Step 3: Generate tokens

Now that the system is up and running you can create tokens. Tokens can also be created with the libopenstorage open source golang example application openstorage-sdk-auth. SSH to one of your nodes and follow the steps below to use pxctl to generate tokens:
Create user files

pxctl uses YAML configuration files to create tokens. Create two files: one for the storage admin token that pxctl uses to communicate with Portworx (like root in Linux), and a second for Kubernetes to provision and manage volumes.
Create a file called admin.yaml with the following:

```yaml
name: Storage Administrator
email: the email of the storage admin
sub: ${uuid} or email of the storage admin
roles: ["system.admin"]
groups: ["*"]
```
Create a file called kubernetes.yaml with the following:

```yaml
name: Kubernetes
email: the email of the kubernetes admin
sub: ${uuid} or email of the kubernetes admin
roles: ["system.user"]
groups: ["kubernetes"]
```
Note: The sub is the unique identifier for this user and, according to the JWT standard, must not be shared amongst other tokens. This is the value Portworx uses to track ownership of resources. If email is also used as the sub unique identifier, ensure it is not used by any other tokens. For more information on the rules for each of the values, visit the openstorage-sdk-auth repo.
Generate tokens

You can now create the tokens. In the following example, the issuer is set to portworx.com to match the value of -jwt-issuer set in the Portworx manifest. The example also sets the duration of the token to one day, which can be set manually with an API request. You will also need the shared secret created above. In the example below, the secret is saved in the environment variable $PORTWORX_AUTH_SHARED_SECRET.
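The points made in this section (the issuer must match the manifest, the token carries a one-day expiry, it is signed with the shared secret, and the note above that no two user files may share a sub) can be exercised end to end with the following Python script. It is an added example, not pxctl's own code and not part of the openstorage-sdk-auth project: it mints an HS256 JWT from the same fields as admin.yaml and kubernetes.yaml, verifies it the way a consumer should (pinned algorithm, signature, issuer, expiry), and reports any sub shared between user files. The claim names (iss, sub, name, email, roles, groups, iat, exp), the sample configs, the placeholder emails and the shared secret are constructed assumptions; in the real flow the secret comes from the pxkeys secret as shown below.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; the real secret comes from the pxkeys secret.
SHARED_SECRET = b"constructed-shared-secret-for-this-example-only"
ISSUER = "portworx.com"          # must match -jwt-issuer in the Portworx manifest
ONE_DAY = 24 * 60 * 60           # equivalent of --token-duration=1d

# Constructed equivalents of admin.yaml and kubernetes.yaml (emails are placeholders).
ADMIN_CONFIG = {
    "name": "Storage Administrator",
    "email": "storage-admin@example.com",
    "sub": "storage-admin@example.com",
    "roles": ["system.admin"],
    "groups": ["*"],
}
KUBE_CONFIG = {
    "name": "Kubernetes",
    "email": "kube-admin@example.com",
    "sub": "kube-admin@example.com",
    "roles": ["system.user"],
    "groups": ["kubernetes"],
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(config: dict, secret: bytes, issuer: str, duration: int,
               now: Optional[int] = None) -> str:
    """Build an HS256 JWT from a user config. The claim layout is an assumption."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer,
        "sub": config["sub"],
        "name": config["name"],
        "email": config["email"],
        "roles": config["roles"],
        "groups": config["groups"],
        "iat": now,
        "exp": now + duration,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, issuer: str,
                 now: Optional[int] = None) -> dict:
    """Validate alg, signature, issuer and expiry; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm so a header claiming "none" or another alg is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def duplicate_subjects(configs) -> list:
    """Return sub values shared by more than one user file (should be empty)."""
    seen, dupes = set(), []
    for cfg in configs:
        sub = cfg["sub"]
        if sub in seen and sub not in dupes:
            dupes.append(sub)
        seen.add(sub)
    return dupes


if __name__ == "__main__":
    for cfg in (ADMIN_CONFIG, KUBE_CONFIG):
        tok = mint_token(cfg, SHARED_SECRET, ISSUER, ONE_DAY)
        print(cfg["name"], "->", verify_token(tok, SHARED_SECRET, ISSUER)["roles"])
    print("duplicate subs:", duplicate_subjects([ADMIN_CONFIG, KUBE_CONFIG]))
```

The verifier checks the algorithm before the signature and compares the HMAC with a constant-time comparison; the issuer check is what ties a token to the -jwt-issuer value, and the expiry check is what gives --token-duration its effect.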
Get the shared secret:

```shell
PORTWORX_AUTH_SHARED_SECRET=$(kubectl -n kube-system get secret pxkeys -o json \
  | jq -r '.data."shared-secret"' \
  | base64 -d)
```
Create a token for the storage administrator using admin.yaml:

```shell
ADMIN_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
  --auth-config=admin.yaml \
  --issuer=portworx.com \
  --shared-secret="$PORTWORX_AUTH_SHARED_SECRET" \
  --token-duration=1d)
```
Create a token for Kubernetes using kubernetes.yaml:

```shell
KUBE_TOKEN=$(/opt/pwx/bin/pxctl auth token generate \
  --auth-config=kubernetes.yaml \
  --issuer=portworx.com \
  --shared-secret="$PORTWORX_AUTH_SHARED_SECRET" \
  --token-duration=1d)
```
Save the storage admin token in the pxctl context:

```shell
/opt/pwx/bin/pxctl context create admin --token="$ADMIN_TOKEN"
```
Save the Kubernetes token in a secret called portworx/px-user-token:

```shell
kubectl -n kube-system create secret generic px-user-token \
  --from-literal=auth-token="$KUBE_TOKEN"
```
Annotate the Kubernetes secret so that other components like Stork and PX-Backup do not back up this resource:

```shell
kubectl -n kube-system annotate secret px-user-token \
  stork.libopenstorage.org/skipresource=true
```
Kubernetes storage classes can be set up to read this secret and use the token to communicate with Portworx.

After you have completed the steps in this section, continue to the Storage class setup section.