mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
83 lines
2.3 KiB
Plaintext
83 lines
2.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * virt/managing_vms/virt-accessing-vm-consoles.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="virt-temporary-token-VNC_{context}"]
|
|
= Generating a temporary token for the VNC console
|
|
|
|
To access the VNC of a virtual machine (VM), generate a temporary authentication bearer token for the Kubernetes API.
|
|
|
|
[NOTE]
|
|
====
|
|
Kubernetes also supports authentication using client certificates, instead of a bearer token, by modifying the curl command.
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* A running VM with {VirtProductName} 4.14 or later and `ssp-operator` 4.14 or later.
|
|
* You have installed the {oc-first}.
|
|
|
|
.Procedure
|
|
|
|
. Set the `deployVmConsoleProxy` field value in the HyperConverged (`HCO`) custom resource (CR) to `true`:
|
|
+
|
|
[source,terminal,subs="attributes+"]
|
|
----
|
|
$ oc patch hyperconverged kubevirt-hyperconverged -n {CNVNamespace} --type json -p '[{"op": "replace", "path": "/spec/deployVmConsoleProxy", "value": true}]'
|
|
----
|
|
|
|
. Generate a token by entering the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl --header "Authorization: Bearer ${TOKEN}" \
|
|
"https://api.<cluster_fqdn>/apis/token.kubevirt.io/v1alpha1/namespaces/<namespace>/virtualmachines/<vm_name>/vnc?duration=<duration>"
|
|
----
|
|
+
|
|
The `<duration>` parameter can be set in hours and minutes, with a minimum duration of 10 minutes. For example: `5h30m`. If this parameter is not set, the token is valid for 10 minutes by default.
|
|
+
|
|
Sample output:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
{ "token": "eyJhb..." }
|
|
----
|
|
|
|
. Optional: Use the token provided in the output to create a variable:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ export VNC_TOKEN="<token>"
|
|
----
|
|
|
|
You can now use the token to access the VNC console of a VM.
|
|
|
|
.Verification
|
|
|
|
. Log in to the cluster by entering the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc login --token ${VNC_TOKEN}
|
|
----
|
|
|
|
. Test access to the VNC console of the VM by using the `virtctl` command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ virtctl vnc <vm_name> -n <namespace>
|
|
----
|
|
|
|
[WARNING]
|
|
====
|
|
It is currently not possible to revoke a specific token.
|
|
|
|
To revoke a token, you must delete the service account that was used to create it. However, this also revokes all other tokens that were created by using the service account. Use the following command with caution:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ virtctl delete serviceaccount --namespace "<namespace>" "<vm_name>-vnc-access"
|
|
----
|
|
====
|