Handle shoot-oidc-service extension when provisioning kyma #3316

Open
kwiatekus opened this issue Feb 1, 2024 · 3 comments

kwiatekus commented Feb 1, 2024

Description

Provisioner should always enable shoot-oidc-service feature flag when provisioning kyma runtime
When additional OIDC issuer is requested, provisioner should create this OIDC resource in the provisioned shoot cluster
https://community.sap.com/t5/additional-blogs-by-sap/using-github-actions-openid-connect-in-kubernetes/ba-p/13542513
and configure cluster admin role binding for the subject of the token issued by the additional issuer.

AC

  • OIDC is part of the technical contract for KIM (= part of Runtime-CR)
  • The following two fields are required in the final Runtime-CR, but for KEB it is not mandatory to set them initially. If one of these fields is missing or empty, default values will be set by KIM (the default values are static values in the KIM configuration):
    • oidcConfig (the default value is the Kyma-OIDC provider; it will only be set if no configuration is provided by KEB)
    • additionalOidcConfigs (a list; if the list is empty, KIM has to add one default entry to it)

Reasons

It is required for kyma-project/kyma#18305

Attachments
kyma-project/kyma#18519 (comment)
https://github.com/kyma-project/control-plane/tree/main/components/provisioner

Sample resource:

apiVersion: authentication.gardener.cloud/v1alpha1
kind: OpenIDConnect
metadata:
  name: actions-oidc
spec:
  issuerURL: https://token.actions.githubusercontent.com
  clientID: my-kubernetes-cluster
  usernameClaim: sub
  usernamePrefix: "actions-oidc:"
  requiredClaims:
    repository: myOrg/myRepo
    workflow: deploy-kubernetes
    ref: refs/heads/main

tobiscr commented Feb 19, 2024

PR from @kyma-project/otters for provisioner: #3358

Docs from Gardener: https://github.com/gardener/gardener-extension-shoot-oidc-service/blob/master/docs/usage/openidconnects.md


tobiscr commented Feb 26, 2024

We have it on our TODO list, but right now - based on the current ranked backlog it will be considered as part of our deliverables in Q2/24.


tobiscr commented May 28, 2024

We agreed on following implementation on KIM side:

  • KIM will store the default values for some fields in our RuntimeCR (e.g. oidcConfig)
  • We will have a few fields in the RuntimeCR which won't necessarily be provided by KEB but have to be filled out with default values by KIM (<< having them included in the RuntimeCR is helpful for later operational actions applied by SRE - they will sometimes have to adjust these values when major cluster upgrades are applied)
  • It's KIM's responsibility to check, for each creation/update of a RuntimeCR instance, that missing fields are added to this CR with their default values (could be done by a webhook executed before KIM starts processing the values etc.)
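As an added Go sketch (not KIM's or the provisioner's code) of the defaulting rule agreed above: oidcConfig is defaulted only when KEB left it unset, additionalOidcConfigs gets exactly one static default entry when the list is empty, and a validation pass of the kind a webhook would run before processing rejects entries that would produce an unusable OpenIDConnect resource. The type names, function names and the https/usernamePrefix checks are assumptions, not anything from this issue.

```go
package main

import (
	"errors"
	"strings"
)

// Hypothetical types for the OIDC fields of a Runtime CR (assumption; not KIM's real types).
type OIDCConfig struct {
	IssuerURL, ClientID, UsernameClaim, UsernamePrefix string
}

type RuntimeSpec struct {
	OIDCConfig            *OIDCConfig  // nil when KEB did not set it
	AdditionalOIDCConfigs []OIDCConfig // empty when KEB did not set it
}

// ApplyOIDCDefaults fills only the fields KEB left empty from the static KIM
// defaults and reports whether it changed anything; KEB-supplied values stay.
func ApplyOIDCDefaults(spec *RuntimeSpec, kymaOIDC, defaultAdditional OIDCConfig) bool {
	changed := false
	if spec.OIDCConfig == nil {
		c := kymaOIDC // copy, so the CR never aliases the shared default
		spec.OIDCConfig = &c
		changed = true
	}
	if len(spec.AdditionalOIDCConfigs) == 0 {
		spec.AdditionalOIDCConfigs = []OIDCConfig{defaultAdditional}
		changed = true
	}
	return changed
}

// ValidateOIDC rejects a spec that would yield an unusable or risky OpenIDConnect
// resource: missing defaults, a non-HTTPS issuer, or an empty clientID/usernamePrefix
// (without a prefix an external subject could collide with an existing cluster user).
func ValidateOIDC(spec *RuntimeSpec) error {
	if spec.OIDCConfig == nil || len(spec.AdditionalOIDCConfigs) == 0 {
		return errors.New("oidc defaults not applied")
	}
	for _, c := range append([]OIDCConfig{*spec.OIDCConfig}, spec.AdditionalOIDCConfigs...) {
		switch {
		case !strings.HasPrefix(c.IssuerURL, "https://"):
			return errors.New("issuerURL must use https: " + c.IssuerURL)
		case c.ClientID == "" || c.UsernamePrefix == "":
			return errors.New("clientID and usernamePrefix are required for " + c.IssuerURL)
		}
	}
	return nil
}
```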
