DEV Community: Quovadis The latest articles on DEV Community by Quovadis (@quovadis). https://dev.to/quovadis https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2598580%2Fc9a91172-852c-4f9e-ba78-f72df640c832.png DEV Community: Quovadis https://dev.to/quovadis en SAP BTP Kyma blueprints Quovadis Sun, 22 Dec 2024 15:08:46 +0000 https://dev.to/quovadis/sap-btp-kyma-blueprints-2cjf https://dev.to/quovadis/sap-btp-kyma-blueprints-2cjf <h2> SAP BTP Kyma headless kubeconfig with SAP Cloud Identity Services and kyma runtime environment bindings. </h2> <h3> Table of Contents </h3> <ul> <li>kubeconfig with the authorization-code authentication flow.</li> <li>kubeconfig with the password grant type authentication flow</li> <li><p>kubeconfig with kyma runtime environment service bindings</p></li> <li><p>Glossary</p></li> <li><p>References</p></li> </ul> <h3 id="oidc-kubeconfig">kubeconfig with the authorization-code authentication flow.</h3> <p>This is the <a href="https://help.sap.com/docs/btp/sap-business-technology-platform/authentication-in-kyma-environment?q=kyma" rel="noopener noreferrer">default</a> <em>kubeconfig</em> option with kyma clusters and requires named user(s) be defined with the global SAP ID tenant and have RBAC cluster-admin role binding(s) defined for these SAP ID users as well.<br> oidc kubeconfig <br> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Config</span> <span class="na">current-context</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">certificate-authority-data</span><span class="pi">:</span> <span class="s">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1akNDQWs2Z0F3SUJBZ0lRYzRZRXZHOTZLdzRS0tLS0tCg==</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://api.&lt;shoot&gt;.kyma.ondemand.com</span> <span class="na">contexts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">user</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">user</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">client.authentication.k8s.io/v1beta1</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">get-token</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--oidc-issuer-url=https://&lt;tenant-name&gt;.accounts.ondemand.com"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--oidc-client-id=6fcadde1-2660-466a-8d30-***"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--oidc-extra-scope=email"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--oidc-extra-scope=openid"</span> <span class="na">command</span><span class="pi">:</span> <span class="s">kubectl-oidc_login</span> <span class="na">installHint</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">kubelogin plugin is required to proceed with authentication</span> <span class="s"># Homebrew (macOS and Linux)</span> <span class="s">brew install int128/kubelogin/kubelogin</span> <span class="s"># Krew (macOS, Linux, Windows and ARM)</span> <span class="s">kubectl krew install oidc-login</span> <span class="s"># Chocolatey (Windows)</span> <span class="s">choco install kubelogin</span> </code></pre> </div> </p> <p>However, such an <em>oidc user</em> based kubeconfig is not suitable for use in headless and/or unmanned environments, for instance, in the remote development pipelines, github action workflows, etc.</p> <h3 id="headless-kubeconfig">kubeconfig with the password grant type authentication flow.</h3> <p>A <a href="https://help.sap.com/docs/btp/sap-business-technology-platform/configure-custom-identity-provider-for-kyma?q=kyma" rel="noopener noreferrer">custom</a> SAP Cloud Identity Service tenant with a public client OIDC application are required to achieve this goal.</p> <div class="table-wrapper-paragraph"><table> <tbody> <tr> <td> <h1><a href="https://help.sap.com/docs/btp/sap-business-technology-platform/authentication-and-authorization-in-kyma-environment?q=kyma#default-identity-provider-for-kubernetes-access" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxnkn8y4i731jutwtdmav.png" alt="" width="800" height="441"></a></h1> </td> </tr> </tbody> </table></div> <p>The SAP IAS application automation details can be found in the following blog post, namely: <a href="https://community.sap.com/t5/technology-blogs-by-sap/configure-custom-sap-ias-tenant-with-sap-btp-kyma-runtime-environment/ba-p/13676954" rel="noopener noreferrer">Configure Custom SAP IAS tenant with SAP BTP Kyma runtime environment</a>.</p> <p> kyma custom identity application <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"btp_subaccount_entitlement"</span> <span class="s2">"identity_application"</span> <span class="p">{</span> <span class="nx">subaccount_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">btp_subaccount</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"identity"</span> <span class="nx">plan_name</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"btp_subaccount_service_plan"</span> <span class="s2">"identity_application"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">btp_subaccount_entitlement</span><span class="p">.</span><span class="nx">identity_application</span><span class="p">]</span> <span class="nx">subaccount_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">btp_subaccount</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">id</span> <span class="nx">offering_name</span> <span class="p">=</span> <span class="s2">"identity"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"btp_subaccount_service_instance"</span> <span class="s2">"identity_application"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">btp_subaccount_trust_configuration</span><span class="p">.