New-Credentials

Objective

This guide provides instructions on how to generate various credentials related to Volterra services from the VoltConsole. Volterra provides the following two types of credentials:

  • My credentials - These are generated and used for different authentication and authorization purposes while accessing Volterra APIs or deploying apps using Volterra vK8s.
  • Service credentials - These are generated by the administrators to create custom service roles and associated service users.

Note: My Credentials inherit the roles of the user. In the case of service credentials, you can assign specific roles to the service user.

Using the instructions provided in this guide, you can create various types of credentials and download them for use in API requests.


Prerequisites

The following prerequisites apply:


My Credentials

The following types of My Credentials can be generated and downloaded from VoltConsole:

  • API Tokens - The tokens are used in site deployment and also for the authorization in the API requests.
  • X.509 Certificates - These certificates are used in API requests.
  • Kubeconfig - These are the kubeconfigs for deploying your applications using Volterra vK8s.

Note: You can use either an API certificate or an API token for authentication. However, it is recommended to use API certificates as they offer more robust security via Mutual TLS (mTLS) authentication. The API tokens are used with one-way TLS authentication.

Generate API Certificate

Step 1: Start credential creation in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Click My Credentials in the options under Personal Management and click Create credentials.

Figure: Create Credentials

Step 2: Configure name and select credential type.

Enter a name for your certificate and select API Certificate for the Credential type field.

Step 3: Enter a password and repeat for confirmation.

Step 4: Generate the certificate and download it.

Select an expiry time as per the calendar option displayed in the Expiry Date field. Click Download to download the certificate in the .p12 file format.

Figure: Create API Certificate

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.

After generating the certificate, you can use it in API requests. The following is a sample API request to delete a namespace.

curl -k -X POST --cert-type P12 --cert ~/Downloads/<api-creds>.p12:<password> https://<tenant>.console.ves.volterra.io/api/web/namespaces/<namespace>/cascade_delete -v

Note: It is recommended to specify the full path to the certificate.
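Because the API certificate expires (90 days by default), automation that relies on the downloaded .p12 file benefits from an expiry check before it calls the API. The following is an added example, not part of the original Volterra guide; the function names p12_expires_within and make_sample_p12, the P12_PASSWORD environment variable and the throwaway sample certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: warn before a VoltConsole API certificate (.p12) expires.
# Assumption: the bundle password is supplied in the P12_PASSWORD environment
# variable, so it does not appear on the openssl command line.

# p12_expires_within FILE DAYS
#   exit 0 -> client certificate expires within DAYS (renew it now)
#   exit 1 -> certificate is valid for longer than DAYS
#   exit 2 -> bundle missing, unreadable, or wrong password
p12_expires_within() {
    file=$1 days=$2
    [ -r "$file" ] || return 2
    # Extract only the client certificate; the private key is never written out.
    pem=$(openssl pkcs12 -in "$file" -passin env:P12_PASSWORD \
              -clcerts -nokeys 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend "$((days * 86400))" >/dev/null 2>&1
    then return 1
    else return 0
    fi
}

# Constructed sample input: a throwaway self-signed bundle valid for DAYS days,
# standing in for a .p12 downloaded from VoltConsole.
make_sample_p12() {
    out=$1 days=$2 tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-sample" \
        -days "$days" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$out" -passout env:P12_PASSWORD &&
    chmod 600 "$out"            # the bundle contains a private key
    rc=$?; rm -rf "$tmp"; return $rc
}
```

Calling p12_expires_within with the full path to the downloaded file and a threshold such as 14 from a scheduled job gives time to create a replacement credential in VoltConsole before API requests start failing.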


Generate Kubeconfig

Step 1: Start creating credentials in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Click My Credentials in the options under Personal Management and click Create credentials.

Figure: Create Credentials

Step 2: Set a name and select the type of credentials.

Enter a name for your Kubeconfig file and select Kubeconfig for the Credential type field.

Step 3: Select namespace and vK8s cluster name.

Select namespace and vK8s cluster for the Namespace and VK8s cluster name fields respectively.

Step 4: Create the kubeconfig and download.

Select an expiry time as per the calendar option displayed in the Expiry Date field. Click Download to download the file.

Figure: Create Kubeconfig

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.

After generating the kubeconfig, you can use it in deployments. The following is a sample kubectl request to view the configuration:

kubectl config --kubeconfig=<kubeconfig-file> view

Generate API Tokens

Step 1: Start creating credentials in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Click My Credentials in the options under Personal Management and click Create credentials.

Figure: Create Credentials

Step 2: Set a name and select type of credentials.

Enter a name for your token and select API Token for the Credential type field.

Step 3: Complete token creation.

Select an expiry time as per the calendar option displayed in the Expiry Date field. Click Generate.

Figure: Create Credentials

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.

Step 4: Obtain the token.

Copy the API token using the Copy option and click Done.

Figure: Generated API Token

After generating the token, you can use it in API requests with the Authorization header. The following is a sample API request:

curl -k -X GET https://<tenant>.console.ves.volterra.io/api/web/namespaces -H 'Authorization: APIToken <token value>'

Note: All API access with the token will have the same RBAC assigned to the user who created the token.


Revoke API Credentials

You can force an API credentials object to be expired before its configured or default expiry time. Perform the following to revoke the API credentials:

Step 1: Navigate to your credentials in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Click My Credentials in the options under Personal Management.

Step 2: Perform revoke operation for an existing credential object.

  • In case of API tokens, select the API token for which you want to force expiry and click ... -> Force Expiry.

Figure: API Token Force Expiry Option

  • In case of API certificates or kubeconfigs, click ... -> Delete for the object.

Step 3: Complete revoke operation.

  • In case of API tokens, click Force Expire in the confirmation window to cause API credential object expiry.

Figure: API Token Force Expiry Confirmation

Note: You can renew or delete an expired credential. Click ... -> Renew against the expired credential in the list of credentials to renew it. Set an expiry date and click Renew Credential in the confirmation box. Click ... -> Delete against the expired credential in the list of credentials to delete it. Click Delete in the confirmation box.

  • In case of API certificates or kubeconfigs, click Delete in the confirmation window. This forces the expiry for the object and also deletes it from the Volterra system.

Service Credentials

Service credentials can be created by administrator users, and these credentials have roles assigned to provide API access to Volterra services. While creating service credentials, roles can be specified, and these roles are assigned to the created user, called ServiceUser.

Generate API Certificate

Step 1: Start credential creation in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Click Service Credentials in the options under IAM and click Create service credentials.

Figure: Navigate to Service Credentials

Step 2: Configure user email and select credential type.

Enter a string for service user email in the Credential Email field. Select API Certificate for the Credential type field.

Step 3: Enter a password and repeat for confirmation.

  • Enter the password in the Password field and repeat it in the Confirm Password field.
  • Select an expiry time as per the calendar option displayed in the Expiry Date field.

Figure: Navigate to Service Credentials

Step 4: Optionally, assign roles.

  • Click Assign roles and namespaces to open the namespace and role assignment screen.
  • Select a namespace in the Namespace field. Optionally, select the Make Admin checkbox to grant the admin role.
  • Click on the Select role field and select a role from the displayed choices. You can add more roles using the Add another role option.

Figure: Service Credentials Roles

  • Click Add roles.

Step 5: Generate the certificate and download it.

Click Download to download the certificate in the .p12 file format.

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.


Generate Kubeconfig

Step 1: Start creating credentials in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Click Service Credentials in the options under IAM and click Create service credentials.

Step 2: Set user email and select the type of credentials.

Enter a string for service user email in the Credential Email field. Select Kubeconfig for the Credential type field.

Step 3: Select namespace and vK8s cluster name.

  • Select namespace and vK8s cluster for the Namespace and VK8s cluster name fields respectively.
  • Select an expiry time as per the calendar option displayed in the Expiry Date field.

Step 4: Optionally, assign roles.

  • Click Assign roles and namespaces to open the namespace and role assignment screen.
  • Select a namespace in the Namespace field. Optionally, select the Make Admin checkbox to grant the admin role.
  • Click on the Select role field and select a role from the displayed choices. You can add more roles using the Add another role option.
  • Click Add roles.

Step 5: Create the kubeconfig and download.

Click Download to download the file.

Note: The maximum allowed expiry date for users is set by the tenant administrator. The system allows the administrator to set a maximum expiry of 365 days. The default expiry is 90 days.


Generate API Token

Step 1: Start credential creation in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Select IAM -> Service Credentials in the configuration menu and click Create service credentials.

Figure: Navigate to Service Credentials

Step 2: Configure user email and select credential type.

  • Enter an email for the user and select API Token for the Credential type field.
  • Select an expiry date in the Expiry Date field.

Figure: Service Credentials Basic Configuration

Step 3: Optionally, assign roles.

  • Click Assign roles and namespaces to open the namespace and role assignment screen.
  • Select a namespace in the Namespace field. Optionally, select the Make Admin checkbox to grant the admin role.
  • Click on the Select role field and select a role from the displayed choices. You can add more roles using the Add another role option.

Figure: Service Credentials Roles

  • Click Add roles.

Step 4: Generate the credential and copy it.

  • Click Generate to generate the service API token.

Figure: Create Service API Token

  • The generated service API token is displayed. Click Copy to copy the token and click Done. Ensure that you save the copied token for later use.

Figure: Copy Service API Token


Revoke Service Credentials

You can force credentials to be expired before the configured expiry time. Perform the following to revoke service credentials:

Step 1: Navigate to your service credentials in VoltConsole.

Log into the VoltConsole using your tenant credentials and click on the General option in the namespace selector. Click IAM -> Service Credentials.

Step 2: Perform revoke operation for an existing service credential object.

  • In case of API tokens, select the API token for which you want to force expiry and click ... -> Force Expiry.

Figure: Service API Token Force Expiry Option

  • In case of API certificates or kubeconfigs, click ... -> Delete.

Step 3: Complete revoke operation.

  • In case of API tokens, click Force Expire in the confirmation window to cause API token expiry.

Figure: Service API Token Force Expiry Confirmation

Note: You can renew or delete an expired credential. Click ... -> Renew against the expired credential in the list of credentials to renew it. Set an expiry date and click Renew Credential in the confirmation box. Click ... -> Delete against the expired credential in the list of credentials to delete it. Click Delete in the confirmation box.

  • In case of API certificates or kubeconfigs, click Delete in the confirmation window. This forces the credentials to be expired and also deletes the object from the Volterra system.

Concepts