Import the Certifai remote configuration
Prerequisites
- You have a remote installation (Certifai Pro or Enterprise) on one of the following platforms:
- If you are using a Certifai Pro instance, you have downloaded the certifai-kubeconfig.json file.
- If you are using a Certifai Enterprise instance on RHOS, you have the following information, provided by your administrator and based on the operator instance installation:
- Project name/Namespace
- Login token
Configure your remote information
If you are using a Certifai Enterprise instance:
Connect to your Kubernetes cluster. If your Certifai Enterprise instance is on RHOS, run the following commands to log in to your OpenShift cluster:
oc login --token=<TOKEN> --server=https://api.<OPENSHIFT_CLUSTER>:6443
oc project <PROJECT_NAME>
See the OpenShift Setup for additional instructions on getting your OpenShift token to log in to your OpenShift cluster.
Once you have connected to your Kubernetes cluster, you can use your local Kubernetes config file, ~/.kube/config, to configure the Certifai CLI, as shown below. Contact your cluster administrator if you do not have a Kubernetes config file or are unsure how to connect to your cluster.
Example:
certifai remote config -f <kube-config-file> -n <namespace>
The output should be similar to:
Checking for access to Kubernetes cluster with context - <your-context>
Connection to cluster succeeded, found API - v1
Updating alias - default
Configuration updated from - <kube-config-file>
If you are using a Certifai Pro instance:
After downloading the Kubernetes config, import the configuration into your Certifai toolkit. If you downloaded the certifai_kubeconfig.zip to a different location, substitute ~/Downloads/ with that location.
certifai remote config -f ~/Downloads/certifai-kubeconfig.json
The output is:
Checking for access to Kubernetes cluster with context - certifai-pro
Connection to cluster succeeded, found API - v1
Scanner image found - cortex-certifai-scanner:local
Updating alias - default
Configuration updated from - ~/.kube/config
A Certifai remote configuration is created at ~/.certifai/remoteConfig that contains the information the Certifai toolkit requires to connect to and generate Kubernetes resource definitions for your scans.
Advanced remote configuration usage
Additional remote configuration options are described below.
Aliases (-a)
Multiple remote Certifai installations can be configured using aliases. An alias can be defined when importing your remote configuration by running:
certifai remote config -f <kube config file> -a <alias name>
A default alias is used when no -a option is defined. If the -a option is set, then any certifai remote commands that use that configuration must also set the -a option.
Contexts (-c)
Contexts are useful for users who are adding on to existing clusters or for Certifai Enterprise users. When you import a Kubernetes configuration that has multiple contexts, you can set the context to import using the -c option. A context is like a kubectl profile that allows you to have multiple servers/auth tokens configured.
certifai remote config -f <kube config file> -c <context name>
When no -c option is set, the current-context in the Kubernetes configuration is imported.
Namespaces (-n)
Certifai is normally installed in the Kubernetes certifai namespace. If it is installed in a different namespace, you can set that namespace during configuration import.
certifai remote config -f <kube config file> -n <Certifai kube namespace>
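The options above decide which cluster, credentials and namespace get imported. As an added example (not Certifai's own code), this preflight check resolves the context the way this page describes (no -c means current-context, no -n means certifai) and flags settings worth fixing before import. It assumes a JSON kubeconfig such as certifai-kubeconfig.json on a POSIX system; `preflight`, `demo` and `SAMPLE` are hypothetical names and the data is constructed.

```python
import json, os, stat, tempfile

SAMPLE = {  # constructed kubeconfig for illustration, not a real cluster
    "current-context": "certifai-pro",
    "contexts": [
        {"name": "certifai-pro", "context": {"cluster": "c1", "user": "u1"}},
        {"name": "staging", "context": {"cluster": "c2", "user": "u2"}},
    ],
    "clusters": [
        {"name": "c1", "cluster": {"server": "https://cluster.example:16443"}},
        {"name": "c2", "cluster": {"server": "https://staging.example:6443",
                                   "insecure-skip-tls-verify": True}},
    ],
    "users": [
        {"name": "u1", "user": {"client-certificate-data": "PLACEHOLDER"}},
        {"name": "u2", "user": {"token": "PLACEHOLDER"}},
    ],
}

def preflight(path, context=None, namespace="certifai"):
    """Resolve what -c / -n would select and list findings for that context."""
    with open(path) as fh:
        cfg = json.load(fh)
    findings = []
    # The file carries cluster credentials, so only its owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:o} lets other users read credentials")
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    name = context or cfg.get("current-context")  # no -c: current-context
    if name not in contexts:
        raise ValueError(f"context {name!r} not found; have {sorted(contexts)}")
    ctx = contexts[name]
    cluster = next(c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("TLS verification of the API server is disabled")
    if "token" in user:
        findings.append("bearer token stored in file; refresh and re-import when it expires")
    return {"context": name, "server": cluster["server"],
            "namespace": namespace, "findings": findings}

def demo(context=None, mode=0o644):
    """Write the constructed sample to a temp file and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "kubeconfig.json")
        with open(path, "w") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, mode)
        return preflight(path, context)
```

Running `preflight` on the file you are about to pass with -f shows which server and context the import will use before any credentials leave the file.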
Troubleshooting
Errors may occur while using the certifai remote [cmd] commands. This section identifies some of them and provides instructions for how to resolve them.
Additional troubleshooting can be found at Remote Scan Management.
File not found
Failed to update configuration - [Errno 2] No such file or directory: '<file defined with -f option>'
The Kubernetes config file was not found at the expected location. Check that the -f option is set to a file location that exists and can be accessed.
Connection timeout
```
Failed to update configuration - HTTPSConnectionPool(host='111.111.111.111', port=16443):
Max retries exceeded with url: /apis/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb9701d32e8>:
Failed to establish a new connection: [Errno X] Message',))
```
The imported Kubernetes configuration points to a location that is unreachable.
- Verify that you are online.
- Verify that you can communicate with the cluster from your machine by accessing your remote console.
- Verify that port 16443 is exposed.
Unauthorized
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
The token used with the Kubernetes configuration is no longer valid. In RHOS the token will expire and should be refreshed by logging into the RHOS console and, under the logged-in user's name, clicking Copy login command and then Display token. An oc (OpenShift command) login command is displayed. Run it in your terminal.
oc login --token=<token> --server=<server>
After the authorization is updated, import the configuration again.
Certifai operator not found
Reason: Certifai operator not found, is Certifai installed in namespace - "<-n value or certifai>" of context - "<-c value or current-context>"
The Certifai operator was not found in the namespace set with the -n option, or in certifai by default. Verify that you specified a valid namespace.