The Tanzu Core CLI project provides the core functionality of the Tanzu CLI. The CLI is based on a plugin architecture where CLI command functionality can be delivered through independently developed plugin binaries
Apache License 2.0
33
stars
21
forks
source link
Add provision to update the CSP issuer to TCSP #793
This PR adds provision to update the CSP issuer to TCSP
Summary of changes:
Add provision through central configuration to update the CSP issuer from VCSP to TCSP. Also added an option in central configuration so that CLI can react to the configuration flag set in central configuration to update the issuers in the already created contexts.
Which issue(s) this PR fixes
Fixes #
Describe testing done for PR
API_TOKEN testing:
login to TAP pre-integration org using API token using the below central configuration (using the VCSP as default Issuer).
#### central configuration used for testing####
cli.core.cli_recommended_versions:
Now verfiy the $HOME/.config/tanzu/.data-store.yaml file doesn't the entry isCLIContextsUpdatedToTCSPIssuers: true. (This would be set once we set the cli.core.tanzu_cli_config_csp_issuer_update_flag: true on a cutover date to update the current CLI contexts created using the old CLI version or current CLI version using the VCSP Issuer. If we set the update the flag to true the contexts issuers would be updated to TCSP.)
Now set the cli.core.tanzu_cli_config_csp_issuer_update_flag: true in the central config file ~/.cache/tanzu/plugin_inventory/default/central_config.yaml and run any command and verify the context is updated with TCSP issuer.
# running any command would update the CLI contexts to use TCSP issuer instead of VCSP issuer.
❯ ./bin/tanzu version
version: v1.4.0-rc.0
buildDate: 2024-07-12
sha: 6ce31e03
arch: amd64
## you can check the context globalOpts.auth.issuer is updated to TCSP issuer
❯ ./bin/tanzu context get TAP_pre-integration-staging-d03c5c97
name: TAP_pre-integration-staging-d03c5c97
target: tanzu
contextType: tanzu
globalOpts:
endpoint: https://api.tanzu-dev.cloud.vmware.com
auth:
issuer: https://console-stg.tanzu.broadcom.com/csp/gateway/am/api
userName: pkalle
permissions:
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer
- external/5b919bd9-b029-45c7-829d-1a30fad2808e/ensemble:admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member
- csp:project_admin/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj
- csp:org_member
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin
- csp:developer
- csp:project_admin/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin
- csp:org_admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member
- external/5b919bd9-b029-45c7-829d-1a30fad2808e/instance:a8c26706-6514-4374-b825-cdb754e9faa6/ensemble:admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member
accessToken: <REDACTED>
IDToken: <REDACTED>
refresh_token: <REDACTED>
expiration: 2024-07-14T23:40:20.616767-07:00
type: api-token
clusterOpts:
endpoint: https://api.tanzu-dev.cloud.vmware.com/org/ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
path: /Users/pkalle/.config/tanzu/kube/config
context: tanzu-cli-TAP_pre-integration-staging-d03c5c97
additionalMetadata:
tanzuHubEndpoint: https://api.staging-tis.symphony-dev.com/hub
tanzuMissionControlEndpoint: https://tmc.tanzu-dev.cloud.vmware.com
tanzuOrgID: ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
tanzuOrgName: TAP pre-integration
### Now running the project list should fetch the projects, but since the backend UCP is not updated to honor the tokens from TCSP it throws error. This test should be done again when UCP is updated to honor the tokens from both issuers.
