Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authentication method for Gardener Shoot Clusters #244

Open
Avarei opened this issue May 15, 2024 · 3 comments · May be fixed by #265
Open

Add authentication method for Gardener Shoot Clusters #244

Avarei opened this issue May 15, 2024 · 3 comments · May be fixed by #265
Labels
enhancement New feature or request

Comments

@Avarei
Copy link

Avarei commented May 15, 2024

What problem are you facing?

I would like to manage freshly created Gardener Shoot Clusters in this provider. While Most Cluster Management Tools give a AdminKubeConfig, which can be used for setting up permissions for other users and groups - Gardener uses short lived AdminKubeConfigs that are made by creating a subresource on the Shoot Object in the “Seed” cluster.

How could Crossplane help solve your problem?

The Provider could use a Seed KubeConfig to dynamically request and cache the kubeconfig for a referenced shoot cluster.

I would love to implement and contribute this feature if you are open to it.
@Avarei Avarei added the enhancement New feature or request label May 15, 2024
@Avarei Avarei linked a pull request Jun 3, 2024 that will close this issue
Draft
2 tasks
@j2L4e
Copy link
Contributor

j2L4e commented Sep 17, 2024

@Avarei I've been looking to solve the same thing. Is maintaining this in a fork what you went for in the end or did you choose a different path?

@Avarei
Copy link
Author

Avarei commented Sep 17, 2024

@j2L4e sadly I had to prioritize other tasks above managing gardener from crossplane. I hope to get back to it early next year but for the moment I don't have the capacity.

Back then I was not really sure how actively I should push for this change, since it uses the providerConfig fields in quite an unusual/different way.
The kubeconfig contains the credentials to the seed-cluster, instead of the actual target cluster and the identity section contains a secretRef which just contains a reference to the actual cluster to use.

I also thought of an alternative approach that might be a good substitute.
The idea is to create a Disposable Request in provider-http.
it could create the kubeconfig secret and refresh it automatically.
sadly it also needs a PR to work, since provider-http needs mTLS support to work with the kubernetes API.
If this sounds interesting, take a look at crossplane-contrib/provider-http#21

@j2L4e
Copy link
Contributor

j2L4e commented Sep 18, 2024
edited
Loading

Frankly, having provider-kubernetes depend on gardener/gardener for this rather specific use-case, doesn't feel quite right.
Using provider-http to reconcile ProviderConfigs for provider-kubernetes much better aligns with how you would handle kubeconfigs coming from other cluster-providers.
Thanks for linking the mtls-issue, I'll look into that!

Edit: Got it working using provider-http, token auth instead of certs and insecureSkipTLSVerify. Which is good enough for a POC. Thanks for the hint, @Avarei.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add gardener shoot authentication Avarei/provider-kubernetes
2 participants
@j2L4e @Avarei