Commit e1ae7b4

author
yzamir
committed
add readme
1 parent c35e77f commit e1ae7b4

1 file changed

+8
-6
lines changed

README.md

Lines changed: 8 additions & 6 deletions
@@ -141,14 +141,17 @@ Now that the virtual machine is running, we can create a signed link to kubevirt
141141
# Copy the service account bearer token into a local file
142142
kubectl get secrets -n kube-gateway -o json | jq '[.items[] | select(.metadata.name | contains("kube-gateway-sa")) | select(.type | contains("service-account-token")) | .data.token][0]' | python -m base64 -d > token
143143

144-
# Sign a token and put it in a variable
145-
data='{"URLs":["/apis/subresources.kubevirt.io/v1/namespaces/kube-gateway/virtualmachineinstances/testvm/vnc"],"duration":"1h"}'
144+
# Create a path to the k8s resource
145+
path=/apis/subresources.kubevirt.io/v1/namespaces/kube-gateway/virtualmachineinstances/testvm/vnc
146+
147+
# Create a token payload for accessing the API path for 1 hour, starting now
148+
data='{"URLs":["${path}"],"duration":"1h"}'
146149
token=$(cat token) # Use a k8s token that can access the private key for signing the JWT
147150
proxyurl=https://192.168.39.134:30345 # Use the url of the gateway proxy
148-
jwt=$(curl -sk -H 'Accept: application/json' -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" --request POST --data "${data}" "${proxyurl}/auth/jwt/request" | jq .Token)
149151

150-
# Create a path to the k8s resource
151-
path=/apis/subresources.kubevirt.io/v1/namespaces/kube-gateway/virtualmachineinstances/testvm/vnc
152+
# Use the /auth/jwt/request endpoint to sign the token payload using the private key secret
153+
# The service account bearer token used in this command must be able to access the secret holding the private key
154+
jwt=$(curl -sk -H 'Accept: application/json' -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" --request POST --data "${data}" "${proxyurl}/auth/jwt/request" | jq .Token)
152155

153156
# Open the link in a browser
154157
# The link is sined using ${jwt} and will access the k8s API at ${path}
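
Review bot: On new line 148, `data='{"URLs":["${path}"],"duration":"1h"}'` is single-quoted, so the shell does not expand `${path}` and the request payload carries the literal string `${path}` instead of the VNC subresource path set on line 145. Build the payload with double quotes and escaped inner quotes, or with `jq -n --arg path "${path}" '{URLs: [$path], duration: "1h"}'`, so the signed JWT is scoped to the intended URL. Two smaller points on line 154: `jq .Token` keeps the JSON quotes around the token, so `jq -r .Token` is the safer choice for a value that ends up in a link, and `curl -sk` sends the service account bearer token without verifying the proxy certificate, which the README should note is meant for a test setup only. The context comment on line 157 also has a typo, "sined" for "signed".
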
@@ -168,7 +171,6 @@ google-chrome "${signed_link}"
168171
| /auth/callback | flag -oauth-server-enable | OAuth2 authentication callback endpoint |
169172
| /auth/jwt/request | flag -jwt-request-enable | endpoint for generating JWT access keys |
170173

171-
172174
## Supported JWT Claims
173175

174176
| Claim | example | description | default |
