Skip to main content

Overview

Orphelix connects to Kubernetes clusters using your local kubeconfig file. Switch between multiple clusters and contexts seamlessly from the dashboard. Cluster Connection

How Cluster Connection Works

Orphelix uses the standard Kubernetes authentication method:
1

Read Kubeconfig

Loads ~/.kube/config on server startupLocation can be overridden with KUBECONFIG env var
2

List Contexts

Extracts all available contexts from kubeconfigEach context represents a cluster + user + namespace combination
3

Select Context

User selects context from dropdown in header
4

Authenticate

Uses credentials from selected context:
  • Client certificates
  • Bearer tokens
  • Cloud provider auth (AWS, GCP, Azure)
  • Service account tokens
5

Connect to API Server

Establishes connection to Kubernetes API serverAll resource queries use this connection

Kubeconfig File

Standard Kubernetes configuration file:

Location

Path: ~/.kube/config
# Check if exists
ls -la ~/.kube/config

Structure

apiVersion: v1
kind: Config
clusters:
- name: production-cluster
  cluster:
    server: https://prod-k8s.example.com
    certificate-authority-data: LS0tLS...

- name: staging-cluster
  cluster:
    server: https://staging-k8s.example.com
    certificate-authority-data: LS0tLS...

users:
- name: admin-user
  user:
    client-certificate-data: LS0tLS...
    client-key-data: LS0tLS...

- name: developer-user
  user:
    token: eyJhbGci...

contexts:
- name: prod
  context:
    cluster: production-cluster
    user: admin-user
    namespace: default

- name: staging
  context:
    cluster: staging-cluster
    user: developer-user
    namespace: staging

current-context: prod

Key Components

Kubernetes API server endpointsRequired fields:
  • server: API server URL
  • certificate-authority-data: CA certificate (or path)
Optional:
  • insecure-skip-tls-verify: Skip TLS verification (not recommended)
  • tls-server-name: Server name for TLS
Authentication credentialsMethods:
  • Client certificates (cert + key)
  • Bearer tokens
  • Username + password (deprecated)
  • Cloud provider auth plugins
  • Exec plugins (custom auth)
Examples:
# Certificate auth
user:
  client-certificate-data: LS0tLS...
  client-key-data: LS0tLS...

# Token auth
user:
  token: eyJhbGci...

# AWS EKS
user:
  exec:
    apiVersion: client.authentication.k8s.io/v1beta1
    command: aws
    args:
      - eks
      - get-token
      - --cluster-name
      - my-cluster
Cluster + User + Namespace combinationFields:
  • cluster: Which cluster to connect to
  • user: Which credentials to use
  • namespace: Default namespace (optional)
Purpose: Quick switching between environments

Context Selector

Switch contexts from the Orphelix header: Context Selector

Features

Quick Switch

Click dropdown to change contexts instantly

Search

Filter contexts by name

Connection Status

Visual indicator shows connection health

Test Connection

Verify connectivity before switching

Context Display

Each context shows:
  • Name: Context identifier
  • Cluster: Cluster name
  • Server: API server URL (truncated)
  • Namespace: Default namespace
  • Status: Connection indicator
Connection Status Icons:
  • 🟢 Connected: Active, healthy connection
  • 🟡 Connecting: Establishing connection
  • 🔴 Disconnected: Cannot connect
  • Unknown: Not yet tested

Switching Contexts

1

Click Context Dropdown

In the top header, click current context name
2

Select New Context

Click desired context from list
3

Wait for Connection

Orphelix connects to new cluster (1-2 seconds)
4

Page Refreshes

Data reloads for new cluster
  • Deployments list updates
  • Pods list updates
  • Dashboard shows new cluster stats
Context selection persists across browser sessions (stored in cookies)

Testing Connection

Verify cluster connectivity before using: Test Connection

Test Connection Dialog

1

Open Dialog

Click context dropdown → “Test Connection” button
2

Select Context

Choose context to test
3

Run Tests

Orphelix performs checks:
  1. DNS Resolution: Can resolve API server hostname?
  2. TCP Connection: Can reach API server port?
  3. TLS Handshake: Valid certificates?
  4. Authentication: Valid credentials?
  5. Authorization: Can list namespaces?
  6. API Version: Compatible Kubernetes version?
4

View Results

Each test shows:
  • ✅ Pass: Test succeeded
  • ❌ Fail: Test failed (with error message)
  • ⏭️ Skipped: Test not applicable

Test Results

Indicator: Green checkmark
✅ DNS Resolution: success
✅ TCP Connection: success (123ms)
✅ TLS Handshake: success
✅ Authentication: success (admin user)
✅ Authorization: can list namespaces
✅ API Version: v1.28.3

Connection is healthy!

