Comments (7)
@Disper Yes, AFAIK this is expected behavior, as tokens obtained via Gardener TokenRequest are OIDC tokens with an `exp` field. When a new token is requested via the API, the old tokens are not invalidated; they are still valid until their expiration.
from infrastructure-manager.
The POC code is here: kyma-project/control-plane#3017.
What needs to be done to productise the POC:
- Code fetching the dynamic kubeconfig from Gardener
- Kubeconfigs for the shoot cluster and the control plane need to be passed
- Tests and code implemented as part of the POC must be reviewed and refined.
- Cluster CR status needs to be set when an error occurs, or when the operator successfully creates/rotates the secret
from infrastructure-manager.
Workplan:
- Secret creation
- Secret deletion
- Secret rotation functionality
- Additional stuff
from infrastructure-manager.
There are a couple of things to be done as a follow-up:
- Context management: we should probably pass the context from the reconciliation loop everywhere
- Getting the secret: there is no need to find the secret by label, as the `GardenerCluster` spec contains the secret name
from infrastructure-manager.
Currently, the secret is rotated both periodically and when `operator.kyma-project.io/force-kubeconfig-rotation` is added to the `GardenerCluster` CR. That means that the secret's `.data.config` is regenerated and `.metadata.annotations.operator.kyma-project.io/last-sync` is updated with the time of the rotation.
from infrastructure-manager.
As of now, if you get the kubeconfig from that secret using e.g. `k get secret kubeconfig-md-im -n kcp-system -ojsonpath={.data.config} | base64 -D > ~/kubeconfig.yaml`, you will still be able to access the cluster with that kubeconfig after the secret is rotated, regardless of whether the rotation happened periodically or was forced.
@ebensom could you help us understand whether this is acceptable behavior?
from infrastructure-manager.
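The two comments above (the `exp`-field explanation and the `kubectl`/`base64` extraction) describe a rotation that does not revoke: a kubeconfig pulled from the secret before rotation keeps working until its token's `exp`. The following Go program is an added example, not code from the infrastructure-manager repository or from the commenters. It decodes a secret's `.data.config`, pulls the bearer token out of the kubeconfig with a simple line scan (a real tool would load the YAML with client-go's `clientcmd`), reads the `exp` claim without verifying the signature, and reports how long an already-extracted kubeconfig stays usable after a rotation. The kubeconfig, the `example` subject, the `api.example.invalid` server and the placeholder signature are all constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// kubeconfigFromSecretData reverses the `| base64 -D` step from the thread:
// the secret's .data.config field holds the kubeconfig base64-encoded.
func kubeconfigFromSecretData(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encoded))
	if err != nil {
		return "", fmt.Errorf("decode .data.config: %w", err)
	}
	return string(raw), nil
}

var tokenLine = regexp.MustCompile(`(?m)^\s*token:\s*(\S+)`)

// tokenFromKubeconfig pulls the first bearer token out of a kubeconfig.
// A line scan is enough for the fixed layout assumed here (constructed sample).
func tokenFromKubeconfig(kubeconfig string) (string, error) {
	m := tokenLine.FindStringSubmatch(kubeconfig)
	if m == nil {
		return "", errors.New("no token: field in kubeconfig")
	}
	return m[1], nil
}

// tokenExpiry reads the exp claim from a JWT payload without verifying the
// signature: verification is the API server's job, we only want the lifetime.
func tokenExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parse JWT claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("JWT has no exp claim")
	}
	return time.Unix(claims.Exp, 0).UTC(), nil
}

// remainingValidity: how long past `now` does the kubeconfig's token keep
// working? Rotating the secret issues a new token; it never shortens this.
func remainingValidity(kubeconfig string, now time.Time) (time.Duration, error) {
	tok, err := tokenFromKubeconfig(kubeconfig)
	if err != nil {
		return 0, err
	}
	exp, err := tokenExpiry(tok)
	if err != nil {
		return 0, err
	}
	return exp.Sub(now), nil
}

// constructedKubeconfig builds a sample kubeconfig whose unsigned JWT carries
// the given exp. Constructed for this example; the signature is a placeholder.
func constructedKubeconfig(exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"sub":"example","exp":%d}`, exp.Unix())))
	token := header + "." + payload + ".placeholder-signature"
	return fmt.Sprintf(`apiVersion: v1
kind: Config
clusters:
- name: shoot
  cluster: {server: https://api.example.invalid}
users:
- name: shoot-user
  user:
    token: %s
`, token)
}

func main() {
	exp := time.Date(2024, 1, 1, 1, 0, 0, 0, time.UTC)
	// What the kubeconfig secret's .data.config field would hold.
	secretData := base64.StdEncoding.EncodeToString([]byte(constructedKubeconfig(exp)))
	kubeconfig, err := kubeconfigFromSecretData(secretData)
	if err != nil {
		panic(err)
	}
	rotatedAt := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	left, err := remainingValidity(kubeconfig, rotatedAt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("secret rotated at %s; kubeconfig read earlier still works for %s\n", rotatedAt.Format(time.RFC3339), left)
}
```

Running it shows the point the thread makes: a secret rotated at 00:00 whose previous token expires at 01:00 leaves that token usable for the full remaining hour. The window in which a copied kubeconfig keeps working is therefore bounded by the TokenRequest expiration, not by how often the operator rotates the secret, which is what a reviewer should check when deciding whether rotation alone is an acceptable response to a leaked kubeconfig.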
We will do a tiny refactoring in the code to reflect that we're not doing revocation, but rotation. It will not affect the functionality, so I'm closing the issue.
from infrastructure-manager.