Open kwiatekus opened 7 months ago
PR from @kyma-project/otters for provisioner: https://github.com/kyma-project/control-plane/pull/3358
Docs from Gardener: https://github.com/gardener/gardener-extension-shoot-oidc-service/blob/master/docs/usage/openidconnects.md
We have it on our TODO list, but right now, based on the current ranked backlog, it will be considered as part of our deliverables in Q2/24.
We agreed on the following implementation on KIM side:
- `oidcConfig`: if missing, KIM will set the operator OIDC configuration (operator = on-call engineer) as default
- `additionalOidcConfigs` (is a list): if the list is empty, KIM will add the first entry to be the Kyma OIDC configuration

See also https://github.com/kyma-project/kyma/issues/18305#issuecomment-2128866460
First implementation is ready for OIDC extender: https://github.com/kyma-project/infrastructure-manager/blob/main/internal/gardener/shoot/extender/oidc.go
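The two defaulting rules agreed above (and restated in the issue's acceptance criteria) plus the "ensure prefixes" work item, as an added example that is not KIM's own code or the oidc extender linked above. The `OIDCConfig` struct is a local copy of the relevant Gardener `core/v1beta1.OIDCConfig` fields so the snippet compiles stand-alone; `RuntimeSpec`, `ApplyOIDCDefaults`, `OperatorPrefixProblems` and the operator/Kyma issuer values are assumptions made up for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// OIDCConfig mirrors the Gardener core/v1beta1.OIDCConfig fields that matter
// here (assumption: a local copy so the example compiles without the Gardener
// module; KIM works on the real API types).
type OIDCConfig struct {
	IssuerURL      string
	ClientID       string
	UsernameClaim  string
	UsernamePrefix string
	GroupsClaim    string
	GroupsPrefix   string
}

// RuntimeSpec is a hypothetical, reduced view of what KEB hands to KIM:
// the shoot-level oidcConfig and the additionalOidcConfigs list.
type RuntimeSpec struct {
	OIDCConfig            *OIDCConfig
	AdditionalOIDCConfigs []OIDCConfig
}

// Constructed placeholder issuers; the real operator and Kyma OIDC providers
// are not part of the issue text.
var (
	operatorOIDC = OIDCConfig{
		IssuerURL:      "https://operator-idp.example.invalid",
		ClientID:       "operator-client",
		UsernameClaim:  "sub",
		UsernamePrefix: "operator:",
		GroupsClaim:    "groups",
		GroupsPrefix:   "operator:",
	}
	kymaOIDC = OIDCConfig{
		IssuerURL:      "https://kyma-idp.example.invalid",
		ClientID:       "kyma-client",
		UsernameClaim:  "sub",
		UsernamePrefix: "kyma:",
		GroupsClaim:    "groups",
		GroupsPrefix:   "kyma:",
	}
)

// ApplyOIDCDefaults implements the two rules from the thread:
//  1. oidcConfig missing            -> set the operator OIDC configuration
//  2. additionalOidcConfigs empty   -> add the Kyma OIDC configuration as first entry
// Values KEB already provided are left untouched.
func ApplyOIDCDefaults(spec RuntimeSpec) RuntimeSpec {
	if spec.OIDCConfig == nil {
		c := operatorOIDC // copy, so callers cannot mutate the shared default
		spec.OIDCConfig = &c
	}
	if len(spec.AdditionalOIDCConfigs) == 0 {
		spec.AdditionalOIDCConfigs = []OIDCConfig{kymaOIDC}
	}
	return spec
}

// OperatorPrefixProblems covers the "ensure prefixes in Operator-facing OIDC"
// work item. With several issuers trusted by one API server, a missing prefix
// lets a token from a customer issuer carrying the same sub/groups claims map
// to the same Kubernetes identity as an operator; a "system:" prefix would
// alias the reserved built-in identities. An empty slice means the config is OK.
func OperatorPrefixProblems(c OIDCConfig) []string {
	var problems []string
	switch {
	case c.UsernamePrefix == "" || c.UsernamePrefix == "-":
		// kube-apiserver treats "-" in --oidc-username-prefix as "no prefix".
		problems = append(problems, "usernamePrefix must be a non-empty prefix")
	case strings.HasPrefix(c.UsernamePrefix, "system:"):
		problems = append(problems, "usernamePrefix must not start with system:")
	}
	switch {
	case c.GroupsPrefix == "":
		problems = append(problems, "groupsPrefix must be a non-empty prefix")
	case strings.HasPrefix(c.GroupsPrefix, "system:"):
		problems = append(problems, "groupsPrefix must not start with system:")
	}
	return problems
}

func main() {
	spec := ApplyOIDCDefaults(RuntimeSpec{}) // nothing provided by KEB
	fmt.Println("oidcConfig issuer:", spec.OIDCConfig.IssuerURL)
	fmt.Println("additionalOidcConfigs[0] issuer:", spec.AdditionalOIDCConfigs[0].IssuerURL)
	for _, p := range OperatorPrefixProblems(OIDCConfig{UsernamePrefix: "-"}) {
		fmt.Println("problem:", p)
	}
}
```

The prefix check is deliberately applied only to the operator-facing entry: the customer's own `OpenIDConnect` resources are theirs to configure, but the operator identity must never be reachable by claims a customer-controlled issuer can mint.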
To unblock customers who are waiting for the enablement of the OIDC extension in Gardener, we updated the Provisioner last week to activate this extension by default for all newly created clusters. So, any newly created SKR cluster will now have the OIDC extension enabled, and customers can configure their own OIDC provider by creating the corresponding CR in their SKR clusters.
It is planned to start the replacement of the Provisioner with KIM (Kyma Infrastructure Manager) by the end of this month. KIM will also enable the OIDC extension by default for all managed clusters.
Technical workplan
- ensure prefixes in Operator-facing OIDC (for username and groups)
- (github.com/gardener/oidc-webhook-authenticator@v0.31.0, gopkg.in/square/go-jose.v2@v2.6.0)
Description
Provisioner should always enable the `shoot-oidc-service` feature flag when provisioning Kyma runtime. When an additional OIDC issuer is requested, provisioner should create this OIDC resource in the provisioned shoot cluster (see https://community.sap.com/t5/additional-blogs-by-sap/using-github-actions-openid-connect-in-kubernetes/ba-p/13542513) and configure a cluster-admin role binding for the subject of the token issued by the additional issuer.

AC
- `oidcConfig` (default value is the Kyma OIDC provider; it will only be set if no configuration is provided by KEB)
- `additionalOidcConfigs` (is a list; if the list is empty, KIM has to set one default entry in the list)

Reasons
It is required for https://github.com/kyma-project/kyma/issues/18305

Attachments
https://github.com/kyma-project/kyma/issues/18519#issuecomment-1918966750
https://github.com/kyma-project/control-plane/tree/main/components/provisioner
Sample resource: