kyma-project / kyma-environment-broker

Kyma Environment Broker
Apache License 2.0

Service binding for Kyma service instance #284

Open pbochynski opened 6 months ago

pbochynski commented 6 months ago

Description
Provide a service binding for a Kyma Runtime instance. The binding should contain all the information needed to connect to the runtime (a KUBECONFIG, or all the information required to build a KUBECONFIG). The binding request can create a TokenRequest and return the token in the binding.

Reasons
Users can create Kyma Runtime instances with the API or the BTP CLI. But the instance cannot be accessed without the user being authenticated (OIDC flow). Therefore any automation flow that involves provisioning Kyma and deploying a workload there cannot be easily implemented. The only way to do that is to use a custom OIDC provider, but that option is not easy to set up and use.

Attachments
Another way to achieve the automation would be https://github.com/kyma-project/kyma/issues/18305

kwiatekus commented 6 months ago

The static bootstrap token created at provisioning is extremely short-lived (~5 min).

pbochynski commented 6 months ago

As we discussed, we should not use a static token. I think the TokenRequest API would be best. KEB can call it directly (without the provisioner / infrastructure manager in the middle) using its own kubeconfig. That would be a quick and easy solution.

PK85 commented 6 months ago

POCs:
1) create a technical user in BTP and, with the BTP CLI, create a Kyma instance and a Kyma binding
2) create a technical user in BTP and create a btpOperator instance, and then with clientCredential create a Kyma instance and a Kyma binding

danail-branekov commented 5 months ago

FWIW, in order to address https://github.com/kyma-project/kyma/issues/18092 in our project we have come up with a script that

The human user has to be a cluster admin in order to be able to create the service account though.
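The two ideas above, KEB calling the TokenRequest API directly with its own kubeconfig and a pre-created ServiceAccount (which only a cluster admin can set up), fit together as one exchange. The following is an added example, not code from kyma-environment-broker or from the script mentioned in the comment: it POSTs a TokenRequest to the ServiceAccount `token` subresource, reads the expiration the API server actually granted rather than the one requested, and wraps the result in a kubeconfig such as a binding could return. The ServiceAccount name `kyma-binding-sa`, the broker credential `keb-admin-token`, the CA bytes and the mock API server are all constructed so the flow runs offline; against a real cluster `request_token` would be pointed at the runtime's API server URL with the broker's real bearer token and CA file.

```python
"""Mint a short-lived ServiceAccount token through the TokenRequest API and
wrap it in a kubeconfig, against a constructed mock of kube-apiserver."""
import base64
import json
import ssl
import threading
import urllib.request
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# kube-apiserver rejects TokenRequests asking for less than 10 minutes and may
# shorten longer requests, so callers must read status.expirationTimestamp.
TOKEN_REQUEST_MIN_SECONDS = 600
BROKER_TOKEN = "keb-admin-token"  # constructed stand-in for the broker's own credential


def build_token_request(expiration_seconds=3600, audiences=None):
    """Body of POST /api/v1/namespaces/{ns}/serviceaccounts/{name}/token."""
    if expiration_seconds < TOKEN_REQUEST_MIN_SECONDS:
        raise ValueError("expirationSeconds must be at least 600")
    spec = {"expirationSeconds": int(expiration_seconds)}
    if audiences:
        spec["audiences"] = list(audiences)  # bind the token to specific verifiers
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": spec}


def request_token(api_server, bearer, namespace, service_account,
                  expiration_seconds=3600, ca_file=None):
    """Call the TokenRequest subresource with the broker's credential and return
    (token, expirationTimestamp). The ServiceAccount and its RBAC binding must
    already exist; creating them needs cluster-admin on the runtime."""
    url = f"{api_server}/api/v1/namespaces/{namespace}/serviceaccounts/{service_account}/token"
    req = urllib.request.Request(
        url, method="POST",
        data=json.dumps(build_token_request(expiration_seconds)).encode(),
        headers={"Authorization": f"Bearer {bearer}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        status = json.load(resp).get("status", {})
    if "token" not in status or "expirationTimestamp" not in status:
        raise RuntimeError("TokenRequest response carries no token/expiration")
    return status["token"], status["expirationTimestamp"]


def build_kubeconfig(cluster, server, ca_data_b64, token):
    """Kubeconfig (JSON is valid YAML for kubectl) carrying only the bound token."""
    user = f"{cluster}-binding"
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": cluster,
        "clusters": [{"name": cluster, "cluster": {"server": server,
                                                   "certificate-authority-data": ca_data_b64}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": cluster, "context": {"cluster": cluster, "user": user}}],
    }


class _MockAPIServer(BaseHTTPRequestHandler):
    """Constructed stand-in for kube-apiserver's TokenRequest handling."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}"
        body = json.loads(raw)
        ok_path = self.path.startswith("/api/v1/namespaces/") and self.path.endswith("/token")
        if self.headers.get("Authorization") != f"Bearer {BROKER_TOKEN}":
            return self._reply(401, {"message": "Unauthorized"})
        if not ok_path or body.get("kind") != "TokenRequest":
            return self._reply(404, {"message": "not a TokenRequest subresource"})
        seconds = body.get("spec", {}).get("expirationSeconds", 3600)
        if seconds < TOKEN_REQUEST_MIN_SECONDS:
            return self._reply(422, {"message": "may not specify a duration less than 10 minutes"})
        expires = datetime.now(timezone.utc) + timedelta(seconds=seconds)
        self._reply(201, {"apiVersion": body["apiVersion"], "kind": "TokenRequest",
                          "spec": body["spec"],
                          "status": {"token": "sa-token-CONSTRUCTED",  # constructed value
                                     "expirationTimestamp": expires.isoformat(
                                         timespec="seconds").replace("+00:00", "Z")}})

    def _reply(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def demo(expiration_seconds=3600):
    """Run the full exchange against the mock; return (kubeconfig, expiration)."""
    srv = HTTPServer(("127.0.0.1", 0), _MockAPIServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        token, expires = request_token(base, BROKER_TOKEN, "kyma-system",
                                       "kyma-binding-sa", expiration_seconds)
        ca = base64.b64encode(b"CONSTRUCTED-CA-PEM").decode()
        return build_kubeconfig("kyma-runtime", base, ca, token), expires
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    cfg, exp = demo()
    print(json.dumps(cfg, indent=2), "\nexpires:", exp)
```

The returned kubeconfig contains no long-lived secret: it holds only the issued token, which expires at the timestamp the API server reports, so a binding built this way can be rotated by simply requesting a new one, and deleting the ServiceAccount or its RBAC binding revokes access for every token minted for it.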

szwedm commented 4 months ago

Next steps should be discussed with @pbochynski @PK85 @piotrmiskiewicz.

kwiatekus commented 3 months ago

@PK85, @tobiscr, @pbochynski wouldn't this Gardener feature offer an alternative, shortcut solution? https://github.com/gardener/gardener/blob/master/docs/usage/shoot_access.md#shootsadminkubeconfig-subresource

PK85 commented 2 months ago

Another meeting with the CIS team is needed.

PK85 commented 1 month ago

We had a meeting again, and we agreed to implement an MVP with Service Bindings. The MVP proposal is already with the CIS team; awaiting timelines.

PK85 commented 1 month ago

MVP proposal, awaiting the CIS team: https://wiki.one.int.sap/wiki/display/kyma/Kyma+Environment+Service+Binding+-+MVP+proposal