DigitalOcean is a unique and straightforward cloud hosting provider. DigitalOcean offers cloud computing services to customers to deploy and develop applications that need to be run across multiple cloud servers. DigitalOcean infrastructure is one of the leading cloud service providers based in the USA. Even though the headquarters of DigitalOcean is located in New York City, their data centers are prevalent in every corner of the world to offer seamless cloud services across the globe. In addition, DigitalOcean provides a simple interface and set-up along with a very affordable price.
DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service offered by DigitalOcean that lets users deploy Kubernetes clusters without the complexities of handling the control panel and containerized infrastructure. Kubernetes clusters are compatible with standard Kubernetes toolchains and integrate natively with DigitalOcean block storage volumes and load balancers. The users are charged for a Kubernetes cluster based on the cluster’s resources. Users can view all charges for Kubernetes clusters in the Kubernetes section of monthly invoices. At least one data center in every region supports Kubernetes in DigitalOcean. Note that Kubernetes is not offered in the AMS2, NYC2, or SFO1 region.
Kubernetes clusters offered by DigitalOcean are typically managed from a local system or sometimes from a remote management server. In either case, the management system needs the following things:
- Install kubectl, the official Kubernetes command-line tool. kubectl connects to and interacts with the Kubernetes cluster in DigitalOcean. After installing it, verify the installation by executing the following command:
kubectl version
- Install doctl, the official DigitalOcean command-line tool. doctl helps to manage configuration files and set the context. Follow the instructions mentioned in the doctl GitHub repo to install doctl.
Get an Authentication Token or Certificate
After creating a Kubernetes cluster, users need to add an authentication token or certificate to their kubectl configuration file to connect.
Version requirements for obtaining tokens
The Kubernetes versions that issue an authentication token rather than a certificate are:
- Kubernetes version 1.13.10-do.3 or higher.
- Kubernetes version 1.14.6-do.3 or higher.
- Kubernetes version 1.15.3-do.3 or higher.
- Any release of Kubernetes after version 1.16.
When connecting to these Kubernetes versions, the system generates credentials by creating a revocable OAuth token. If the user is using doctl, it must be version 1.32.2 or higher to obtain an OAuth token.
If the users are not running these versions of Kubernetes, or are using a legacy version of doctl, they will be granted a certificate instead.
Generating Credentials using the doctl
Note that this is the widely recommended method to generate credentials for a DigitalOcean Kubernetes cluster. To configure authentication from the DigitalOcean command-line tool, execute the following command, replacing the your_cluster_name parameter with the name of the Kubernetes cluster for which the user wants to configure authentication:
doctl kubernetes cluster kubeconfig save your_cluster_name
The above command does the following:
- downloads the kubeconfig for the cluster,
- merges the kubeconfig file with any existing configuration in ~/.kube/config,
- automatically handles the authentication token or certificate.
Under the hood, the command obtains a revocable OAuth token with recent versions of Kubernetes and doctl, and an automatically renewed certificate with legacy versions:
- Revocable OAuth token. If the user has met the version requirements listed above, they will obtain an OAuth token. Users can view and revoke this token in the Applications & API section of the DigitalOcean control panel.
- Automatic certificate renewal. With legacy versions of doctl or Kubernetes, this creates a certificate valid for seven days and renews it automatically. Note that users cannot revoke these certificates.
Users can upgrade Kubernetes clusters to newer patch versions and minor versions to use tokens instead of certificates.
Download the Configuration File from the DigitalOcean Control Panel
The cluster configuration file can also be downloaded manually from the DigitalOcean control panel. To do so, follow the steps below:
- First, log in to the DigitalOcean control panel and click the name of the cluster to go to its Overview tab.
- In the Access Cluster Config File section, click Download Config File to download the kubeconfig file. The file format will be <cluster_name>-kubeconfig.yaml.
- Move the <cluster_name>-kubeconfig.yaml file into the ~/.kube directory and pass it to kubectl with the --kubeconfig flag. For example:
kubectl --kubeconfig=~/.kube/<cluster_name>-kubeconfig.yaml get nodes
The downloaded file contains a revocable OAuth token when using recent versions of Kubernetes, and a certificate for legacy versions:
- Revocable OAuth token. If the user has met the version requirements listed above, they will obtain an OAuth token. Users can view and revoke this token in the Applications & API section of the DigitalOcean control panel.
- Expiring certificate. With legacy Kubernetes versions, this creates a certificate valid for 7 days that cannot be revoked. Users need to download the file again every 7 days to retain access to the cluster.
Users can upgrade Kubernetes clusters to newer patch versions and minor versions to use tokens instead of certificates.
Connect to the Kubernetes Cluster
Once the cluster configuration file is in place, users can create, deploy, and manage clusters using the command-line tool (kubectl).
Contexts
In Kubernetes, a context is a concept used to group access parameters under a convenient name. The configuration for every Kubernetes cluster will contain a stanza for contexts with cluster-specific values similar to the one shown below:
Sample Context Configuration Stanza
contexts:
- context:
    cluster: do-sfo2-sample-cluster-01
    user: do-sfo2-sample-cluster-01-admin
  name: do-sfo2-sample-cluster-01
current-context: do-sfo2-sample-cluster-01
When the user runs kubectl, the commands affect the default context unless another one is specified with the --context flag, such as:
kubectl get nodes --context=do-nyc1-stage
To check the current default context, execute the following kubectl command:
kubectl config current-context
If the user gets a current-context is not set error, they need to set a default context. Execute the following command to list all available contexts:
kubectl config get-contexts
Sample Output
CURRENT   NAME                        CLUSTER                     AUTHINFO                          NAMESPACE
*         do-sfo2-sample-cluster-01   do-sfo2-sample-cluster-01   do-sfo2-sample-cluster-01-admin
The default context is specified with an asterisk mark under “CURRENT”. To set the default context to another one, execute the following command:
kubectl config use-context do-sfo2-sample-cluster-01
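Because a downloaded kubeconfig may carry either a revocable OAuth token or a non-revocable certificate that expires after 7 days, and because kubectl fails when current-context is unset, it helps to inspect the file before relying on it. The following POSIX shell example is added here and is not part of the original tutorial or of doctl; the two kubeconfigs are constructed samples with placeholder values that follow the standard kubeconfig layout (users[].user.token, users[].user.exec, users[].user.client-certificate-data).

```shell
# Constructed sample kubeconfigs for demonstration: no real cluster or secret.
# Token-style entry, as issued for recent Kubernetes/doctl versions.
TOKEN_KUBECONFIG='apiVersion: v1
kind: Config
contexts:
- context:
    cluster: do-sfo2-sample-cluster-01
    user: do-sfo2-sample-cluster-01-admin
  name: do-sfo2-sample-cluster-01
current-context: do-sfo2-sample-cluster-01
users:
- name: do-sfo2-sample-cluster-01-admin
  user:
    token: PLACEHOLDER_OAUTH_TOKEN'

# Legacy-style entry: client certificate, and no current-context set.
CERT_KUBECONFIG='apiVersion: v1
kind: Config
contexts:
- context:
    cluster: do-sfo2-sample-cluster-01
    user: do-sfo2-sample-cluster-01-admin
  name: do-sfo2-sample-cluster-01
users:
- name: do-sfo2-sample-cluster-01-admin
  user:
    client-certificate-data: UExBQ0VIT0xERVI=
    client-key-data: UExBQ0VIT0xERVI='

# Print which credential the user stanza carries:
#   token -> revocable OAuth token (revoke under Applications & API if exposed)
#   exec  -> token fetched on demand by an external command such as doctl
#   cert  -> client certificate: expires, cannot be revoked, re-download in time
kubeconfig_cred_type() {
  if   printf '%s\n' "$1" | grep -qE '^[[:space:]]+token:'; then echo token
  elif printf '%s\n' "$1" | grep -qE '^[[:space:]]+exec:';  then echo exec
  elif printf '%s\n' "$1" | grep -qE '^[[:space:]]+client-certificate-data:'; then echo cert
  else echo unknown
  fi
}

# Print the current-context value, or nothing when it is unset
# (the situation behind kubectl's "current-context is not set" error).
kubeconfig_current_context() {
  printf '%s\n' "$1" | sed -n 's/^current-context:[[:space:]]*//p'
}
```

Run kubeconfig_cred_type and kubeconfig_current_context on the contents of a real ~/.kube/<cluster_name>-kubeconfig.yaml to decide whether a leaked file can be revoked or must simply be allowed to expire, and whether kubectl config use-context is needed before first use.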
Namespaces
Namespaces are a way to divide resources between multiple users in the Kubernetes cluster. They are helpful when an organization has many users working on the same cluster. Users can create multiple namespaces in a cluster, and resources in one namespace are hidden from other namespaces.
Conclusion
This tutorial presented the process to generate credentials and connect to a Kubernetes cluster in DigitalOcean. We hope this tutorial was helpful; do reach out to us if you have any queries or suggestions.