Merge "Remote CLI (remainder)"

2025-08-22 14:09:45 +00:00
parent 71f9d45631 33a07487f1
commit 3c97dddf87
4 changed files with 16 additions and 49 deletions
--- a/doc/source/security/kubernetes/configure-kubernetes-client-access.rst
+++ b/doc/source/security/kubernetes/configure-kubernetes-client-access.rst
@@ -120,33 +120,21 @@ Kubernetes Remote Client Access using the Host Directly
        % sudo apt-get update
        % sudo apt-get install -y kubectl

-#.  Optional: Contact your system administrator for the |prod| Kubernetes
-    cluster's public root |CA| certificate. Copy this certificate to your system
-    as ``k8s-ca.crt``. This step is strongly recommended, but it still possible
-    to connect to the Kubernetes cluster without this certificate.
+#.  Contact your system administrator for the |prod| system-local-ca |CA|
+    certificate. Copy this certificate to your system as ``stx-ca.crt``.

 #.  Create an empty Kubernetes configuration file (the default path is
-    ``~/.kube/config``). Execute the commands below to update this file. Use the
-    |OAM| IP address and the Kubernetes |CA| certificate acquired in the
+    ``~/.kube/config``). Run the commands below to update this file. Use the
+    |OAM| IP address and the system-local-ca |CA| certificate acquired in the
    previous step. If the |OAM| IP is IPv6, use the IP enclosed in brackets
-    (example: "[fd00::a14:803]"). In the example below, the user is
-    "admin-user", change it to the name of user you want to authenticate.
+    (example: ``[fd00::a14:803]``). In the example below, the user is
+    ``admin-user``. Change it to the name of user you want to authenticate.

    .. code-block:: none

        $ MYUSER="admin-user"
        $ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443
-        $ kubectl config set clusters.wrcpcluster.certificate-authority-data $(base64 -w0 k8s-ca.crt)
-        $ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
-        $ kubectl config use-context ${MYUSER}@wrcpcluster
-
-    If you don't have the Kubernetes |CA| certificate, execute the following
-    commands instead.
-
-    .. code-block:: none
-
-        $ MYUSER="admin-user"
-        $ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443 --insecure-skip-tls-verify
+        $ kubectl config set clusters.wrcpcluster.certificate-authority-data $(base64 -w0 stx-ca.crt)
        $ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
        $ kubectl config use-context ${MYUSER}@wrcpcluster

--- a/doc/source/security/kubernetes/create-first-system-administrator-1775e1b20941.rst
+++ b/doc/source/security/kubernetes/create-first-system-administrator-1775e1b20941.rst
@@ -124,9 +124,9 @@ it can create subsequent system administrators and end users.
        $ USERNAME="joefulladmin"
        $ USERPASSWORD="<password>"
        $ PROJECTNAME="admin"
-        $ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'\`
+        $ PROJECTID=$(openstack project list | grep "${PROJECTNAME}" | awk '{print $2}')
        $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
-        $ openstack role add --project ${PROJECTNAME} --user ${USERNAME}_member_
+        $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} member

     #.   Add full |prod| authorization privileges to the first system
          administrator's keystone user account.
--- a/doc/source/security/kubernetes/security-configure-container-backed-remote-clis-and-clients.rst
+++ b/doc/source/security/kubernetes/security-configure-container-backed-remote-clis-and-clients.rst
@@ -129,15 +129,6 @@ CLIs and Clients for an admin user with cluster-admin clusterrole.
            ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/stx.ca.crt
            ~(keystone_admin)]$ scp /home/sysadmin/stx.ca.crt <remote_workstation_user>@<remote_workstation_IP>:~/stx.ca.crt

-    #.  Optional: copy the Kubernetes |CA| certificate
-        ``/etc/kubernetes/pki/ca.crt`` from the active controller to the remote
-        workstation. This step is strongly recommended, but it still possible
-        to connect to the Kubernetes cluster without this certificate.
-
-        .. code-block:: none
-
-            ~(keystone_admin)]$ scp /etc/kubernetes/pki/ca.crt <remote_workstation_user>@<remote_workstation_IP>:~/k8s-ca.crt
-
 #.  In the remote workstation, do the actions listed below.

    #.  Create a working directory that will be mounted by the container
@@ -294,27 +285,16 @@ CLIs and Clients for an admin user with cluster-admin clusterrole.

    #.  Update the contents in the admin-kubeconfig file using the
        :command:`kubectl` command from the container. Use the |OAM| IP address
-        and the Kubernetes |CA| certificate acquired in the steps above. If the
-        |OAM| IP is IPv6, use the IP enclosed in brackets (example:
-        "[fd00::a14:803]").
+        and the |prod| system-local-ca certificate acquired in the steps above.
+        If the |OAM| IP is IPv6, use the IP enclosed in brackets (example:
+        ``[fd00::a14:803]``).

        .. code-block:: none

            $ cd $HOME/remote_cli_wd
            $ source remote_client_platform.sh
            $ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443
-            $ kubectl config set clusters.wrcpcluster.certificate-authority-data $(base64 -w0 k8s-ca.crt)
-            $ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
-            $ kubectl config use-context ${MYUSER}@wrcpcluster
-
-        If you don't have the Kubernetes |CA| certificate, execute the following
-        commands instead.
-
-        .. code-block:: none
-
-            $ cd $HOME/remote_cli_wd
-            $ source remote_client_platform.sh
-            $ kubectl config set-cluster wrcpcluster --server=https://<OAM_IP>:6443 --insecure-skip-tls-verify
+            $ kubectl config set clusters.wrcpcluster.certificate-authority-data $(base64 -w0 ~/stx.ca.crt)
            $ kubectl config set-context ${MYUSER}@wrcpcluster --cluster=wrcpcluster --user ${MYUSER}
            $ kubectl config use-context ${MYUSER}@wrcpcluster

--- a/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst
+++ b/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst
@@ -62,16 +62,15 @@ The following data needs to be collected:

     .. code-block::

-        $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.tls\.crt}' | base64 --decode > ~/stx-remote-access-info/stx.ca.crt
+         $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > ~/stx-remote-access-info/stx.ca.crt

-#.   Get the kubernetes environment data for the |prod| system.
+#.   Get the Kubernetes environment data for the |prod| system.

     .. code-block::

         $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
-
         $ touch ~/stx-remote-access-info/kubeconfig
-         $ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig set-cluster stx-cluster --server=https://${OAMIP}:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt
+         $ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig set-cluster stx-cluster --server=https://${OAMIP}:6443 --embed-certs --certificate-authority=~/stx-remote-access-info/stx.ca.crt
         $ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig set-context YOURUSERNAMEHERE@stx-cluster --cluster=stx-cluster --user YOURUSERNAMEHERE
         $ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig use-context YOURUSERNAMEHERE@stx-cluster