maximilianbraun
commented
1 year ago Would love to test it at earliest convinience.
Open pbochynski opened 1 year ago
maximilianbraun
commented
1 year ago Would love to test it at earliest convinience.
kyma-bot
commented
11 months ago This issue or PR has been automatically marked as stale due to the lack of recent activity. Thank you for your contributions.
This bot triages issues and PRs according to the following rules:
lifecycle/stale is appliedlifecycle/stale was applied, the issue is closedYou can:
/remove-lifecycle stale/closeIf you think that I work incorrectly, kindly raise an issue with the problem.
/lifecycle stale
kwiatekus
commented
10 months ago The goal would be to allow kyma users to deploy apps (and run tests ) on the provisioned kyma runtimes in the CI jobs .
Execution can be divided into several stages:
kwiatekus
commented
9 months ago OIDC configuration will be included in the gardener provisioning in q2 https://github.com/kyma-project/infrastructure-manager/issues/381
github-actions[bot]
commented
6 months ago This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.
kwiatekus
commented
6 months ago Kyma Infrastructure Manager (KIM) should apply Operator-Facing OIDC separately from User-facing OIDC(s)
In order to allow this we need to adjust the interfaces: 1) User -> Kyma Environment Broker (KEB)
User should be able to define requiedClaims (key-value pairs)
2) KEB -> KIM
additionalOidcConfigs additionalOidcConfigs[0] with the default User-facing OIDC configoidcConfig with Operator-facing OIDC 3) KIM -> Gardener
shoot-oidc-service extension in shoot CR4) KIM -> Kyma
authentication.gardener.cloud/v1alpha1/OpenIDConnect objects in kyma based on additionalOidcConfigsto avoid unwanted impersonations, we should:
Disper
commented
5 months ago Regarding migration from existing shoots to Runtime CRs.
oidcConfig <- Populate withoidcConfigadditionalOidcConfigs <- Populate as the first entry withoidcConfig 
burkardendres
commented
4 months ago Would be great to have this available soon, as a dependency we want to use requires that and also to bring our kya into production it would be kind of a prerequisite.
tobiscr
commented
2 months ago To unblock customers who are waiting for the enablement of the OIDC extension in GArdener, we updated the Provisioner last week to activate this extension per default for all new created clusters. So, any new created SKR cluster will have the OIDC extension now enabled and customers can configure their own OIDC provider by creating the corresponding CR in their SKR clusters.
It is planned to start the replacement of the Provisioner with KIM (Kyma Infrasturcture Manager) by end of this month. KIM will also per default enable the OIDC extension for all managed clusters.
s-u-b-h-a-k-a-r
commented
2 months ago it would be very helpful to have this available soon, as a dependency we want to use requires that and also to bring our kyma into production it would be kind of a prerequisite and this will help us to manage BTP Kyma Workload via Cloud Orchestrator/Crossplane without the need for manual task
vrenjith
commented
2 months ago It will be super helpful if we have this capability so that we can bootstrap ArgoCD in the provisioned Kyma cluster so that ArgoCD to take over the rest of the deployments that are coming in from the service pipelines.
ptesny
commented
1 month ago It will be super helpful if we have this capability so that we can bootstrap ArgoCD in the provisioned Kyma cluster so that ArgoCD to take over the rest of the deployments that are coming in from the service pipelines.
That's sth which is already done via a terraform based automation module: https://github.com/quovadis-btp/btp-automation/tree/main/btp-context/runtime-context At the end of kyma env provisioning an existing ArgoCD instance is being bootstrapped with the newly created kyma cluster. I also create a dedicated ArgoCD project on-the-fly
I'm trying hard to finalize a public root module which will then allow you to use the above child module. Will keep you posted. Thx
abhijith-darshan
commented
1 month ago This is great news that shoot-oidc-service extension is available in all newly created kyma clusters. What is the timeline to roll this out to already existing SAP Kyma clusters?
tobiscr
commented
4 days ago Sorry for the late reply @abhijith-darshan. We were facing and fixing several unexpected challenges in the new Infrastructure Manager during the last weeks which were again causing delay in our rollout.
Unfortunaltey, we were not able to migrate all productive clusters to the new Kyma Infrastructure Manager yet which is a pre-requisite for releasing the OIDC feature. We are currently finalising the testing phase of KIM and plan to migrate all productive clusters beginning of next year.
Our SRE team will, after KIM was released, migrate all existing clusters to support the new OIDC configuration. @ebensom can provide more details when this migration will happen.
Description Enable the option to trust the additional identity provider compliant with OpenID. The provider can be registered in the Kyma cluster and kubernetes API server will authenticate tokens that match the provider issuer. The complete solution should allow to establish the trust during the provisioning so the cluster can be accessed from fully automated processes (without user presence). To accomplish that the following changes are required:
shoot-oidc-serviceextension for shoot clustersOpenIDConnectresource in the shoot cluster as Kyma instance parameter (KEB)Acceptance Criteria
Reasons Many users request a possibility to deploy software to freshly creaated Kyma clusters in automated way. Changing the default IDP for the cluster is the only solution available for now, but then IDP has to support both human users and service accounts what is usually challenging. With additional OIDC provider it can be used only for system to system authorization and will be much easier to set up.
Links