Step 3: Generate tokens
Now that the system is up and running you can create tokens.
You can also use the libopenstorage open source golang example application openstorage-sdk-auth to generate tokens.
SSH to one of your nodes and follow the steps below to use pxctl to generate tokens:
Create user files
pxctl uses YAML configuration files to create tokens. You will be creating two files: one for the storage admin token used by pxctl to communicate with Portworx (like root in Linux), and a second for Kubernetes to provision and manage volumes.
Create a file called admin.yaml with the following:

```yaml
name: Storage Administrator
email: the email of the storage admin
sub: ${uuid} or email of the storage admin
roles: ["system.admin"]
groups: ["*"]
```
Create a file called kubernetes.yaml with the following:

```yaml
name: Kubernetes
email: the email of the kubernetes admin
sub: ${uuid} or email of the kubernetes admin
roles: ["system.user"]
groups: ["kubernetes"]
```
The sub is the unique identifier for this user and must not be shared amongst other tokens according to the JWT standard. This is the value used by Portworx to track ownership of resources. If email is also used as the sub unique identifier, please make sure it is not used by any other tokens. For more information on the rules of each of the values, visit the openstorage-sdk-auth repo.
Generate tokens
Now you can create a token. Notice in the example below that the issuer is set to portworx.com, matching the value of -jwt-issuer set in the Portworx manifest. The example also sets the duration of the token to one year. You may want to adjust it to a much shorter duration if you plan on refreshing the token often.
You will also need the shared secret created above. In the example below, the secret is saved in the environment variable $PORTWORX_AUTH_SHARED_SECRET.
Get the shared secret:

```bash
PORTWORX_AUTH_SHARED_SECRET=$(kubectl -n kube-system get secret pxkeys -o json \
  | jq -r '.data."shared-secret"' \
  | base64 -d)
```
Create a token for the storage administrator using admin.yaml:

```bash
ADMIN_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
  --auth-config=admin.yaml \
  --issuer=portworx.com \
  --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
  --token-duration=1y)
```
Create a token for Kubernetes using kubernetes.yaml:

```bash
KUBE_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
  --auth-config=kubernetes.yaml \
  --issuer=portworx.com \
  --shared-secret=$PORTWORX_AUTH_SHARED_SECRET \
  --token-duration=1y)
```
Save the storage admin token in the pxctl context:

```bash
/opt/pwx/bin/pxctl context create admin --token=$ADMIN_TOKEN
```
Save the Kubernetes token in a secret called portworx/px-k8s-user:

```bash
kubectl -n portworx create secret \
  generic px-k8s-user --from-literal=auth-token=$KUBE_TOKEN
```
You can now set up Kubernetes storage classes to use this secret to get access to the token to communicate with Portworx.
Once you have completed the steps in this section, continue to the Storage class setup section.