appuio / cloud-portal

APPUiO Cloud Portal (Web Frontend)
Apache License 2.0

Quick Download of Kubeconfig for Control API #105

Closed tobru closed 2 years ago

tobru commented 2 years ago

Summary

As an advanced APPUiO Cloud Portal user, I want to directly use the Control API so that I can work on the CLI.

Context

The Control API can be accessed with any kubectl client, see https://kb.vshn.ch/appuio-cloud/how-to/day2ops/connect-control-api.html. We should provide a download of the kubeconfig.

Out of Scope

No response

Further links

Acceptance Criteria

No response

Implementation Ideas

No response

steffinchen commented 2 years ago

@tobru @corvus-ch I have a few questions regarding this one:

  1. Just to be sure: the kubeconfig that can be downloaded from the cloud-portal is it the same (static) one as given in the linked knowledge base article? and if so, should users be able to download the bash or yaml version, or both?
  2. Can anyone view & download the kubeconfig, or should there be any access restrictions based on permissions?
  3. Should the configs for both the integration and production instances be available in all environments, or only the integration config in non-production environments, and the production one in production environments?
  4. When I set up the control-api locally, it generated a kind-kubeconfig file for me, which already includes authentication data (e.g. .. client-certificate-data: LS0t...== ...), so no login is needed when I use that config. Since the user is already logged in in the cloud-portal we should, in theory, be able to generate such a config as well. Is that something you'd like to have? (if so, I'd appreciate it if someone who knows how the kubeconfig in the control-api is generated could give me some more details on how it works)

tobru commented 2 years ago

> Just to be sure: the kubeconfig that can be downloaded from the cloud-portal is it the same (static) one as given in the linked knowledge base article?

Yes, exactly, it's static. I'd make server: https://api.appuio.cloud/ configurable in the Cloud Portal, so that different Cloud Portal deployments can serve different URLs.

AFAIK --oidc-issuer-url and --oidc-client-id should correlate to what the Cloud Portal is using already, so it's important that they match the Cloud Portal deployment.

> and if so, should users be able to download the bash or yaml version, or both?

The YAML version.

> Can anyone view & download the kubeconfig, or should there be any access restrictions based on permissions?

Anyone.

> Should the configs for both the integration and production instances be available in all environments, or only the integration config in non-production environments, and the production one in production environments?

Only make one kubeconfig available and make the URL configurable per environment.

> When I set up the control-api locally, it generated a kind-kubeconfig file for me, which already includes authentication data (e.g. .. client-certificate-data: LS0t...== ...), so no login is needed when I use that config. Since the user is already logged in in the cloud-portal we should, in theory, be able to generate such a config as well. Is that something you'd like to have? (if so, I'd appreciate it if someone who knows how the kubeconfig in the control-api is generated could give me some more details on how it works)

I would not do that, as the token needs to be refreshed from time to time and this is taken care of by the plugin we use: https://github.com/int128/kubelogin. We should inform the user somehow to have this plugin available, otherwise the downloaded kubeconfig won't work.
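
The static, credential-free download discussed in this thread, sketched as an added example (not code from the cloud-portal repository or from any participant): it renders a kubeconfig whose user entry delegates to kubelogin's `kubectl oidc-login get-token`, and checks that no static credentials such as `client-certificate-data` end up in the file. The `env` field names, the `control-api` and `oidc-user` names, and the issuer URL and client ID values are assumptions made for illustration.

```javascript
// Added example: field names on `env` and the cluster/user names are assumptions.
const STATIC_CREDENTIAL_KEYS = /^\s*(?:-\s*)?(client-certificate-data|client-key-data|token|password)\s*:/;

// Accept only https URLs without whitespace (new URL() silently strips newlines).
function requireHttps(name, value) {
  if (typeof value !== 'string' || /\s/.test(value)) throw new Error(`${name}: invalid value`);
  if (new URL(value).protocol !== 'https:') throw new Error(`${name}: must be https`);
  return value;
}

// Build the static kubeconfig; JSON.stringify yields valid double-quoted YAML scalars.
function buildKubeconfig(env) {
  const server = requireHttps('server', env.server);
  const issuer = requireHttps('oidcIssuerUrl', env.oidcIssuerUrl);
  const clientId = env.oidcClientId;
  if (typeof clientId !== 'string' || !/^[\w.-]+$/.test(clientId)) throw new Error('oidcClientId: invalid value');
  return [
    'apiVersion: v1',
    'kind: Config',
    'clusters:',
    '- name: control-api',
    '  cluster:',
    `    server: ${JSON.stringify(server)}`,
    'contexts:',
    '- name: control-api',
    '  context: {cluster: control-api, user: oidc-user}',
    'current-context: control-api',
    'users:',
    '- name: oidc-user',
    '  user:',
    '    exec:', // no certificate or token here: kubelogin fetches and refreshes it
    '      apiVersion: client.authentication.k8s.io/v1beta1',
    '      command: kubectl',
    '      args:',
    '      - oidc-login',
    '      - get-token',
    `      - ${JSON.stringify('--oidc-issuer-url=' + issuer)}`,
    `      - ${JSON.stringify('--oidc-client-id=' + clientId)}`,
    '',
  ].join('\n');
}

// Return the static-credential keys found in a kubeconfig (expected: none for a download).
function findStaticCredentials(yaml) {
  return yaml.split('\n').map((l) => STATIC_CREDENTIAL_KEYS.exec(l)).filter(Boolean).map((m) => m[1]);
}

// Constructed per-environment settings; issuer URL and client ID are placeholders.
const exampleEnv = { server: 'https://api.appuio.cloud/', oidcIssuerUrl: 'https://id.example.test/realms/demo', oidcClientId: 'example-client' };
console.log(buildKubeconfig(exampleEnv));
```

Running `findStaticCredentials` over the rendered file before serving it catches a template change that accidentally embeds a certificate or token in a file anyone may download.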