Cluster Aliases

Give clusters friendly names: Cluster Aliases

Creating Aliases

1

Open Settings

Navigate to Settings → Cluster Configuration tab
2

Add Alias

Click “Add Alias” button
3

Configure Alias

  • Context Name: Select from dropdown
  • Friendly Name: Enter display name
  • Icon: Choose emoji/icon (optional)
  • Description: Add notes (optional)
Example:
Context: arn:aws:eks:us-east-1:123456:cluster/prod
Friendly Name: 🚀 Production (US East)
Description: Main production cluster
4

Save

Click “Save” - alias appears in context selector

Alias Benefits

Replace long, cryptic context names with readable labelsBefore: gke_my-project_us-central1-a_cluster-1After: 🌎 GKE Production
Prevent accidental operations on wrong clusterClear visual distinction between prod/staging/dev
Everyone sees same cluster namesShared aliases configuration via settings file

Multi-Cluster Management

Manage multiple clusters simultaneously:

Common Scenarios

Setup: Dev, Staging, Production
contexts:
- name: dev
  context:
    cluster: dev-cluster
    namespace: default

- name: staging
  context:
    cluster: staging-cluster
    namespace: default

- name: prod
  context:
    cluster: prod-cluster
    namespace: default
Workflow:
  1. Test changes in dev
  2. Promote to staging
  3. Deploy to production

Switching Best Practices

Always check current context before:
  • Restarting deployments
  • Editing YAML
  • Scaling resources
Context shown in header - confirm it’s correct
Context names should indicate:
  • Environment (dev/staging/prod)
  • Region (if multi-region)
  • Purpose (monitoring/management)
Example: prod-us-east-1-monitoring
Separate kubeconfig files for production:
# Development clusters
export KUBECONFIG=~/.kube/dev-config

# Production clusters (separate terminal)
export KUBECONFIG=~/.kube/prod-config
Prevents accidental production changes

Authentication Methods

Orphelix supports all standard Kubernetes authentication:

Client Certificates

Most common method: 
users:
- name: admin
  user:
    client-certificate-data: LS0tLS1CRUd...
    client-key-data: LS0tLS1CRUdJT...
Pros:
  • Widely supported
  • No token expiration
  • Offline authentication
Cons:
  • Certificate rotation needed
  • Key must be kept secure

Bearer Tokens

Service account or OAuth tokens: 
users:
- name: sa-user
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ik...
Pros:
  • Easy to distribute
  • Can have expiration
  • Revocable
Cons:
  • May expire
  • Must be refreshed

Cloud Provider Auth

AWS, GCP, Azure authentication: 
users:
- name: aws-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
        - eks
        - get-token
        - --cluster-name
        - my-cluster
        - --region
        - us-east-1
Requirements:
  • AWS CLI installed
  • AWS credentials configured
  • IAM permissions for EKS

Troubleshooting

Cannot List Contexts

Symptom: Context dropdown is empty Causes:
  1. Kubeconfig Not Found 
    ls ~/.kube/config
# If missing, create one
  2. Invalid Kubeconfig 
    kubectl config view
# Check for syntax errors
  3. Wrong KUBECONFIG Path 
    echo $KUBECONFIG
# Verify path is correct
Solutions:
  • Create valid kubeconfig file
  • Fix YAML syntax errors
  • Set correct KUBECONFIG environment variable

Connection Failed

Symptom: “Failed to connect to cluster” Diagnostic Steps:
1

Test with kubectl

kubectl cluster-info
kubectl get nodes
If kubectl fails, issue is with cluster/credentials, not Orphelix
2

Check Network

# Test API server connectivity
curl -k https://api-server-url:6443
Should return error (expected), but confirms connectivity
3

Verify Credentials

kubectl config view --minify
# Check current context credentials
4

Check Certificates

# Verify certificates are valid
openssl x509 -in cert.pem -text -noout

Authentication Failed

Symptom: “Unauthorized” or “Forbidden” errors Common Issues:
Token-based auth expiredSolution: Refresh token:
# For cloud providers
aws eks update-kubeconfig --name cluster-name
gcloud container clusters get-credentials cluster-name
az aks get-credentials --name cluster-name --resource-group rg
User lacks RBAC permissionsSolution: Grant necessary permissions:
kubectl create clusterrolebinding orphelix-admin \
  --clusterrole=cluster-admin \
  --user=myuser
Context using incorrect userSolution: Update context:
kubectl config set-context <context> --user=<correct-user>

Certificate Errors

Symptom: TLS handshake failures Solutions:
  1. Untrusted CA 
    # Option 1: Add CA to system trust store
# Option 2: Skip verification (not recommended)
kubectl config set-cluster <cluster> --insecure-skip-tls-verify=true
  2. Certificate Name Mismatch 
    # Set correct TLS server name
kubectl config set-cluster <cluster> --tls-server-name=kubernetes.example.com
  3. Expired Certificate
    • Renew cluster certificates
    • Update kubeconfig with new certificates

Next Steps

Namespaces

Configure namespace filtering

Demo Mode

Try demo mode without cluster

Settings

Configure Orphelix settings

Dashboard

View cluster resources