Sankofa/docs/proxmox/PROXMOX_CREDENTIALS.md
defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00


# Proxmox API Credentials Setup
**Last Updated**: 2024-12-19
## Overview
This guide explains how to create and configure Proxmox API tokens for use with the Crossplane provider.
## Current Status
Proxmox credentials are **not yet configured** in `.env`. You need to:
1. Create API tokens in each Proxmox instance
2. Add them to the `.env` file
## Creating API Tokens
### For Each Proxmox Instance
1. **Log in to Proxmox Web UI**
   - Instance 1: https://ml110-01.sankofa.nexus:8006
   - Instance 2: https://r630-01.sankofa.nexus:8006
2. **Navigate to API Tokens**
   - Go to: **Datacenter** → **Permissions** → **API Tokens**
   - Click **Add** or **Create Token**
3. **Configure Token**
   - **Token ID**: `crossplane-<site-name>`
     - Instance 1: `crossplane-us-sfvalley`
     - Instance 2: `crossplane-us-sfvalley-2`
   - **User**: `root@pam` (or dedicated service account)
   - **Expiration**: Set appropriate expiration (or leave blank for no expiration)
   - **Privilege Separation**: Enable if using dedicated user
   - **Permissions**:
     - **Administrator** (full access) - Recommended for initial setup
     - Or specific permissions: VM.Allocate, VM.Audit, Datastore.Audit, etc.
4. **Save Token Secret**
   - **Important**: Copy the token secret immediately
   - Format: `user@realm!token-id=token-secret`
   - Example: `root@pam!crossplane-us-sfvalley=abc123def456...`
   - You cannot view the secret again after creation
## Adding Credentials to .env
### Option 1: Instance-Specific Credentials (Recommended)
Edit `.env` and uncomment/fill in:
```bash
# Instance 1 (ML110-01) - us-sfvalley
PROXMOX_USERNAME_ML110_01=root@pam
PROXMOX_TOKEN_ML110_01=root@pam!crossplane-us-sfvalley=your-token-secret-here
# Instance 2 (R630-01) - us-sfvalley-2
PROXMOX_USERNAME_R630_01=root@pam
PROXMOX_TOKEN_R630_01=root@pam!crossplane-us-sfvalley-2=your-token-secret-here
```
### Option 2: Generic Credentials (Same Token for Both)
If using the same token for both instances:
```bash
PROXMOX_USERNAME=root@pam
PROXMOX_TOKEN=root@pam!crossplane-token=your-token-secret-here
```
## Token Format
Proxmox API tokens use the format:
```
user@realm!token-id=token-secret
```
Where:
- `user@realm`: The Proxmox user (e.g., `root@pam`)
- `token-id`: The token identifier (e.g., `crossplane-us-sfvalley`)
- `token-secret`: The secret part of the token
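
Added example, not part of the original guide or the repository's scripts: a POSIX shell check for the format above that masks the secret instead of echoing it, rejects the stray spaces or quotes listed under Troubleshooting, and flags tokens owned by `root@pam`. The function name `check_pve_token` and every token value in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the structure of a Proxmox API token string without
# ever printing its secret. All token values here are constructed samples.

# check_pve_token TOKEN
#   prints the parsed parts with the secret masked
#   returns 0 = well-formed, 1 = malformed, 2 = well-formed but owned by root@pam
check_pve_token() (
  token=$1
  tab=$(printf '\t')
  # Stray quotes or whitespace usually come from pasting a quoted .env value.
  case $token in
    *' '*|*"$tab"*|*'"'*|*"'"*)
      echo 'error: token contains whitespace or quote characters' >&2
      return 1 ;;
  esac
  # Required separator order: user @ realm, then the bang, token-id, "=", secret.
  case $token in
    *@*'!'*=*) ;;
    *) echo 'error: expected user@realm!token-id=token-secret' >&2
       return 1 ;;
  esac
  userid=${token%%'!'*}    # user@realm (text before the first bang)
  rest=${token#*'!'}       # token-id=token-secret
  token_id=${rest%%=*}
  secret=${rest#*=}
  user=${userid%@*}
  realm=${userid##*@}
  case $userid in *=*) user= ;; esac   # "=" inside user@realm: a part is missing
  if [ -z "$user" ] || [ -z "$realm" ] || [ -z "$token_id" ] || [ -z "$secret" ]; then
    echo 'error: empty user, realm, token-id or secret' >&2
    return 1
  fi
  echo "user=$user realm=$realm token-id=$token_id secret=<${#secret} chars hidden>"
  if [ "$userid" = "root@pam" ]; then
    echo 'warning: token is owned by root@pam, not a dedicated service account' >&2
    return 2
  fi
  return 0
)

# Demo on a constructed token for the dedicated account suggested in this guide.
check_pve_token 'crossplane@pam!crossplane-us-sfvalley=00000000-0000-0000-0000-000000000000'
```

In practice, call it as `check_pve_token "$PROXMOX_TOKEN"` after loading `.env`; the return code distinguishes a malformed token (1) from a valid one issued to `root@pam` (2).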
## Testing Credentials
### Test Connectivity
```bash
# Test with token
export PROXMOX_TOKEN='root@pam!crossplane-us-sfvalley=your-secret'
./scripts/test-proxmox-connectivity.sh
```
### Test API Access
```bash
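# Test API call (the header value is "PVEAPIToken=" followed by the full token)
# -k skips TLS certificate verification; use --cacert with the Proxmox CA once it is available
curl -k -H "Authorization: PVEAPIToken=${PROXMOX_TOKEN}" \
  https://ml110-01.sankofa.nexus:8006/api2/json/version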
```
## Security Best Practices
1. **Use Dedicated Service Accounts**
   - Create a dedicated user for Crossplane (e.g., `crossplane@pam`)
   - Grant only necessary permissions
   - Use privilege separation
2. **Rotate Tokens Regularly**
   - Set expiration dates
   - Rotate tokens quarterly or as per security policy
   - Revoke old tokens immediately
3. **Limit Permissions**
   - Don't use Administrator role if not needed
   - Grant only specific permissions required
   - Use least privilege principle
4. **Secure Storage**
   - Never commit `.env` to git (already in `.gitignore`)
   - Use Kubernetes secrets for production
   - Rotate credentials if exposed
## Using Credentials
### In Scripts
Scripts automatically load from `.env`:
```bash
# Scripts will use PROXMOX_TOKEN or instance-specific tokens
./scripts/test-proxmox-connectivity.sh
./scripts/create-proxmox-secret.sh
```
### In Kubernetes
Create Kubernetes secret:
```bash
# Interactive creation
./scripts/create-proxmox-secret.sh
# Or manually
kubectl create secret generic proxmox-credentials \
  --from-literal=username=root@pam \
  --from-literal=token='root@pam!token-id=token-secret' \
  -n crossplane-system
```
## Troubleshooting
### Token Not Working
1. **Verify Token Format**
   ```bash
   # Note: this prints the secret to the terminal
   echo "$PROXMOX_TOKEN"
   # Should be: user@realm!token-id=token-secret
   ```
2. **Test API Access**
   ```bash
   # The header value is "PVEAPIToken=" followed by the full token
   curl -k -H "Authorization: PVEAPIToken=${PROXMOX_TOKEN}" \
     https://ml110-01.sankofa.nexus:8006/api2/json/version
   ```
3. **Check Token Permissions**
   - Verify token has required permissions
   - Check if token is expired
   - Verify user account is active
### Authentication Errors
1. **Verify .env is Loaded**
   ```bash
   source .env
   echo "$PROXMOX_TOKEN"
   ```
2. **Check Token Secret**
   - Ensure token secret is correct
   - No extra spaces or quotes
   - Full token format included
3. **Test Each Instance**
   ```bash
   # Test Instance 1
   export PROXMOX_TOKEN='root@pam!crossplane-us-sfvalley=secret'
   curl -k -H "Authorization: PVEAPIToken=${PROXMOX_TOKEN}" \
     https://ml110-01.sankofa.nexus:8006/api2/json/version
   # Test Instance 2
   export PROXMOX_TOKEN='root@pam!crossplane-us-sfvalley-2=secret'
   curl -k -H "Authorization: PVEAPIToken=${PROXMOX_TOKEN}" \
     https://r630-01.sankofa.nexus:8006/api2/json/version
   ```
## Related Documentation
- [Environment Variables](./ENVIRONMENT_VARIABLES.md)
- [Deployment Readiness](./DEPLOYMENT_READINESS.md)
- [Quick Start Guide](./QUICK_START.md)