the Ops Manager VM or from a different machine such as your local workstation.

Option 1: Connect through the Ops Manager VM

You can connect to the TKGI API VM by logging in to the Ops Manager VM through SSH. To SSH into the Ops Manager VM on AWS, do the following:

  1. Retrieve the key pair you used when you created the Ops Manager VM. To see the name of the key pair:

    1. In the AWS console, click the Ops Manager VM.
    2. Locate the key pair name in the properties.
  2. On the AWS EC2 instances page, locate the Ops Manager FQDN.

  3. Change the permissions on the .pem file to be more restrictive by running the chmod 600 command. For example:

    $ chmod 600 ops_mgr.pem
    
  4. SSH into the Ops Manager VM by running the following command:

    ssh -i ops_mgr.pem ubuntu@OPS-MANAGER-FQDN
    

    Where OPS-MANAGER-FQDN is the FQDN of Ops Manager. For example:

    $ ssh -i ops_mgr.pem ubuntu@ops-manager.example.com
    
  5. Proceed to the Log In as a UAA Admin section to manage users with UAAC.

Option 2: Connect through a Non-Ops Manager Machine

To connect to the TKGI API VM and run UAA commands, do the following:

  1. Install UAAC on your machine. For example:

    gem install cf-uaac
    
  2. Download a copy of your Ops Manager root CA certificate to the machine. To download the certificate, do the following:

    1. In a web browser, navigate to the FQDN of Ops Manager and log in.
    2. In Ops Manager, navigate to Settings in the drop-down menu under your user name.
    3. Click Advanced Options.
    4. On the Advanced Options configuration page, click Download Root CA Cert.
    5. Move the certificate to a secure location on your machine and record the path.
  3. Proceed to the Log In as a UAA Admin section to create admin users with UAAC.

Step 2: Log In as a UAA Admin

Before creating TKGI users, you must log in to the UAA server as a UAA admin. To log in to the UAA server, do the following:

  1. Retrieve the UAA management admin client secret:

    1. In a web browser, navigate to the Ops Manager Installation Dashboard and click the Tanzu Kubernetes Grid Integrated Edition tile.

    2. Click the Credentials tab.

    3. Click Link to Credential next to Pks Uaa Management Admin Client and copy the value of secret.

  2. Target your UAA server by running the following command:

    uaac target https://TKGI-API:8443 --ca-cert CERTIFICATE-PATH
    

    Where:

    • TKGI-API is the domain name of your TKGI API server. You entered this domain name in the Tanzu Kubernetes Grid Integrated Edition tile > TKGI API > API Hostname (FQDN).
    • CERTIFICATE-PATH is the path to your Ops Manager root CA certificate. Provide this certificate to validate the TKGI API certificate with SSL.

      • If you are logged in to the Ops Manager VM, specify /var/tempest/workspaces/default/root_ca_certificate as the path. This is the default location of the root certificate on the Ops Manager VM.
      • If you downloaded the Ops Manager root CA certificate to your machine, specify the path where you stored the certificate.

      For example:

      $ uaac target https://api.tkgi.example.com:8443 --ca-cert /var/tempest/workspaces/default/root_ca_certificate
      

      Note: If you receive an Unknown key: Max-Age = 86400 warning message, you can ignore it because it has no impact.

  3. Authenticate with UAA by running the following command:

    uaac token client get admin -s ADMIN-CLIENT-SECRET
    

    Where ADMIN-CLIENT-SECRET is your UAA management admin client secret that you retrieved in a previous step. The client user name is admin.
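
The connection and login procedure from Step 1 and Step 2, wrapped in a small POSIX shell script. This is an added example, not code from the TKGI documentation or from VMware: the environment variable names (TKGI_API, TKGI_CA_CERT, UAA_ADMIN_CLIENT_SECRET, TKGI_UAA_LOGIN) and the helper function names are assumptions of this example. It assumes uaac is installed (gem install cf-uaac, as above) and uses only the uaac target and uaac token client get commands shown on this page. Before running uaac it checks the things that usually go wrong: the SSH key permissions for the Ops Manager hop, the CA certificate path, and the form of the UAA target URL.

```shell
#!/bin/sh
# Added example (not from the TKGI documentation). Assumed environment:
#   TKGI_API                - TKGI API FQDN, with or without https:// and :8443
#   TKGI_CA_CERT            - path to the Ops Manager root CA certificate
#                             (defaults to its location on the Ops Manager VM)
#   UAA_ADMIN_CLIENT_SECRET - optional; if unset, uaac prompts for the secret
#   TKGI_UAA_LOGIN=1        - run the live login instead of only defining helpers
set -eu

# Default root CA location on the Ops Manager VM (path taken from the page).
OPSMAN_ROOT_CA=/var/tempest/workspaces/default/root_ca_certificate

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds only when the SSH private key (ops_mgr.pem) is owner read/write
# only (0600), which is what the chmod 600 step above produces and what ssh
# itself requires before it will use the key.
check_key_perms() {
  [ "$(file_mode "$1")" = "600" ]
}

# Normalise whatever was typed for the API host into "https://HOST:8443",
# the form uaac target expects for the TKGI UAA server (port from the page).
uaa_target_url() {
  host=${1#https://}
  host=${host#http://}
  host=${host%/}
  case "$host" in
    *:*) ;;                  # port already given
    *) host="$host:8443" ;;  # TKGI UAA listens on 8443
  esac
  printf 'https://%s\n' "$host"
}

# Choose the CA certificate: an explicit path wins (it is validated later by
# check_ca_cert), otherwise the default Ops Manager VM location if readable.
resolve_ca_cert() {
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1"
  elif [ -r "$OPSMAN_ROOT_CA" ]; then
    printf '%s\n' "$OPSMAN_ROOT_CA"
  else
    return 1
  fi
}

# Check that the file is a readable PEM certificate before passing it to
# uaac --ca-cert, so a wrong path or a key file fails here rather than as an
# obscure TLS error from uaac.
check_ca_cert() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Step 2.2 and 2.3 of the page: target the UAA server with CA validation,
# then obtain a token for the admin client.
uaa_admin_login() {
  target=$(uaa_target_url "$TKGI_API")
  ca=$(resolve_ca_cert "${TKGI_CA_CERT:-}") || {
    echo "no CA certificate found; set TKGI_CA_CERT" >&2; return 1; }
  check_ca_cert "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
  uaac target "$target" --ca-cert "$ca"
  if [ -n "${UAA_ADMIN_CLIENT_SECRET:-}" ]; then
    uaac token client get admin -s "$UAA_ADMIN_CLIENT_SECRET"
  else
    # Without -s, uaac prompts for the secret, which keeps it out of shell
    # history and out of process listings on the machine.
    uaac token client get admin
  fi
  # uaac caches the token in ~/.uaac.yml; keep that file owner-only.
  chmod 600 "$HOME/.uaac.yml" 2>/dev/null || true
}

# Run the live steps only when asked, so the file can also be sourced for
# its helper functions.
if [ "${TKGI_UAA_LOGIN:-0}" = "1" ]; then
  uaa_admin_login
fi
```

Run it as TKGI_UAA_LOGIN=1 TKGI_API=api.tkgi.example.com sh uaa-admin-login.sh (on a workstation also set TKGI_CA_CERT to the downloaded root CA). Leaving UAA_ADMIN_CLIENT_SECRET unset is the safer choice: a secret given with -s on the command line is recorded in shell history and is visible to other local users in process listings for as long as uaac runs, whereas the interactive prompt avoids both.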

Step 3: Assign Tanzu Kubernetes Grid Integrated Edition Cluster Scopes

The pks.clusters.manage and pks.clusters.admin UAA scopes grant users the ability to create and manage Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition. For information about UAA scopes in Tanzu Kubernetes Grid Integrated Edition, see UAA Scopes for Tanzu Kubernetes Grid Integrated Edition Users.

To create Tanzu Kubernetes Grid Integrated Edition users with the pks.clusters.manage or pks.clusters.admin UAA scope, perform one or more of the following procedures based on the needs of your deployment:

Next Step

After you create admin users in Tanzu Kubernetes Grid Integrated Edition, the admin users can create and manage Kubernetes clusters in Tanzu Kubernetes Grid Integrated Edition. For more information, see Managing Kubernetes Clusters and Workloads.
