Using Secure Tunnel with scripts

If you don't have a IBM Cloud Pak console, or prefer using Secure Tunnel with automation scripts, see the following steps.

• Creating a tunnel network
• Creating a port forwarding group with port forwarding
• Installing the tunnel client
• Deleting tunnel networks and port forwarding

Creating a tunnel network

1. Create a YAML file tunnel_network_example.yaml as follows to define a tunnel network.

   apiVersion: tunnel.management.ibm.com/v1
   kind: TunnelNetwork
   metadata:
     name: example-tunnel-network
     # The namespace of the tunnel installed in.
     namespace: <tunnel-namespace>
   spec:
     # tenant id of this tunnel network, by default it's ''
     account_id: ''
     # Which address of the tunnel network can be exported by tunnel.
     # The format is a CIDR notation IP range and port range
     # For example: 10.17.56.1/24 22-443 means IP: 10.17.56.1 to 10.17.56.255 and port 22 to 443 can be exported by tunnel.*
     allowedList:
       - allow 9.0.0.1/8 1-65535
       - allow 9.1.1.12 443
       - allow 9.30.193.132 443
     # The reverse tunnel network client address. The tunnel server will connect this address actively.
     # Just for reverse tunnel network.
     clientAddrs:
       - address: 'reverse-example-tunnel-client.apps.sre15.cp.fyre.ibm.com:443'
     labels: 'label-1,label-2'
     # If false means it is a forward tunnel network, otherwise it is a reverse tunnel network.
     reverse: false
     # The resources configuration of the tunnel network. 
     tunnelWorkerResources:
       limits:
         cpu: 300m
         memory: 256Mi
       requests:
         cpu: 100m
         memory: 128Mi
   

2. Create the tunnel network by running the following command:

   kubectl -n <tunnel-namespace> apply -f <tunnel_network_name>.yaml
   

   Where <tunnel-namespace> is the namespace for tunnel, <tunnel_network_name> is the tunnel network name that you set in the YAML file in step 1.

3. Validate the tunnel network by running the following commands:

   ID=`kubectl -n <tunnel-namespace> get TunnelNetworks <tunnel-network-name> -o=jsonpath='{.status.id}'`
   kubectl -n <tunnel-namespace> get pod | grep ${ID}
   

   Where <tunnel-namespace> is the namespace for tunnel, <tunnel_network_name> is the tunnel network name that you set in the YAML file in step 1.

   The result might be as follows if it is created successful.

   sandbox-d1cb47762a6e45bc-79f5cf675b-6tgjc        1/1     Running   0          20h
   

Creating a port forwarding group with port forwarding

1. Create a YAML file port_forward_group_example.yaml as follows to define a port forwarding group.

   apiVersion: tunnel.management.ibm.com/v1
   kind: PortForwardGroup
   metadata:
     name: example-port-forward-group
     # The namespace of the tunnel installed in.
     namespace: <tunnel-namespace>
   spec:
     # If this this port-forward can be accessed in hub cluster.
     accessInCluster: true
     # If this this port-forward can be accessed out hub cluster. (Not impemented yet.)
     accessOutCluster: false
     # tenant id of this tunnel network, by default it's ''
     account_id: ''
     creater: ''
     # The name of this port forwarding group.
     name: example-groupname
     # The tunnel network name of this port forwarding belong to.
     networkName: example-tunnel-network
     # This is **spec > ingress > from** part of the kubernetes NetworkPolicy, by default It's '' means all the applications can access port forwarding of this group.
     # Following is a example of the network_policy.
     # Reference https://kubernetes.io/docs/concepts/services-networking/network-policies/
     network_policy: |-
       - ipBlock:
           cidr: 172.17.0.0/16
           except:
           - 172.17.1.0/24
       - namespaceSelector:
           matchLabels:
           project: myproject
       - podSelector:
           matchLabels:
           role: frontend
     # The port forwarding of this group
     port_forwards:
       - createTime: '2021-01-19T09:51:34Z'
         # The exposed service IP of the port forwarding
         exposeServiceIP: 9.30.193.132
         # The exposed service port of the port forwarding
         exposeServicePort: 8080
         labels: 'label-1,label-2'
         # The name of the port forwarding
         name: port-forward-1
         # Port mapping in **kubernetes service**. By default it is the same as the exposeServicePort.
         portMapping: 8080
       # You can add more than one port forwarding in one PortForwardGrup.
       # - createTime: '2021-01-20T02:59:47Z'
       #   exposeServiceIP: 9.30.193.132
       #   exposeServicePort: 8081
       #   labels: 'label-1,label-2'
       #   name: port-forward-2
       #   portMapping: 8081
   

   Notes:

   • The combination of exposeService and exposeServicePort is the same as the Private service address field on the IBM Cloud Pak console tunnel user interface.
   • portMapping is the same as the Service port field on the IBM Cloud Pak console tunnel user interface.
   • Each portMapping must have a unique value within a PortForwardGroup. If you need to use the same portMapping value for more than one port_forward, put each one in a separate PortForwardGroup.

2. Create a port forwarding group by running the following command:

   kubectl -n <tunnel-namespace> apply -f port_forward_group_example.yaml
   

3. Validate the port forwarding group by running the following command:

   kubectl -n <tunnel-namespace> get PortForwardGroup <port-forward-group> -o=jsonpath='{.status.status}'
   

   The result valid means that the port forwarding group is created successful.

4. To get the Kubernetes service of the port forwarding group:

   • If the tunnel network is a forward tunnel network, run the following command:

     kubectl -n <tunnel-namespace> get PortForwardGroup <port-forward-group> -o=jsonpath='{.status.k8sServiceName}'
     

   • If the tunnel network is a reverse tunnel network, run the following command:

     kubectl -n <tunnel-namespace> get PortForwardGroup <port-forward-group> -o=jsonpath='{.status.reverseServiceName}'
     

   Then, you can access the exposed services through this Kubernetes service.

Installing the tunnel client

1. Download the installation scripts by running the following command:

   ID=`kubectl -n <tunnel-namespace> get TunnelNetworks <tunnel-network-name> -o=jsonpath='{.status.id}'`
   POD_NAME=`kubectl -n <tunnel-namespace> get pod | grep ${ID} | awk '{print $1}'`
   kubectl -n <tunnel-namespace> cp ${POD_NAME}:opt/ibm/data/download/tunnel-client-install-scripts.tar.gz ./tunnel-client-install-scripts.tar.gz
   

2. Obtain the tunnel client image. See Obtaining the tunnel client image.

3. Install the tunnel client in a linux VM or a managed cluster. For more information, see Installing the tunnel client in the managed cluster and Installing the tunnel client in a linux VM.

Resetting the certificate of a tunnel network

You can delete the tunnel network certificate by running the following command:

kubectl -n <tunnel-namespace> delete secret `kubectl -n <tunnel-namespace> get TunnelNetworks <tunnel-network-name> -o=jsonpath='{.status.certificate.certificate_client.name} {.status.certificate.certificate_server.name}'`

A new certificate can be created automatically by IBM Cert Manager. Then, it is loaded by the tunnel network after about 1 minute.

Deleting tunnel networks and port forwarding

1. To delete a tunnel network, you can delete the TunnelNetworks CR.

2. To delete port forwarding, you can delete the PortForwardGroup CR.