Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support viewer to target Shoot cluster by fetching cluster CA via ConfigMap #380

Merged
merged 2 commits into from
Feb 8, 2024
Merged

Support viewer to target Shoot cluster by fetching cluster CA via ConfigMap #380

merged 2 commits into from
Feb 8, 2024

Conversation

petersutter
Copy link
Member

@petersutter petersutter commented Feb 7, 2024
edited
Loading

What this PR does / why we need it:
This PR enables users with the Project viewer role to target the Shoot cluster by fetching the cluster CA via the <shoot-name>.ca-cluster ConfigMap.

To build the gardenlogin kubeconfig when targeting a Shoot cluster, gardenctl needs to read the cluster CA. In earlier versions, this was obtained from a .ca-cluster Secret. However, starting from Gardener v1.89, the cluster CA is also reconciled as a ConfigMap. This update allows users with the viewer role to read the ConfigMap, thereby facilitating the generation of the gardenlogin kubeconfig.

Side note:
gardenlogin v0.5 or higher is designed to fetch credentials from two subresources: shoots/adminkubeconfig and shoots/viewerkubeconfig. By default, it retrieves credentials from the shoots/adminkubeconfig subresource, providing full administrative access. Alternatively, it can fetch credentials from the shoots/viewerkubeconfig subresource for read-only access.

The plugin automatically adjusts the level of access for the fetched credentials. It first attempts to fetch admin-level credentials and, if unsuccessful, falls back to viewer-level credentials. This feature makes the gardenlogin kubeconfig versatile, as it can be used by both project admins and viewers without the need to specify the access level.

Which issue(s) this PR fixes:
Fixes #381

Special notes for your reviewer:
ref gardener/gardener#9091

Release note:

Users with the `Project` `viewer` role can now `target` shoot clusters and obtain the `kubeconfig` for these clusters. `gardenctl-v2` fetches the cluster CA via `ConfigMap` to generate the `gardenlogin` kubeconfig. This feature is supported with Gardener `v1.89` and requires `gardenlogin` `v0.5` or higher.

@petersutter petersutter requested a review from a team as a code owner February 7, 2024 13:25
@gardener-robot gardener-robot added needs/review Needs review size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) labels Feb 7, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 7, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 7, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 7, 2024
@petersutter petersutter added the area/ipcei IPCEI (Important Project of Common European Interest) label Feb 8, 2024
grolu
grolu approved these changes Feb 8, 2024
View reviewed changes
Copy link
Contributor

@grolu grolu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/review Needs review labels Feb 8, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 8, 2024
holgerkoser
holgerkoser approved these changes Feb 8, 2024
View reviewed changes
Copy link
Member

@holgerkoser holgerkoser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@petersutter petersutter merged commit b3e5e1d into master Feb 8, 2024
8 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Feb 8, 2024
@petersutter petersutter deleted the enh/ca-cluster-configmap branch February 8, 2024 22:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grolu grolu grolu approved these changes

@holgerkoser holgerkoser holgerkoser approved these changes

Assignees
No one assigned
Labels
area/ipcei IPCEI (Important Project of Common European Interest) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Viewers should be able to target a Shoot cluster
7 participants
@petersutter @holgerkoser @grolu @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot-ci-3 @gardener-robot