Support additional OIDC configuration with shoot-oidc-service extension #18305
Comments
Would love to test it at the earliest convenience.
This issue or PR has been automatically marked as stale due to the lack of recent activity. This bot triages issues and PRs according to the following rules:
You can:
If you think that I work incorrectly, kindly raise an issue with the problem. /lifecycle stale
The goal would be to allow Kyma users to deploy apps (and run tests) on the provisioned Kyma runtimes in the CI jobs. Execution can be divided into several stages:
OIDC configuration will be included in the Gardener provisioning in Q2.
This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs.
Kyma Infrastructure Manager (KIM) should apply operator-facing OIDC separately from user-facing OIDC(s). In order to allow this we need to adjust the interfaces:
To avoid unwanted impersonations, we should:
Regarding migration from existing shoots to
Description
Enable the option to trust an additional identity provider compliant with OpenID Connect. The provider can be registered in the Kyma cluster, and the Kubernetes API server will authenticate tokens that match the provider's issuer.
The complete solution should allow the trust to be established during provisioning, so the cluster can be accessed from fully automated processes (without user presence). To accomplish that, the following changes are required:
- `shoot-oidc-service` extension for shoot clusters
- `OpenIDConnect` resource in the shoot cluster as Kyma instance parameter (KEB)
Acceptance Criteria
Reasons
Many users request the possibility to deploy software to freshly created Kyma clusters in an automated way. Changing the default IdP for the cluster is the only solution available for now, but then the IdP has to support both human users and service accounts, which is usually challenging. An additional OIDC provider can be used only for system-to-system authorization and will be much easier to set up.
Links
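As an added illustration of the two changes requested above (not configuration taken from the issue, from Kyma, or from Gardener), the manifests below show what the finished setup looks like: the `shoot-oidc-service` extension enabled on a Shoot, an `OpenIDConnect` resource registering a CI identity provider in the shoot cluster, and a namespace-scoped RoleBinding for the resulting machine identity. Field names follow the extension's `authentication.gardener.cloud/v1alpha1` API; the issuer URL, client ID, claim values, resource names and namespaces are placeholders for a hypothetical CI provider. The `usernamePrefix` and `groupsPrefix` settings are the part a reviewer should insist on: they are what keeps a token from the additional provider from impersonating a user or group of the default IdP (a token carrying `groups: ["system:masters"]` is mapped to `ci:system:masters`, which carries no privilege).

```yaml
# Added example, not from the issue or the Kyma/Gardener projects.
# 1) Enable the extension on the shoot (names are placeholders).
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: my-kyma-shoot
  namespace: garden-my-project
spec:
  extensions:
    - type: shoot-oidc-service
---
# 2) Register the CI identity provider inside the shoot cluster.
#    Field names follow the extension's v1alpha1 OpenIDConnect API;
#    the values below are placeholders for a hypothetical CI provider.
apiVersion: authentication.gardener.cloud/v1alpha1
kind: OpenIDConnect
metadata:
  name: ci-provider
spec:
  issuerURL: https://ci.example.com/oidc   # must equal the token's "iss" claim exactly
  clientID: kyma-ci-deployer               # must be present in the token's "aud" claim
  usernameClaim: sub
  usernamePrefix: "ci:"                    # CI subjects can never collide with default-IdP users
  groupsClaim: groups
  groupsPrefix: "ci:"                      # "system:masters" from this IdP becomes "ci:system:masters"
  supportedSigningAlgs:
    - RS256
  requiredClaims:                          # reject tokens the provider minted for other purposes
    pipeline: kyma-deploy
---
# 3) Bind the prefixed identity to the minimum the CI job needs.
#    "pipeline-runner" stands for the value of the token's "sub" claim.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer
  namespace: ci-apps
subjects:
  - kind: User
    name: "ci:pipeline-runner"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

To check the trust from a CI job, run `kubectl --token "$CI_TOKEN" auth whoami` (Kubernetes 1.27 or newer) and confirm the reported username starts with the `ci:` prefix and that `kubectl --token "$CI_TOKEN" auth can-i create pods -n ci-apps` returns `yes` while the same check against `kube-system` returns `no`. If the username comes back unprefixed, the prefix settings were not applied and the additional provider can mint identities that overlap with the default one.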