Version: 1.3.14

Import the Certifai remote configuration

Prerequisites

  • You have a remote installation (Certifai Pro or Enterprise) on one of the following platforms:
  • If you are using a Certifai Pro instance, you have downloaded the certifai-kubeconfig.json file.
  • If you are using a Certifai Enterprise instance on RHOS, you have the following information, provided by your administrator and based on the operator instance installation:
    • Project name/Namespace
    • Login token

Configure your remote information

  • If you are using a Certifai Enterprise instance:

    Connect to your Kubernetes cluster. If your Certifai Enterprise instance is on RHOS, run the following commands to log in to your OpenShift cluster:

    oc login --token=<TOKEN> --server=https://api.<OPENSHIFT_CLUSTER>:6443
    oc project <PROJECT_NAME>

    See the OpenShift Setup for additional instructions on getting your OpenShift token to log in to your OpenShift cluster.

    Once you have connected to your Kubernetes cluster, you can use your local Kubernetes config file, ~/.kube/config, to configure the Certifai CLI, as shown below. Contact your cluster administrator if you do not have a Kubernetes config file or are unsure how to connect to your cluster. Example:

    certifai remote config -f <kube-config-file> -n <namespace>

    The output should be similar to:

    Checking for access to Kubernetes cluster with context - <your-context>
    Connection to cluster succeeded, found API - v1
    Updating alias - default
    Configuration updated from - <kube-config-file>
  • If you are using a Certifai Pro instance:

    After downloading the Kubernetes config, import the configuration into your Certifai toolkit.

    If you downloaded the certifai_kubeconfig.zip to a different location, substitute ~/Downloads/ with that location.

    certifai remote config -f ~/Downloads/certifai-kubeconfig.json

    The output is:

    Checking for access to Kubernetes cluster with context - certifai-pro
    Connection to cluster succeeded, found API - v1
    Scanner image found - cortex-certifai-scanner:local
    Updating alias - default
    Configuration updated from - ~/.kube/config

A Certifai remote configuration is created at ~/.certifai/remoteConfig that contains the information the Certifai toolkit requires to connect to and generate Kubernetes resource definitions for your scans.

Advanced remote configuration usage

Additional remote configuration options are described below.

Aliases

-a

Multiple remote Certifai installations can be configured using aliases. An alias can be defined when importing your remote configuration by running:

certifai remote config -f <kube config file> -a <alias name>

A default alias is used when no -a option is defined. If the -a option is set, then any certifai remote commands that use that configuration must also set the -a option.

Contexts

-c

Contexts are useful for users who are adding on to existing clusters and for Certifai Enterprise users. When you import a Kubernetes configuration that has multiple contexts, you can set the context to import using the -c option. A context is like a kubectl profile that allows you to have multiple servers and auth tokens configured.

certifai remote config -f <kube config file> -c <context name>

When no -c option is set, the current-context in the Kubernetes configuration is imported.

Namespaces

-n

Certifai is normally installed in the Kubernetes certifai namespace. If it is installed in a different namespace, you can set that namespace during configuration import.

certifai remote config -f <kube config file> -n <Certifai kube namespace>
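Added example, not part of the Certifai toolkit or the original page: a pre-import check that resolves which context, server and namespace an import would target under the -c and -n defaults described above, and flags a kubeconfig whose credentials are readable by other users. It assumes a JSON-format kubeconfig; `preflight`, `write_sample` and all sample values are hypothetical.

```python
import json, os, stat, tempfile

DEFAULT_NAMESPACE = "certifai"  # namespace used when -n is not given
# Constructed sample kubeconfig in JSON form; every name and value is a placeholder.
SAMPLE = {
    "current-context": "certifai-pro",
    "contexts": [{"name": "certifai-pro", "context": {"cluster": "pro", "user": "pro-user"}},
                 {"name": "rhos", "context": {"cluster": "rhos", "user": "rhos-user"}}],
    "clusters": [{"name": "pro", "cluster": {"server": "https://pro.invalid:16443"}},
                 {"name": "rhos", "cluster": {"server": "https://rhos.invalid:6443",
                                              "insecure-skip-tls-verify": True}}],
    "users": [{"name": "pro-user", "user": {"client-certificate-data": "PLACEHOLDER"}},
              {"name": "rhos-user", "user": {"token": "PLACEHOLDER"}}],
}

def _entry(cfg, section, key, name):  # body of the named entry in a list section, or {}
    return next((e[key] for e in cfg.get(section, []) if e.get("name") == name), {})

def preflight(path, context=None, namespace=None):
    """Resolve the target an import of `path` would use and list findings about the file."""
    if not os.path.isfile(path):
        return None, [f"file not found: {path}"]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:03o}: credentials readable beyond owner, chmod 600")
    with open(path) as fh:
        cfg = json.load(fh)
    name = context or cfg.get("current-context")  # -c unset: current-context is imported
    ctx = _entry(cfg, "contexts", "context", name)
    if not ctx:
        return None, findings + [f"context not in file: {name}"]
    cluster = _entry(cfg, "clusters", "cluster", ctx.get("cluster"))
    user = _entry(cfg, "users", "user", ctx.get("user"))
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("TLS verification disabled for this cluster")
    if "token" in user:
        findings.append("token credential in file: re-import after it is refreshed")
    return {"context": name, "server": cluster.get("server"),
            "namespace": namespace or DEFAULT_NAMESPACE}, findings

def write_sample(mode=0o600):  # write SAMPLE to a temp file with this mode, return path
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(preflight(write_sample(0o644), context="rhos", namespace="team-a"))
```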

Troubleshooting

Errors may occur while using the certifai remote [cmd] commands. This section identifies some of them and provides instructions for how to resolve them.

Additional troubleshooting can be found at Remote Scan Management.

File not found

Failed to update configuration - [Errno 2] No such file or directory: '<file defined with -f option>'

The Kubernetes config file was not found at the expected location. Check that the -f option is set to a file location that exists and can be accessed.

Connection timeout

```
Failed to update configuration - HTTPSConnectionPool(host='111.111.111.111', port=16443):
Max retries exceeded with url: /apis/ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fb9701d32e8>:
Failed to establish a new connection: [Errno X] Message',))
```

The imported Kubernetes configuration points to a location that is unreachable.

  • Verify that you are online.
  • Verify that you can communicate with the cluster from your machine by accessing your remote console.
  • Verify that port 16443 is exposed.

Unauthorized

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

The token used with the Kubernetes configuration is no longer valid. In RHOS the token will expire and should be refreshed: log in to the RHOS console, click Copy login command under the logged-in user's name, and then click Display token. An oc (OpenShift command) login command is displayed. Run it in your terminal.

oc login --token=<token> --server=<server>

After the authorization is updated, import the configuration again.

Certifai operator not found

Reason: Certifai operator not found, is Certifai installed in namespace - "<-n value or certifai>" of context - "<-c value or current-context>"

The Certifai operator was not found in the namespace set with the -n option, or in the certifai namespace by default. Verify that you specified a valid namespace.