forked from pivotal-cf/docs-pks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
configure-api.html.md.erb
65 lines (48 loc) · 3.08 KB
/
configure-api.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
---
title: Configuring PKS API Access
owner: PKS
---
<strong><%= modified_date %></strong>
This topic describes how to configure access to the Pivotal Container Service (PKS) API.
See [PKS API Authentication](pks-api-auth.html) for more information about how the PKS API and UAA interact with your PKS deployment.
##<a id='access'></a> Configure Access to the PKS API
1. Locate your Ops Manager root CA certificate.
* If Ops Manager generated your certificate, refer to the [Retrieve the Ops Manager Root Certificate](https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html#root-certs) section of _Managing Certificates_.
* If you provided your own certificate, copy and paste the certificate you entered in the **PKS API** pane into a file.
1. Target your UAA server by running the following command:
<pre>uaac target https\://PKS-API:8443 --ca-cert ROOT-CA-FILENAME</pre>
Replace the following values:
* `PKS-API`: enter the fully qualified domain name (FQDN) you use to access the PKS API. You configured this URL in the PKS API section of _Installing PKS_ for your IaaS. For example, see [Installing PKS on vSphere](installing-pks-vsphere.html#pks-api).
* `ROOT-CA-FILENAME`: enter the path for the certificate file you downloaded in a previous step.
For example:
<pre class="terminal">
$ uaac target api.pks.example.com:8443 --ca-cert my-cert.cert
</pre>
Including `https://` in the PKS API URL is optional.
1. Run `uaac token client get admin -s UAA-ADMIN-SECRET` to request a token from the UAA server.
Replace `UAA-ADMIN-SECRET` with your UAA admin secret.
Refer to **Ops Manager > Pivotal Container Service > Credentials > Pks Uaa Management Admin Client** to retrieve this value.
1. Grant cluster access to new or existing users with UAA.
For more information on granting cluster access to users or creating users, see the [Grant PKS Access to a User](manage-users.html#uaa-user) section of _Managing Users in PKS with UAA_.
##<a id='login'></a> Log in to the PKS CLI as a User
For information about logging in to the PKS CLI as a user, see the [Log in to PKS CLI](installing-pks-cli.html#login) section of _Installing the PKS CLI_.
##<a id='client'></a> Log in to PKS as an Automated Client
On the command line, run the following command to log in to the PKS CLI as an automated client for a script or service:
<pre>
pks login -a PKS-API --client-name CLIENT-NAME --client-secret CLIENT-SECRET --ca-cert CERTIFICATE-PATH
</pre>
Where:
* `PKS-API` is the domain name for the PKS API that you entered in
**Ops Manager** > **Pivotal Container Service** > **PKS API** >
**API Hostname (FQDN)**. For example, `api.pks.example.com`.
* `CLIENT-NAME` is your OAuth client ID.
* `CLIENT-SECRET` is your OAuth client secret.
* `CERTIFICATE-PATH` is the path to your root CA certificate.
Provide the certificate to validate the PKS API certificate with SSL.<br><br>
For example:
<pre class="terminal">
$ pks login -a api.pks.example.com \
--client-name automated-client \
--client-secret randomly-generated-secret \
--ca-cert /var/tempest/workspaces/default/root_ca_certificate
</pre>