❯ ./bin/tanzu project list
Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials
### However if you check the context token expiration, the token was refreshed successfully and token expiry is updated successfully (globalOpts.auth.expiration)
❯ ./bin/tanzu context get TAP_pre-integration-staging-d03c5c97
name: TAP_pre-integration-staging-d03c5c97
target: tanzu
contextType: tanzu
globalOpts:
endpoint: https://api.tanzu-dev.cloud.vmware.com
auth:
issuer: https://console-stg.tanzu.broadcom.com/csp/gateway/am/api
userName: pkalle
permissions:
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer
- external/5b919bd9-b029-45c7-829d-1a30fad2808e/ensemble:admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member
- csp:project_admin/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj
- csp:org_member
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin
- csp:developer
- csp:project_admin/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin
- csp:org_admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member
- external/5b919bd9-b029-45c7-829d-1a30fad2808e/instance:a8c26706-6514-4374-b825-cdb754e9faa6/ensemble:admin
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member
- external/5b919bd9-b029-45c7-829d-1a30fad2808e/instance:a8c26706-6514-4374-b825-cdb754e9faa6/ensemble:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:viewer
- external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:admin
accessToken: <REDACTED>
IDToken: <REDACTED>
refresh_token: <REDACTED>
expiration: 2024-07-15T00:22:23.62953-07:00
type: api-token
clusterOpts:
endpoint: https://api.tanzu-dev.cloud.vmware.com/org/ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
path: /Users/pkalle/.config/tanzu/kube/config
context: tanzu-cli-TAP_pre-integration-staging-d03c5c97
additionalMetadata:
tanzuHubEndpoint: https://api.staging-tis.symphony-dev.com/hub
tanzuMissionControlEndpoint: https://tmc.tanzu-dev.cloud.vmware.com
tanzuOrgID: ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
tanzuOrgName: TAP pre-integration
Interactive login test
Updated the central config to below before running the tests
Also reset the flag in ~/.config/tanzu/.data-store.yaml to isCLIContextsUpdatedToTCSPIssuers: false
Now use login command to login to TAP pre-integration organization using interactive login as shown below
❯ unset TANZU_API_TOKEN
❯ ./bin/tanzu context list
NAME ISACTIVE TYPE PROJECT SPACE
TAP_pre-integration-staging-d03c5c97 true tanzu
[i] Use '--wide' to view additional columns.
❯ ./bin/tanzu context delete TAP_pre-integration-staging-d03c5c97
Deleting the context entry from the config will remove it from the list of tracked contexts. You will need to use tanzu context create to re-create this context. Are you sure you want to continue? [y/N]: y
[i] Deleting kubeconfig context 'tanzu-cli-TAP_pre-integration-staging-d03c5c97' from the file '/Users/pkalle/.config/tanzu/kube/config'
[ok] Successfully deleted context "TAP_pre-integration-staging-d03c5c97"
❯ tanzu config set env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
❯ ./bin/tanzu login --staging --endpoint https://api.tanzu-dev.cloud.vmware.com
[i] This tanzu context is being created using organization ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5 as set in the tanzu configuration (to unset, use tanzu config unset env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID).
[i] Opening the browser window to complete the login
Log in by visiting this link:
https://console-stg.cloud.vmware.com/csp/gateway/discovery?client_id=tanzu-cli-client-id&code_challenge=nDaWX8MbTJYsKO9_LSMldPiBVHPFQdjnoWh3wZqzkmc&code_challenge_method=S256&orgId=ae93ebb4-a249-4553-aa1e-c87c4b7f75e5&redirect_uri=http%3A%2F%2F127.0.0.1%3A56611%2Fcallback&response_type=code&state=f556c3f4ce594330b8eb42c841c748c5
Optionally, paste your authorization code: [...]
[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context
access the ucp project list
❯ ./bin/tanzu project list
Listing projects from TAP pre-integration org
NAME READY AGE
Sriram Test project True 5d4h
abhisheks2 True 5d4h
alb-test True 5d5h
alexd-project True 5d5h
ank-test True 5d5h
[...]
attaching the access_token obtained through interactive login for reference ( you can verify the issuer iss is VCSP issuer)
- Now create a context using context command (using login command would overwrite the existing context) to create a context using TCSP issuer by exproting the environment variable `TANZU_CLI_USE_TANZU_CLOUD_SERVICE_PROVIDER` and verify both contexts works.
❯ ./bin/tanzu context create testTCSPIssureCtx --type tanzu --staging --endpoint https://api.tanzu-dev.cloud.vmware.com
[i] This tanzu context is being created using organization ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5 as set in the tanzu configuration (to unset, use tanzu config unset env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID).
[i] Opening the browser window to complete the login
Log in by visiting this link:
https://console-stg.tanzu.broadcom.com/csp/gateway/discovery?client_id=tanzu-cli-client-id&code_challenge=t8H5L_8LmH9YHGdEXViGjlow_JPjaU2WMqh1SavAaxo&code_challenge_method=S256&orgId=ae93ebb4-a249-4553-aa1e-c87c4b7f75e5&redirect_uri=http%3A%2F%2F127.0.0.1%3A57089%2Fcallback&response_type=code&state=5435ae79b573b407d5445e87cc9f9f75
Optionally, paste your authorization code: [...]
[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context
❯ ./bin/tanzu context list
NAME ISACTIVE TYPE PROJECT SPACE
TAP_pre-integration-staging-d03c5c97 false tanzu
testTCSPIssureCtx true tanzu
[i] Use '--wide' to view additional columns.
