InseeFrLab / onyxia

🔬 Data science environment for k8s
https://onyxia.sh
MIT License

Add a way to provide a certificate authority for kubectl configuration #756

Open micedre opened 8 months ago

micedre commented 8 months ago

When configuring the external API server for Kubernetes in Onyxia, the configuration script uses the flag --insecure-skip-tls-verify=true:

kubectl config set-cluster api \
  --server=https://api \
  --insecure-skip-tls-verify=true

We would like to be able to provide a certificate in onyxia configuration so that this flag is not needed. For instance:

"k8sPublicEndpoint": {
  "URL": "https://api.kube.groupe-genes.fr",
  "certificateAuthority": "LS0tLS1CRUdJTiBDRVJUS...",
  "oidcConfiguration": {
    "issuerURI": "https://auth.groupe-genes.fr/realms/genes",
    "clientID": "onyxia"
  }
}

would give:

kubectl config set-cluster api \
  --server=https://api \
  --certificate-authority=LS0tLS1CRUdJTiBDRVJUS...

fcomte commented 8 months ago

@micedre In the documentation, --certificate-authority seems to refer to a path.

micedre commented 8 months ago

You're right, but there is still a way to do it, it seems, by adding a command to the list:

kubectl config set clusters.api.certificate-authority-data LStFDSglfskm....

fcomte commented 8 months ago

So this is for the script provided here only?


micedre commented 8 months ago

Yes, where would you want to use it?

That script:

kubectl config set-cluster api...fr  \
  --server=https://api...fr  \
  --insecure-skip-tls-verify=true

kubectl config set-credentials user \
  --auth-provider=oidc  \
[...]
kubectl config use-context api...fr 

would become:

kubectl config set-cluster api...fr \
  --server=https://api...fr

kubectl config set clusters.api.certificate-authority-data LStFDSglfskm....

kubectl config set-credentials user \
  --auth-provider=oidc  \
[...]
kubectl config use-context api...fr 
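
The switch proposed above, as an added example that is not Onyxia's own code: given a k8sPublicEndpoint block in the shape suggested earlier in this issue, it renders the cluster lines with certificate-authority-data when certificateAuthority is present, after checking that the value is valid base64 wrapping a PEM certificate. The cluster name "api", the sample endpoint and the placeholder certificate are assumptions.

```python
"""Render the kubectl cluster-setup lines from an Onyxia-style
k8sPublicEndpoint block, preferring a pinned CA over
--insecure-skip-tls-verify whenever certificateAuthority is configured."""
import base64
import binascii
import shlex

# Constructed sample in the shape proposed in the issue. The CA value is a
# placeholder PEM body, not a real certificate.
SAMPLE_ENDPOINT = {
    "URL": "https://api.example.invalid",
    "certificateAuthority": base64.b64encode(
        b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n"
        b"-----END CERTIFICATE-----\n"
    ).decode(),
}


def decode_ca(value: str) -> bytes:
    """Strictly decode the base64 CA and check that it carries a PEM cert.
    kubectl's certificate-authority-data expects base64, so a value that does
    not decode would only fail later, inside the generated script."""
    try:
        pem = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificateAuthority is not valid base64: {exc}")
    if b"-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("certificateAuthority does not contain a PEM certificate")
    return pem


def render_cluster_commands(endpoint: dict, cluster: str = "api") -> list[str]:
    """Return the shell lines that configure the cluster entry."""
    url = endpoint["URL"]
    if not url.startswith("https://"):
        raise ValueError("k8sPublicEndpoint.URL must use https")
    ca = endpoint.get("certificateAuthority")
    if not ca:
        # No CA configured: current behaviour from the issue, but the
        # generated script says so instead of silently skipping verification.
        return [
            "# WARNING: no certificateAuthority configured; TLS verification is disabled",
            f"kubectl config set-cluster {shlex.quote(cluster)} "
            f"--server={shlex.quote(url)} --insecure-skip-tls-verify=true",
        ]
    decode_ca(ca)  # fail early on a malformed value
    return [
        f"kubectl config set-cluster {shlex.quote(cluster)} --server={shlex.quote(url)}",
        f"kubectl config set clusters.{cluster}.certificate-authority-data {shlex.quote(ca)}",
    ]
```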

fcomte commented 8 months ago

just to confirm @micedre