</span><span class="nx">custom_idp</span><span class="p">]</span> <span class="nx">subaccount_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">btp_subaccount</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ias-local"</span> <span class="nx">serviceplan_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">btp_subaccount_service_plan</span><span class="p">.</span><span class="nx">identity_application</span><span class="p">.</span><span class="nx">id</span> <span class="nx">parameters</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">user-access</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="nx">oauth2-configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">grant-types</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"authorization_code"</span><span class="p">,</span> <span class="s2">"authorization_code_pkce_s256"</span><span class="p">,</span> <span class="s2">"password"</span><span class="p">,</span> <span class="s2">"refresh_token"</span> <span class="p">],</span> <span class="nx">token-policy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">token-validity</span> <span class="p">=</span> <span class="mi">3600</span><span class="p">,</span> <span class="nx">refresh-validity</span> <span class="p">=</span> <span class="mi">15552000</span><span class="p">,</span> <span class="nx">refresh-usage-after-renewal</span> <span class="p">=</span> <span class="s2">"off"</span><span class="p">,</span> <span class="nx">refresh-parallel</span> <span class="p">=</span> <span class="mi">3</span><span class="p">,</span> <span class="nx">access-token-format</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="p">},</span> <span class="nx">public-client</span> <span class="p">=</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">redirect-uris</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"https://dashboard.kyma.cloud.sap"</span><span class="p">,</span> <span class="s2">"http://localhost:8000"</span> <span class="p">]</span> <span class="p">},</span> <span class="nx">subject-name-identifier</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">attribute</span> <span class="p">=</span> <span class="s2">"mail"</span><span class="p">,</span> <span class="nx">fallback-attribute</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">},</span> <span class="nx">default-attributes</span> <span class="p">=</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">assertion-attributes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="s2">"mail"</span><span class="p">,</span> <span class="nx">groups</span> <span class="p">=</span> <span class="s2">"companyGroups"</span><span class="p">,</span> <span class="nx">first_name</span> <span class="p">=</span> <span class="s2">"firstName"</span><span class="p">,</span> <span class="nx">last_name</span> <span class="p">=</span> <span class="s2">"lastName"</span><span class="p">,</span> <span class="nx">login_name</span> <span class="p">=</span> <span class="s2">"loginName"</span><span class="p">,</span> <span class="nx">mail</span> <span class="p">=</span> <span class="s2">"mail"</span><span class="p">,</span> <span class="nx">scope</span> <span class="p">=</span> <span class="s2">"companyGroups"</span><span class="p">,</span> <span class="nx">user_uuid</span> <span class="p">=</span> <span class="s2">"userUuid"</span><span class="p">,</span> <span class="nx">locale</span> <span class="p">=</span> <span class="s2">"language"</span> <span class="p">},</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.BTP_KYMA_NAME}-${var.BTP_KYMA_PLAN}-${data.btp_subaccount.context.id}"</span><span class="p">,</span> <span class="nx">display-name</span> <span class="p">=</span> <span class="s2">"${var.BTP_KYMA_NAME}-${var.BTP_KYMA_PLAN}"</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <br> Last but not least, fetching a short lived kubeconfig user token requires a technical user's name and password with a public OIDC client of a custom SAP Cloud Identity Services tenant.</p> <p> user token headless kubeconfig <p>The technical user and password should be kept in a secured vault.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Config</span> <span class="na">current-context</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">certificate-authority-data</span><span class="pi">:</span> <span class="s">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1akNDQWs2Z0F3SUJBZ0lRYzRZRXZHOTZLdzRS0tLS0tCg==</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://api.&lt;shoot&gt;.kyma.ondemand.com</span> <span class="na">contexts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">user</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">user</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">client.authentication.k8s.io/v1"</span> <span class="na">interactiveMode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Never"</span> <span class="na">command</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bash"</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-c"</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">set -e -o pipefail</span> <span class="s">ISSUER=$(btp get services/binding --name ias-local-binding | jq -r '.credentials | { clientid, url: (.url+ "/oauth2/token") }' )</span> <span class="s">echo ::debug:: ISSUER content: "$(echo "$ISSUER" )" &gt;&amp;2</span> <span class="s">IDTOKEN=$(curl -X POST $(echo $ISSUER | jq -r '. | .url' ) \</span> <span class="s">-H 'Content-Type: application/x-www-form-urlencoded' \</span> <span class="s">-d 'grant_type=password' \</span> <span class="s">-d 'username='"$QUOVADIS_USERNAME" \</span> <span class="s">-d 'password='"$QUOVADIS_PASSWORD" \</span> <span class="s">-d 'client_id='$(echo $ISSUER | jq -r '. | .clientid' ) \</span> <span class="s">-d 'scope=groups, email' \</span> <span class="s">| jq -r '. | .id_token ' ) </span> <span class="s"># Print decoded token information for debugging purposes</span> <span class="s">echo ::debug:: JWT content: "$(echo "$IDTOKEN" | jq -c -R 'split(".") | .