As expected at the moment since the backend is not updated to honor the token issued by the new CSP Issuer, it fails
❯ ./bin/tanzu project list
Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials
attaching the acces_token value of the testTCSPIssureCtx context (you can check the issuer iss is TCSP issuer)
- Verified the refresh tokens are obtained from the respective issuers (issuer stored in CLI contexts) for both contexts.(You can do that by modifying the expiration time to past time frame so that CLI would automatically refresh it.
- Now verify that by updating the central config to update the CLI contexts to new Issuer, the `TAP_pre-integration-staging-d03c5c97 ` context created using VCSP would be updated to new Issuer(and existing tokens are invalidated) and when we try to access the UCP plugin list it should trigger the Interactive login and fetch the access token from the new issuer. (Please set `cli.core.tanzu_cli_config_csp_issuer_update_flag: true` in "~/.cache/tanzu/plugin_inventory/default/central_config.yaml" so that CLI would update the issuer to new issuer URL and deactivate the interactive login tokens )
by running any command the CLI context are updated
❯ ./bin/tanzu context list
NAME ISACTIVE TYPE PROJECT SPACE
TAP_pre-integration-staging-d03c5c97 true tanzu
testTCSPIssureCtx false tanzu
[i] Use '--wide' to view additional columns.
Now if you try to access the UCP, it would retrigger the interactive login(old tokens are invalidated) with the new issuer( you can check the login link in the command output pointing to new TCSP Issuer). Though the login was successful, since the backend is not updated to honor the new Issuer, "tanzu project list" command fails which is expected.
❯ ./bin/tanzu project list
[i] Opening the browser window to complete the login
Log in by visiting this link:
https://console-stg.tanzu.broadcom.com/csp/gateway/discovery?client_id=tanzu-cli-client-id&code_challenge=2_iaiJj55Zagp21CfYCMjJeddWyAv7Si_FD0AD9AXHI&code_challenge_method=S256&orgId=ae93ebb4-a249-4553-aa1e-c87c4b7f75e5&redirect_uri=http%3A%2F%2F127.0.0.1%3A58430%2Fcallback&response_type=code&state=aaa4bb878a9553f2b35190bc78026a56
Optionally, paste your authorization code: [...]
Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials
<!-- Example: Created vSphere workload cluster to verify change. -->
### Release note
<!--
Please add a short text (limit to 1 to 2 sentences if possible) in the release-note block below if
there is anything in this PR that is worthy of mention in the next release.
See https://github.com/vmware-tanzu/tanzu-cli/blob/main/docs/release/release-notes.md#does-my-pull-request-need-a-release-note
for more details.
-->
```release-note
Add support to update the CSP issuer to TCSP
What this PR does / why we need it
This PR adds provision to update the CSP issuer to TCSP Summary of changes:
Which issue(s) this PR fixes
Fixes #
Describe testing done for PR
API_TOKEN testing:
❯ ./bin/tanzu login --staging --endpoint https://api.tanzu-dev.cloud.vmware.com [i] API token env var is set
[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context
❯ ./bin/tanzu project list Listing projects from TAP pre-integration org
NAME READY AGE Sriram Test project True 4d17h abhisheks2 True 4d17h alb-test True 4d17h [...]
❯ ./bin/tanzu context get TAP_pre-integration-staging-d03c5c97 name: TAP_pre-integration-staging-d03c5c97 target: tanzu contextType: tanzu globalOpts: endpoint: https://api.tanzu-dev.cloud.vmware.com auth: issuer: https://console-stg.cloud.vmware.com/csp/gateway/am/api userName: pkalle permissions:
$HOME/.config/tanzu/.data-store.yaml
file doesn't the entryisCLIContextsUpdatedToTCSPIssuers: true
. (This would be set once we set thecli.core.tanzu_cli_config_csp_issuer_update_flag: true
on a cutover date to update the current CLI contexts created using the old CLI version or current CLI version using the VCSP Issuer. If we set the update the flag to true the contexts issuers would be updated to TCSP.)Now set the
cli.core.tanzu_cli_config_csp_issuer_update_flag: true
in the central config file~/.cache/tanzu/plugin_inventory/default/central_config.yaml
and run any command and verify the context is updated with TCSP issuer.Interactive login test
~/.config/tanzu/.data-store.yaml
toisCLIContextsUpdatedToTCSPIssuers: false
TAP pre-integration
organization using interactive login as shown below❯ ./bin/tanzu context list NAME ISACTIVE TYPE PROJECT SPACE TAP_pre-integration-staging-d03c5c97 true tanzu
[i] Use '--wide' to view additional columns. ❯ ./bin/tanzu context delete TAP_pre-integration-staging-d03c5c97 Deleting the context entry from the config will remove it from the list of tracked contexts. You will need to use
tanzu context create
to re-create this context. Are you sure you want to continue? [y/N]: y [i] Deleting kubeconfig context 'tanzu-cli-TAP_pre-integration-staging-d03c5c97' from the file '/Users/pkalle/.config/tanzu/kube/config' [ok] Successfully deleted context "TAP_pre-integration-staging-d03c5c97" ❯ tanzu config set env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5 ❯ ./bin/tanzu login --staging --endpoint https://api.tanzu-dev.cloud.vmware.com [i] This tanzu context is being created using organization ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5 as set in the tanzu configuration (to unset, usetanzu config unset env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID
). [i] Opening the browser window to complete the login Log in by visiting this link:[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context
access the ucp project list
❯ ./bin/tanzu project list Listing projects from TAP pre-integration org
NAME READY AGE Sriram Test project True 5d4h abhisheks2 True 5d4h alb-test True 5d5h alexd-project True 5d5h ank-test True 5d5h [...]
