Allow overriding secretKey for kubeconfig #78
Conversation
kvaps
force-pushed
the
override-secret-key
branch
3 times, most recently
from
a1c7eac to
d57dc5f
Compare
kvaps
changed the title
|
Ah that was just a draft, thanks for your corrections. PR updated and ready for review. |
kvaps
force-pushed
the
override-secret-key
branch
from
d57dc5f to
e005162
Compare
kvaps
force-pushed
the
override-secret-key
branch
from
e005162 to
d760af7
Compare
|
I'm thinking of the use case you're trying to solve, here, also considering the discussion we had on Slack. Don't you think it would be better to have the TenantControlPlane exposed using the I'm a bit worried about the too many knobs we could introduce: although you know what you're doing other users could be able to shoot themselves in the foot, and this is something that must be carefully prevented to ensure the onboarding process works as expected. Happy to chat. |
|
Sure, it's open for discussion. I suggested using an annotation because this setup might be uncommon. Alternatively, I think we can introduce an option that will be completely understandable to everyone. For example, What do you think? |
|
Hello. I like this PR. Because I would prefer use super-admin.conf as generic kubeconfig (based on 'system:master' Group to prevent losing access capi to managed kubernetes clusters) |
|
@kvaps if we get clastix/kamaji#408 merged first, we could reuse the constant defined in the root repository. Overall, LGTM. |
kvaps
force-pushed
the
override-secret-key
branch
from
d760af7 to
d89c48c
Compare
|
@prometherion PR rebased. But now it depends on imported lib, so please review and merge #93 first |
|
@kvaps merged, please, rebase so we can use the last code base from Kamaji, thanks! |
kvaps
force-pushed
the
override-secret-key
branch
2 times, most recently
from
86ab061 to
19b83d6
Compare
During reconciliation, the control plane provider copies the content from the secret provided by Kamaji, named <cluster>-admin-kubeconfig, into a generic Cluster API secret, <cluster>-kubeconfig, which can then be used by the bootstrap provider and other cluster components. This change introduces a new annotation, kamaji.clastix.io/kubeconfig-secret-key, for the KamajiControlPlane resource. This annotation instructs the control plane provider to read the kubeconfig from a specific key (the default one is admin.conf). Example: ``` kamaji.clastix.io/kubeconfig-secret-key: admin.svc ``` This will instruct the system to use `admin.svc` a kubeconfig with a local service FQDN (introduced by clastix/kamaji#403). Signed-off-by: Andrei Kvapil <[email protected]>
kvaps
force-pushed
the
override-secret-key
branch
from
19b83d6 to
eb42e0e
Compare
|
job is done |
During reconciliation, the control plane provider copies the content from the secret provided by Kamaji, named -admin-kubeconfig, into a generic Cluster API secret, -kubeconfig, which can then be used by the bootstrap provider and other cluster components.
This change introduces a new annotation, kamaji.clastix.io/kubeconfig-secret-key, for the KamajiControlPlane resource. This annotation instructs the control plane provider to read the kubeconfig from a specific key (the default one is admin.conf).
Example:
This will instruct the system to use
super-admin.svca kubeconfig with a local service FQDN (introduced by clastix/kamaji#403).And also copy this annotation for TenantControlPlane object (see: clastix/kamaji#408)
requires #93 to get merged first