Extend kubernetes config lease

November 8, 2018

Currently, the only way to access Kubernetes is by downloading the config file on the dashboard: https://cloud.digitalocean.com/kubernetes/clusters/mycluster, and adding it into ~/.kube/config. By default, this config file lives a few days at most.

Is there a way to either get an extended lease on this config, or generate a permanent authorization config for development?

4 Answers

For anyone else who’s interested: this API is undocumented, but if you have an API token with read access, this will get you the current valid kubeconfig.

curl --request GET \
  --url https://api.digitalocean.com/v2/kubernetes/clusters/<cluster-id>/kubeconfig \
  --header 'authorization: Bearer <digitalocean-token>'

That’s all you’d need for your CI config.

I noticed that from time to time our pipeline fails because the conf becomes invalid. Is it documented somewhere?

  • I haven’t seen any docs on this anywhere, but can vouch for the observation: both CI & local dev are breaking upon cert expiry, which happens every few days

I think it’s in the known issues here: https://www.digitalocean.com/docs/kubernetes/overview/

The Certificate Authority, Client Certificate, and Client Key data in the kubeconfig.yaml file are rotated weekly.

I understand why. I just wish it was easy to generate one restricted to a namespace, or to retrieve the config somehow via an API using an API token. My CI builds fail every week because of this.
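A CI-side refresh built on the kubeconfig endpoint quoted in the first answer, as an added example that is not part of the thread or DigitalOcean's own tooling: it fetches the file before each run, keeps the previous config if the fetch fails, and keeps the API token out of the process list. The `DO_TOKEN` variable, the two function names and the "looks like a kubeconfig" check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): refresh the kubeconfig in CI, keeping the
# old file if the fetch fails. DO_TOKEN and both function names are assumptions.

# Heuristic (assumption): a kubeconfig has top-level clusters: and users: keys,
# while an API error body is JSON and has neither.
looks_like_kubeconfig() {
    [ -s "$1" ] && grep -q '^clusters:' "$1" && grep -q '^users:' "$1"
}

# refresh_kubeconfig <cluster-id> [destination]; returns 0 only if dest was replaced.
refresh_kubeconfig() {
    cluster_id=$1
    dest=${2:-$HOME/.kube/config}
    [ -n "${DO_TOKEN:-}" ] || { echo "DO_TOKEN is not set" >&2; return 2; }

    mkdir -p "$(dirname "$dest")" || return 1
    # mktemp creates the file mode 0600, so the client key is never world-readable.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1

    # The header is fed to curl via --config on stdin (printf is a builtin in
    # bash/dash), so the token does not show up in the process list.
    if printf 'header = "Authorization: Bearer %s"\n' "$DO_TOKEN" |
        curl --config - --fail --silent --show-error --max-time 30 \
            --output "$tmp" \
            "https://api.digitalocean.com/v2/kubernetes/clusters/${cluster_id}/kubeconfig" &&
        looks_like_kubeconfig "$tmp"
    then
        mv -f "$tmp" "$dest"    # same directory, so the rename is atomic
        return 0
    fi
    rm -f "$tmp"                # failed or malformed fetch: previous config stays
    return 1
}

# Usage in a CI step, before any kubectl call:
#   refresh_kubeconfig "<cluster-id>" || exit 1
```

Store the token as a masked CI secret and give it only the access the thread says is needed for this call.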
