Skip to content

Instantly share code, notes, and snippets.

@amitpj

amitpj/api_iks.md

Last active October 27, 2021 02:23
Show Gist options
  • Save amitpj/7d5e1b3c7baacbfff638850f7d8a86ec to your computer and use it in GitHub Desktop.
Save amitpj/7d5e1b3c7baacbfff638850f7d8a86ec to your computer and use it in GitHub Desktop.
Download ZIP
An API-based pattern for accessing an IBM Cloud Kubernetes Service (IKS) cluster
Raw
api_iks.md

Accessing an IKS (IBM Cloud Kubernetes Service) cluster using IBM IAM and IBM Kubernetes Service APIs

  1. Retrieve IBM Cloud IAM <access_token> and <refresh_token> using the API key
curl -X POST -H "Authorization: Basic Yng6Yng=" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=<APIKey>" "https://iam.cloud.ibm.com/identity/token"

The string "Yng6Yng=" is nothing but base64 encoded "bx" credentials.

Look for <access_token> and <refresh_token> in JSON output as shown below:

{
   "access_token":"<access_token>",
   "refresh_token":"<refresh_token>",
   "ims_user_id":...,
   "token_type":"Bearer",
   "expires_in":1200,
   "expiration":1633975642,
   "refresh_token_expiration":1634060845,
   "scope":"ibm openid"
}
  1. Retrieve the <api_server> of the cluster, the <base64_encoded_certificate> and the 
curl -X POST -H "Authorization: Bearer <access_token>" -H "X-Auth-Refresh-Token: <refresh_token>" -H "Content-Type: application/json" -d "{\"cluster\": \"<clusterNameOrID>\"}" "https://containers.cloud.ibm.com/global/v2/applyRBACAndGetKubeconfig"

In addition to retrieving the kubeconfig JSON containing the details we need, this API also syncs RBAC (Role-Based Access Control) information from IBM IAM to the cluster as suggested by name of the API.

Look for "server", "certificate-authority-data" and "id-token" fields in JSON output of the API as shown below:

{
  "kind": "Config",
  "apiVersion": "v1",
  "preferences": {},
  "clusters": [
    {
      "name": "...",
      "cluster": {
        "server": "<api_server>",
        "certificate-authority-data": "<base64_encoded_certificate>"
      }
    }
  ],
  "users": [
    {
      "name": "...",
      "user": {
        "auth-provider": {
          "name": "oidc",
          "config": {
            "client-id": "kube",
            "client-secret": "kube",
            "id-token": "<token>",
            "idp-issuer-url": "https://iam.cloud.ibm.com/identity",
            "refresh-token": "..."
          }
        }
      }
    }
  ],
  "contexts": [
    ...
  ],
  "current-context": "..."
}
  1. Perform base64 decoding of the <base64_encoded_certificate> and save it in a temp file e.g. /tmp/ca-iks.pem
  2. Finally, use the <api_server>, the an the /tmp/ca-iks.pem to the kubectl command or Kubernetes API
kubectl --server "<api_server>" --token "<token>" --certificate-authority "/tmp/ca-iks.pem" get namespaces

OR

curl -H "Authorization: Bearer <token>" --cacert "/tmp/ca-iks.pem" "<api_server>/api/v1/namespaces"

Reference documentation:

https://containers.cloud.ibm.com/global/swagger-global-api/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment