
POC: Command to access btp kyma runtime with workflow OIDC token

Open kwiatekus opened this issue 9 months ago • 1 comments

Description

Prototype command(s) allowing to generate a kubeconfig file from a reference to a kyma instance and a user-provided GH token. Validate (with the prototype) how the cli can get all the data (environment ID) needed to download the kubeconfig file for a cluster provisioned via the CLI, and produce a changed version of the kubeconfig file that includes a custom token.


Assumptions: Kyma cli can produce a kubeconfig file for a selected kyma runtime (provisioned via kyma cli):

  • kyma cli should retrieve kyma environment details (using ENVIRONMENT ID). Learn from where we could get the environment ID in the cli. Maybe the provisioning command should get it from CIS and return it.
  • kyma cli should be able to download the kubeconfig file based on the environment details (see attached btp mission 👇)
  • kyma cli should replace the user context of the downloaded file with the token that is passed as a command option

The following is a proposed draft of the flow. We should be able to test it on DEV landscape where we can manually (*) manipulate an SKR so that it will grant access when presented with GH token:

  1. kyma provision --cluster-name=foo --plan --region --credentials .. (in the future (*) the extra config for the OIDC issuer that will recognise the token will be provided here)
  2. (*) This is needed only temporarily, until the necessary changes are introduced in kyma provisioning:
    a) Open the gardener dashboard on DEV, locate the cluster created in point 1 and enable the shoot-oidc-extension
    b) In the shoot cluster apply the OIDC resource for the github issuer (poc reference)
    c) In the shoot cluster apply a cluster role binding to the cluster-admin role for the github identity (identified by org, repo, ref) (poc reference)
  3. kyma access --with-token={token} --kyma-env-id={ENVIRONMENT ID AS RECOGNISED BY CIS} (or --cluster-name) --output=./action-kubeconfig.yaml
  4. export KUBECONFIG=./action-kubeconfig.yaml
  5. kubectl can I
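The rewrite in step 3 of the flow above, as an added illustration (not code from the kyma cli): every user entry of the downloaded kubeconfig is replaced by a single token-only user so that the provisioning user's credentials never ship in the workflow's file, and the result is written with owner-only permissions. The kubeconfig content, the cluster name and the token value are constructed; JSON form is used because kubectl accepts JSON kubeconfigs and it keeps the example standard-library only (the real download is YAML).

```python
import copy
import json
import os
import stat
import tempfile

# Constructed stand-in for the kubeconfig downloaded for runtime "foo".
DOWNLOADED_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "foo", "cluster": {
        "server": "https://api.foo.example.invalid",
        "certificate-authority-data": "Q09OU1RSVUNURUQ="}}],  # constructed CA blob
    "users": [{"name": "foo-admin", "user": {
        # the human user's login plugin: must not end up in the workflow file
        "exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                 "command": "kubectl-oidc_login"}}}],
    "contexts": [{"name": "foo", "context": {"cluster": "foo", "user": "foo-admin"}}],
    "current-context": "foo",
}


def with_workflow_token(kubeconfig, token, user_name="workflow-oidc"):
    """Return a copy whose contexts authenticate with `token` and nothing else."""
    cfg = copy.deepcopy(kubeconfig)
    names = {c["name"] for c in cfg.get("contexts", [])}
    if cfg.get("current-context") not in names:
        raise ValueError("kubeconfig has no usable current-context")
    # Drop every downloaded user entry (exec plugin, client cert, ...): only the
    # workflow token remains, and all contexts are pointed at it.
    cfg["users"] = [{"name": user_name, "user": {"token": token}}]
    for ctx in cfg["contexts"]:
        ctx["context"]["user"] = user_name
    return cfg


def write_kubeconfig(cfg, path):
    """Write cfg to path created 0600, so the token is private to the runner user."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(token="constructed-github-oidc-jwt"):
    """Build and write the workflow kubeconfig; returns (file mode, users written)."""
    cfg = with_workflow_token(DOWNLOADED_KUBECONFIG, token)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "action-kubeconfig.json")
        mode = write_kubeconfig(cfg, path)
        with open(path) as f:
            written = json.load(f)
    return mode, written["users"]
```

In the real command the token would come from the --with-token option and the path from --output.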

Reasons

Part of https://github.com/kyma-project/kyma/issues/18305. A CI/CD workflow which creates a managed SAP btp kyma instance (with an additional "workflow" OIDC config as provisioning params) in an automated way should be able to access the newly created cluster with an OIDC token issued by the additional oidc provider (i.e. github).

Attachments

See the POC Step 4 of this mission

kwiatekus, May 15 '24 12:05