tobru closed 2 years ago
@tobru @corvus-ch I have a few questions regarding this one:
Just to be sure: the kubeconfig that can be downloaded from the cloud-portal, is it the same (static) one as given in the linked knowledge base article?
Yes, exactly, it's static. I'd make server: https://api.appuio.cloud/ configurable in the Cloud Portal, so that different Cloud Portal deployments can serve different URLs.
Afaik --oidc-issuer-url and --oidc-client-id should correlate to what the Cloud Portal is using already, so it's important that they are matching the Cloud Portal deployment.
and if so, should users be able to download the bash or yaml version, or both?
The YAML version.
Can anyone view & download the kubeconfig, or should there be any access restrictions based on permissions?
Anyone
Should the configs for both the integration and production instances be available in all environments, or only the integration config in non-production environments, and the production one in production environments?
Only make one kubeconfig available and make the URL configurable per environment.
When I set up the control-api locally, it generated a kind-kubeconfig file for me, which already includes authentication data (e.g. .. client-certificate-data: LS0t...== ...), so no login is needed when I use that config. Since the user is already logged in in the cloud-portal we should, in theory, be able to generate such a config as well. Is that something you'd like to have? (if so, I'd appreciate it if someone who knows how the kubeconfig in the control-api is generated could give me some more details on how it works)
I would not do that, as the token needs to be refreshed from time to time and this is taken care of by the plugin we use: https://github.com/int128/kubelogin. We should inform the user somehow to have this plugin available, otherwise the downloaded kubeconfig won't work.
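A sketch of the approach discussed above, added here as an example and not taken from the Cloud Portal code base: the kubeconfig is rendered from per-environment settings, authentication is delegated to the kubelogin exec plugin, and a check confirms the file carries no embedded credentials before it is offered for download. The cluster, user and context names and the helper function names are assumptions.

```typescript
// Added example. Cluster, user and context names are assumptions, not the project's values.
interface KubeconfigSettings {
  server: string;        // Control API URL, configurable per Cloud Portal deployment
  oidcIssuerUrl: string; // must match the issuer the Cloud Portal deployment uses
  oidcClientId: string;  // must match the client ID the Cloud Portal deployment uses
}

// Keys that would embed a credential; a file anyone can download must contain none.
const CREDENTIAL_KEYS: readonly string[] =
  ['client-certificate-data', 'client-key-data', 'token', 'password'];

function requireHttpsUrl(name: string, value: string): string {
  // Narrow character set: https only, nothing that could break out of the YAML scalar.
  if (!/^https:\/\/[A-Za-z0-9.-]+(:\d+)?(\/[A-Za-z0-9._~\/-]*)?$/.test(value)) {
    throw new Error(`${name} must be a plain https URL`);
  }
  return value;
}

function renderKubeconfig(s: KubeconfigSettings): string {
  const server = requireHttpsUrl('server', s.server);
  const issuer = requireHttpsUrl('oidcIssuerUrl', s.oidcIssuerUrl);
  if (!/^[A-Za-z0-9._-]+$/.test(s.oidcClientId)) {
    throw new Error('oidcClientId contains unexpected characters');
  }
  return [
    'apiVersion: v1', 'kind: Config',
    'clusters:', '- name: control-api', '  cluster:',
    `    server: ${JSON.stringify(server)}`,
    'users:', '- name: oidc-user', '  user:',
    '    exec:  # kubelogin obtains and refreshes the token at use time',
    '      apiVersion: client.authentication.k8s.io/v1beta1',
    '      command: kubectl',
    '      args:', '      - oidc-login', '      - get-token',
    `      - ${JSON.stringify('--oidc-issuer-url=' + issuer)}`,
    `      - ${JSON.stringify('--oidc-client-id=' + s.oidcClientId)}`,
    'contexts:', '- name: control-api', '  context:',
    '    cluster: control-api', '    user: oidc-user',
    'current-context: control-api',
  ].join('\n') + '\n';
}

// Returns the credential keys found in a kubeconfig, for a pre-publish check.
function embeddedCredentialKeys(yaml: string): string[] {
  return CREDENTIAL_KEYS.filter((k) => new RegExp(`^\\s*(?:- )?${k}\\s*:`, 'm').test(yaml));
}
```

The rendered file only works for users who have the kubelogin plugin installed, so the download page should say so next to the link.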
Summary
As advanced APPUiO Cloud Portal user
I want to directly use the Control API
So that I can work on the CLI.
Context
The Control API can be accessed with any kubectl client, see https://kb.vshn.ch/appuio-cloud/how-to/day2ops/connect-control-api.html. We should provide a download of the kubeconfig.
Out of Scope
No response
Further links
Acceptance Criteria
No response
Implementation Ideas
No response