[POC] Authenticate towards gardener's shoot cluster using `shoot-oidc-service` extension and GH token
kwiatekus opened this issue · 3 comments
Description
Manually provision a Gardener shoot cluster with the OIDC service extension enabled. Configure GitHub as an additional OIDC issuer in the shoot spec.
Try to deploy a sample manifest (or prove OIDC communication with the cluster in another way) from a GH Action, using a token from GitHub as the credential to access the Gardener shoot runtime.
Reasons
Prove the concept behind #18305
1 - Kyma creation request must be extended by an additional "workflow OIDC issuer"
3...6 - provisioning includes enabling the shoot-oidc-service feature flag and defining OpenIDConnect and RoleBinding resources in the shoot
8..9 - CI/CD workflow requests Kyma instance data upon successful instance creation
10..11 - CI/CD workflow gets a token from the "workflow OIDC issuer"
12 - CI/CD workflow combines cluster.certificate-authority-data and cluster.server data from the kubeconfig with the token received from the "workflow OIDC issuer" to set up a kubeconfig context towards the SKR
13 - workflow accesses the freshly provisioned cluster to deploy & test the customer's app
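The manifests that steps 3..6 above call for, as an added example (not from the issue or the Kyma/Gardener projects): a shoot fragment enabling the extension, an OpenIDConnect resource registering GitHub Actions as issuer, and a namespace-scoped RoleBinding for the workflow identity. The repository `ORG/REPO`, the audience `skr-ci`, the shoot name and the namespace `demo` are placeholders.

```yaml
# Added example (not from the issue). ORG/REPO, skr-ci, my-shoot and demo are placeholders.
---
# 1. Shoot spec fragment: enable the shoot-oidc-service extension.
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: my-shoot
spec:
  extensions:
  - type: shoot-oidc-service
---
# 2. Register GitHub Actions as an additional OIDC issuer inside the shoot.
apiVersion: authentication.gardener.cloud/v1alpha1
kind: OpenIDConnect
metadata:
  name: github-actions
spec:
  issuerURL: https://token.actions.githubusercontent.com
  # The workflow must request its token with this audience
  # (audience=skr-ci when calling ACTIONS_ID_TOKEN_REQUEST_URL);
  # otherwise the token's aud does not match and it is rejected.
  clientID: skr-ci
  # Kubernetes user name = usernamePrefix + sub claim,
  # e.g. gh:repo:ORG/REPO:ref:refs/heads/main
  usernameClaim: sub
  usernamePrefix: "gh:"
  supportedSigningAlgs:
  - RS256
  # Tokens minted for any other repository are refused before RBAC is consulted.
  requiredClaims:
    repository: ORG/REPO
---
# 3. Least privilege: only the main-branch workflow identity, and only in one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: github-actions-deployer
  namespace: demo
subjects:
- kind: User
  name: gh:repo:ORG/REPO:ref:refs/heads/main
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

With these in place, the kubeconfig assembled in step 12 needs only the shoot's certificate-authority-data and server plus the GitHub token as the user's bearer token; a token from another repository or branch will be rejected by the authenticator or by RBAC respectively.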
It's possible to set up OIDC from an Action to the Gardener cluster. Here is the example of the scenario described in the issue.
thank you