Getting started with the CLI

Konflux provides a user-friendly web interface for managing your resources. However, for advanced users or those comfortable with the command line, kubectl offers a powerful way to interact with the platform.

Prerequisites

An up-to-date kubectl binary installed on your machine. You can verify the version using kubectl version.
Alternatively, the oc binary (used with OpenShift) is also compatible with Konflux in most cases.

Granting Cluster Access (Platform Engineer Role)

Cluster Configuration (Platform Engineer): A Platform Engineer (PE) with the appropriate permissions needs to configure your Konflux instance for kubectl access. This typically involves enabling the Kubernetes API server and generating a cluster configuration file (often named kubeconfig).
Template kubeconfig File (Platform Engineer): The PE will likely provide a template kubeconfig file containing the necessary connection details. This file serves as a starting point for individual user access.

User Setup

Obtain the Template kubeconfig: Once the PE has configured cluster access and created the template file, you’ll receive a copy from your PE or IT team.
Personalize Your kubeconfig: Make a copy of the template file and personalize it with your unique user context information. This might involve setting environment variables or editing the file directly as provided by the PE.
Use kubectl: With your personalized kubeconfig in place, you can use the kubectl command-line tool to interact with your Konflux cluster.

Whether you need to enable CLI access, or to gain access once it is available, refer to the relevant procedures below.

Enabling CLI access for Konflux

Procedure

Follow these instructions to set up Keycloak as an OpenID Connect (OIDC) identity provider. Be aware that, when installing Konflux, you already set up a Keycloak server and created a realm called redhat-external.

In your preferred text editor, use the kubeconfig template below to create a template specific to your organization. Be sure to provide the following values, specific to your organization, for the corresponding fields in the template file:

The API URL for your cluster, for example: https://api-toolchain-host-operator.apps.stone-prd-host1.wdlc.p1.openshiftapps.com
Your OIDC issuer URL, for example: https://sso.redhat.com/auth/realms/redhat-external

Your OIDC client ID, for example: rhoas-cli-prod

apiVersion: v1
clusters:
- cluster:
    server: (1)
  name: konflux
contexts:
- context:
    cluster: konflux
    namespace: <username>-tenant
    user: oidc
  name: konflux
current-context: konflux
kind: Config
preferences: {}
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url= (2)
      - --oidc-client-id= (3)
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

Make this template kubeconfig, now specific to your organization, available to users of your Konflux instance.

Accessing Konflux through the CLI

Prerequisites

Install kubectl
Install kubelogin

Procedure

Get the template kubeconfig file for your organization’s instance of Konflux. A PE should be able to provide you with this.
Using your preferred text editor, in your copy of the template kubeconfig, replace <username> with your Konflux username.
Use one of these two methods for making your kubeconfig file accessible to the kubectl CLI tool:
1. In your CLI, run the following command:
  export $KUBECONFIG=<path to your kubeconfig file>
2. Or, overwrite the file located at ~/.kube/config with your kubeconfig file.
Verify your available contexts by running the following command in your CLI. You should see the konflux context.

kubectl config get-contexts
Still in your CLI, set konflux as the default context:

kubectl config use-context konflux
Trigger a round trip from your machine to the cluster and back, to verify the connection:

kubectl get cm