Getting started with the CLI
Konflux provides a user-friendly web interface for managing your resources. However, for advanced users or those comfortable with the command line, kubectl offers a powerful way to interact with the platform.
-
An up-to-date kubectl binary installed on your machine. You can verify the version using
kubectl version
. -
Alternatively, the
oc
binary (used with OpenShift) is also compatible with Konflux in most cases.
Granting Cluster Access (Platform Engineer Role)
-
Cluster Configuration (Platform Engineer): A Platform Engineer (PE) with the appropriate permissions needs to configure your Konflux instance for kubectl access. This typically involves enabling the Kubernetes API server and generating a cluster configuration file (often named
kubeconfig
). -
Template kubeconfig File (Platform Engineer): The PE will likely provide a template
kubeconfig
file containing the necessary connection details. This file serves as a starting point for individual user access.
User Setup
-
Obtain the Template kubeconfig: Once the PE has configured cluster access and created the template file, you’ll receive a copy from your PE or IT team.
-
Personalize Your kubeconfig: Make a copy of the template file and personalize it with your unique user context information. This might involve setting environment variables or editing the file directly as provided by the PE.
-
Use kubectl: With your personalized
kubeconfig
in place, you can use the kubectl command-line tool to interact with your Konflux cluster.
Whether you need to enable CLI access, or to gain access once it is available, refer to the relevant procedures below.
Enabling CLI access for Konflux
-
Follow these instructions to set up Keycloak as an OpenID Connect (OIDC) identity provider. Be aware that, when installing Konflux, you already set up a Keycloak server and created a realm called
redhat-external
. -
In your preferred text editor, use the
kubeconfig
template below to create a template specific to your organization. Be sure to provide the following values, specific to your organization, for the corresponding fields in the template file:-
The API URL for your cluster, for example:
https://api-toolchain-host-operator.apps.stone-prd-host1.wdlc.p1.openshiftapps.com
-
Your OIDC issuer URL, for example:
https://sso.redhat.com/auth/realms/redhat-external
-
Your OIDC client ID, for example:
rhoas-cli-prod
apiVersion: v1 clusters: - cluster: server: (1) name: konflux contexts: - context: cluster: konflux namespace: <username>-tenant user: oidc name: konflux current-context: konflux kind: Config preferences: {} users: - name: oidc user: exec: apiVersion: client.authentication.k8s.io/v1beta1 args: - oidc-login - get-token - --oidc-issuer-url= (2) - --oidc-client-id= (3) command: kubectl env: null interactiveMode: IfAvailable provideClusterInfo: false
-
-
Make this template
kubeconfig
, now specific to your organization, available to users of your Konflux instance.
Accessing Konflux through the CLI
-
Get the template
kubeconfig
file for your organization’s instance of Konflux. A PE should be able to provide you with this. -
Using your preferred text editor, in your copy of the template
kubeconfig
, replace <username> with your Konflux username. -
Use one of these two methods for making your
kubeconfig
file accessible to thekubectl
CLI tool:-
In your CLI, run the following command:
export $KUBECONFIG=<path to your kubeconfig file>
-
Or, overwrite the file located at
~/.kube/config
with yourkubeconfig
file.
-
-
Verify your available contexts by running the following command in your CLI. You should see the
konflux
context.kubectl config get-contexts
-
Still in your CLI, set
konflux
as the default context:kubectl config use-context konflux
-
Trigger a round trip from your machine to the cluster and back, to verify the connection:
kubectl get cm