Getting started with the CLI

Konflux provides a user-friendly web interface for managing your resources. However, for advanced users or those comfortable with the command line, kubectl offers a powerful way to interact with the platform.

Prerequisites
  • An up-to-date kubectl binary installed on your machine. You can verify the version using kubectl version.

  • Alternatively, the oc binary (used with OpenShift) is also compatible with Konflux in most cases.

Granting Cluster Access (Platform Engineer Role)

  1. Cluster Configuration (Platform Engineer): A Platform Engineer (PE) with the appropriate permissions needs to configure your Konflux instance for kubectl access. This typically involves enabling the Kubernetes API server and generating a cluster configuration file (often named kubeconfig).

  2. Template kubeconfig File (Platform Engineer): The PE will likely provide a template kubeconfig file containing the necessary connection details. This file serves as a starting point for individual user access.

User Setup

  1. Obtain the Template kubeconfig: Once the PE has configured cluster access and created the template file, you’ll receive a copy from your PE or IT team.

  2. Personalize Your kubeconfig: Make a copy of the template file and personalize it with your unique user context information. This might involve setting environment variables or editing the file directly as provided by the PE.

  3. Use kubectl: With your personalized kubeconfig in place, you can use the kubectl command-line tool to interact with your Konflux cluster.

Whether you need to enable CLI access, or to gain access once it is available, refer to the relevant procedures below.

Enabling CLI access for Konflux

Procedure
  1. Follow these instructions to set up Keycloak as an OpenID Connect (OIDC) identity provider. Be aware that, when installing Konflux, you already set up a Keycloak server and created a realm called redhat-external.

  2. In your preferred text editor, use the kubeconfig template below to create a template specific to your organization. Be sure to provide the following values, specific to your organization, for the corresponding fields in the template file:

    1. The API URL for your cluster, for example: https://api-toolchain-host-operator.apps.stone-prd-host1.wdlc.p1.openshiftapps.com

    2. Your OIDC issuer URL, for example: https://sso.redhat.com/auth/realms/redhat-external

    3. Your OIDC client ID, for example: rhoas-cli-prod

      apiVersion: v1
      clusters:
      - cluster:
          server: (1)
        name: konflux
      contexts:
      - context:
          cluster: konflux
          namespace: <username>-tenant
          user: oidc
        name: konflux
      current-context: konflux
      kind: Config
      preferences: {}
      users:
      - name: oidc
        user:
          exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            args:
            - oidc-login
            - get-token
            - --oidc-issuer-url= (2)
            - --oidc-client-id= (3)
            command: kubectl
            env: null
            interactiveMode: IfAvailable
            provideClusterInfo: false
  3. Make this template kubeconfig, now specific to your organization, available to users of your Konflux instance.

Accessing Konflux through the CLI

Prerequisites
Procedure
  1. Get the template kubeconfig file for your organization’s instance of Konflux. A PE should be able to provide you with this.

  2. Using your preferred text editor, in your copy of the template kubeconfig, replace <username> with your Konflux username.

  3. Use one of these two methods for making your kubeconfig file accessible to the kubectl CLI tool:

    1. In your CLI, run the following command:

      export $KUBECONFIG=<path to your kubeconfig file>
    2. Or, overwrite the file located at ~/.kube/config with your kubeconfig file.

  4. Verify your available contexts by running the following command in your CLI. You should see the konflux context.

    kubectl config get-contexts

  5. Still in your CLI, set konflux as the default context:

    kubectl config use-context konflux

  6. Trigger a round trip from your machine to the cluster and back, to verify the connection:

    kubectl get cm