Steps to Generate Token for Agent/Controller v5.x

The details in this page apply to all the release versions post v4.1.7

The agents in remote clusters require JWT token to communicate with the controller in ISD. If the ISD installation is done through HELM charts the token is generated automatically.

If not, you need to generate the token manually. Follow the steps given below to create the token manually:

Prerequisite:

Install latest 4.1.7 images.

To Create Controller Token

Execute the following command to access the controller pod.

k exec -it <controller pod name> -n <namesapce> -- sh

Ex: kubectl exec -it  opsmx-controller-controller1-b96c76db4-6lwrr 4  -n  isd414  -- sh

Run the following command in the controller pod.

./agent-controller -generate-control-tokens controller

The token will be generated and is similar to the example shown below:

eyJhbGciOiJIUzI1NiIsImtpZCI6InB1YmxpYy5wZW0iLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MTMyODM0MTMsImlzcyI6Im9wc214LWNvbnRyb2wtYXV0aCIsIm9wc214Lm5hbWUiOiJjb250cm9sbGVyIiwib3BzbXgucHVycG9zZSI6ImNvbnRyb2wifQ.1RPnYwWTemO7-u3yzftDhU5rs5OO13p185nsqCYrK7Y

Configuration changes

a) Create ingress and service

Add the ingress yaml file given below:

INGRESS YAML: (tcb-ingress  )

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tcb-ingress  
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod  
    cert-manager.io/issue-temporary-certificate: 'true' 
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
  
spec:
  tls:
    - hosts:
        - argo.tcb.opsmx.net 
      secretName: controller-secret-tls-grpc 
  rules:
    - host: argo.tcb.opsmx.net  
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: agent-grpc  
                port:
                  number: 9001

The agent-grpc service should be of type: ClusterIP

b) In controller configmap:

Change the agentHostname, remoteCommandHostname with the newly created ingress.
Add the following param agentAdvertisePort: 443

Eg: See the below configuration added to the controller configmap

c) Add the generated token in the oes-carina-config secret (carina-manager.yaml)

d) Remove the following:

caPath: /app/secrets/controller-ca.crt
certificatePath: /app/secrets/controller-control/tls.crt
keyPath: /app/secrets/controller-control/tls.key

in the url use http instead of https

url: 'http://opsmx-controller-controller1:9003'

token: eyJhbGciOiJIUzI1NiIsImtpZCI6InB1YmxpYy5wZW0iLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MTEwMjMzMDYsImlzcyI6Im9wc214LWNvbnRyb2wtYXV0aCIsIm9wc214Lm5hbWUiOiJjb250cm9sbGVyIiwib3BzbXgucHVycG9zZSI6ImNvbnRyb2wifQ.NQD5GBP9mQlK8b5K-wIou9lz6Gp4j2iPigSrGzzxwW8

d) Add token in the oes-sapor-config secret (application.yml)

Add below details before secretManagement: (replace your token)

controller:

3. Upgrade the existing agents (This step is required for upgrading existing agents only)

Go to Setup > CD integrations.
Edit the existing CD integration.
Save the existing CD integration (This action will refresh the agent-manifest.yaml file
Download the agent-manifest file.
Execute the following command to replace the old agent manifest with new agent.

kubectl replace - - force -f <newly generated manifest file name> -n <namepace of argocd>

Repeat these steps for all the existing agents.

PreviousConfiguration Changes for 4.1.8 NextSAML 2 Configuration

Last updated 1 year ago