attaching the access_token obtained through interactive login for reference ( you can verify the issuer
iss
is VCSP issuer){ "sub": "vmware.com:30236c0a-9626-46f3-ba9f-679776686a95", "iss": "https://console-stg.cloud.vmware.com", "context_name": "ae93ebb4-a249-4553-aa1e-c87c4b7f75e5", "_nonce": "7da40b60-33fd-11ef-9890-2d15ad0bbfa1", "azp": "tanzu-cli-client-id", "authorization_details": [], "domain": "vmware.com", "context": "38846449-0ad5-4211-8ccf-030dc3e2b209", "perms": [ "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member", "csp:org_member", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member" ], "exp": 1721067587, "iat": 1721065787, "jti": "3fb4d34d-a3d9-4a63-a9a7-a95105870744", "acct": "pkalle@vmware.com", "username": "pkalle" }
❯ export TANZU_CLI_USE_TANZU_CLOUD_SERVICE_PROVIDER=true
❯ ./bin/tanzu context create testTCSPIssureCtx --type tanzu --staging --endpoint https://api.tanzu-dev.cloud.vmware.com [i] This tanzu context is being created using organization ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5 as set in the tanzu configuration (to unset, use
tanzu config unset env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID
). [i] Opening the browser window to complete the login Log in by visiting this link:[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context
❯ ./bin/tanzu context list NAME ISACTIVE TYPE PROJECT SPACE TAP_pre-integration-staging-d03c5c97 false tanzu testTCSPIssureCtx true tanzu
[i] Use '--wide' to view additional columns.
As expected at the moment since the backend is not updated to honor the token issued by the new CSP Issuer, it fails
❯ ./bin/tanzu project list Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials
attaching the acces_token value of the testTCSPIssureCtx context (you can check the issuer
iss
is TCSP issuer){ "sub": "vmware.com:30236c0a-9626-46f3-ba9f-679776686a95", "iss": "https://console-stg.tanzu.broadcom.com", "context_name": "ae93ebb4-a249-4553-aa1e-c87c4b7f75e5", "_nonce": "5bb05470-42d3-11ef-80b0-b13079511a9f", "azp": "tanzu-cli-client-id", "authorization_details": [], "domain": "vmware.com", "context": "38846449-0ad5-4211-8ccf-030dc3e2b209", "perms": [ "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member", "csp:org_member", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:viewer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:admin", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member", "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member" ], "exp": 1721067902, "iat": 1721066102, "jti": "d8cf0762-0db1-452e-8988-329e8c6e892a", "acct": "pkalle@vmware.com", "username": "pkalle" }
by running any command the CLI context are updated
❯ ./bin/tanzu version version: v1.4.0-rc.0 buildDate: 2024-07-12 sha: 6ce31e03 arch: amd64
❯ ./bin/tanzu context list NAME ISACTIVE TYPE PROJECT SPACE TAP_pre-integration-staging-d03c5c97 true tanzu testTCSPIssureCtx false tanzu
[i] Use '--wide' to view additional columns.
Now if you try to access the UCP, it would retrigger the interactive login(old tokens are invalidated) with the new issuer( you can check the login link in the command output pointing to new TCSP Issuer). Though the login was successful, since the backend is not updated to honor the new Issuer, "tanzu project list" command fails which is expected.
❯ ./bin/tanzu project list [i] Opening the browser window to complete the login Log in by visiting this link:
Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials
Additional information
Special notes for your reviewer