[1] | @base64d | fromjson')" &gt;&amp;2</span> <span class="s">cat &lt;&lt; EOF</span> <span class="s">{</span> <span class="s">"apiVersion": "client.authentication.k8s.io/v1",</span> <span class="s">"kind": "ExecCredential",</span> <span class="s">"status": {</span> <span class="s">"token": "$IDTOKEN"</span> <span class="s">}</span> <span class="s">}</span> <span class="s">EOF</span> </code></pre> </div> <br> </p> <h3 id="service-bindings-kubeconfig">kubeconfig with kymaruntime environment service bindings</h3> <p>This mechanism allows to acquire a short-lived, service account token based kubeconfig during the provisioning of a kymaruntime environment.</p> <p>An instance of a cis-local plan <a href="https://discovery-center.cloud.sap/serviceCatalog/cloud-management-service?region=all" rel="noopener noreferrer">Cloud Management service</a> must be provisioned as well for this to work.</p> <div class="table-wrapper-paragraph"><table> <tbody> <tr> <td> <h1><a href="https://help.sap.com/docs/btp/sap-business-technology-platform/managing-kyma-runtime-using-provisioning-service-api" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrvdaeuarikexpnoxupr.png" alt="" width="800" height="478"></a></h1> <h1><a href="https://help.sap.com/docs/btp/sap-business-technology-platform/managing-kyma-runtime-using-provisioning-service-api" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvwet5zm41hsy7c5gi0u8.png" alt="" width="800" height="472"></a></h1> </td> </tr> </tbody> </table></div> <p>The kymaruntime kubeconfig is returned from the <a href="https://api.sap.com/api/APIProvisioningService/path/createEnvironmentInstanceBinding" rel="noopener noreferrer">SAP Provisioning Service environment bindings API</a>, as follows:</p> <div class="table-wrapper-paragraph"><table> <tbody> <tr> <td> <h1><a href="https://api.sap.com/api/APIProvisioningService/path/createEnvironmentInstanceBinding" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4vcntu0ah877nb108uqp.png" alt="" width="800" height="598"></a></h1> <h1><a href="https://help.sap.com/docs/btp/sap-business-technology-platform/managing-kyma-runtime-using-provisioning-service-api" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuw91wlapb7wjhs71369e.png" alt="" width="800" height="284"></a></h1> </td> </tr> </tbody> </table></div> <p> kymaruntime kubeconfig <br> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Config</span> <span class="na">current-context</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">certificate-authority-data</span><span class="pi">:</span> <span class="s">LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1ekNDQWsrZ0F3SUJBZ0lSQU42Q0VSVElGSUNBVEUtLS0tLQo=</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://api.&lt;shoot&gt;.kyma.ondemand.com</span> <span class="na">contexts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">user</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">garden-kyma--&lt;shoot&gt;-external</span> <span class="na">user</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">eyJhbGciOiJSUzI1NiIsImtpZCI6IjFxQW56bFp2SnlVNmRwdDBYMnhhbVJLOXV3UjNqOgkyKI-xVJ_LUWqAkm3ek1m4eC8DqMO0WAm4xP-dpwOKho-Uu9-Ls7Y</span> </code></pre> </div> </p> <h2 id="glossary">Glossary</h2> <ul> <li> <p>SAP BTP Kyma Authentication Configurations</p> <ul> <li><a href="https://claude.site/artifacts/f8fe097f-0421-44de-9e77-5d3d912d8433" rel="noopener noreferrer">https://claude.site/artifacts/f8fe097f-0421-44de-9e77-5d3d912d8433</a></li> </ul> </li> <li> <p>Password Grant Type Authentication Setup</p> <ul> <li><a href="https://claude.site/artifacts/462ab590-c570-4215-9153-7c633ddd21f4" rel="noopener noreferrer">https://claude.site/artifacts/462ab590-c570-4215-9153-7c633ddd21f4</a></li> </ul> </li> <li> <p>Kyma Runtime Environment Bindings Configuration</p> <ul> <li><a href="https://claude.site/artifacts/730ba679-8130-4155-a6b3-52caf9ad7ca6" rel="noopener noreferrer">https://claude.site/artifacts/730ba679-8130-4155-a6b3-52caf9ad7ca6</a></li> </ul> </li> </ul> <h2 id="additional-resource">References</h2> <ul> <li><p><a href="https://help.sap.com/docs/btp/sap-business-technology-platform/6a2c1ab5a31b4ed9a2ce17a5329e1dd8.html?q=kyma" rel="noopener noreferrer">SAP Business Technology Platform - Kyma Runtime</a></p></li> <li><p><a href="https://help.sap.com/docs/btp/sap-business-technology-platform/managing-kyma-runtime-using-provisioning-service-api" rel="noopener noreferrer">Managing Kyma Runtime Using the Provisioning Service API</a></p></li> <li><p><a href="https://community.sap.com/t5/technology-blogs-by-sap/configure-custom-sap-ias-tenant-with-sap-btp-kyma-runtime-environment/ba-p/13676954" rel="noopener noreferrer">Configure Custom SAP IAS tenant with SAP BTP Kyma runtime environment</a></p></li> <li><p><a href="https://community.sap.com/t5/technology-q-a/how-to-configure-github-identity-federation-with-sap-btp-kyma/qaq-p/12684314" rel="noopener noreferrer">How to configure GitHub Identity Federation with SAP BTP, Kyma?</a></p></li> <li><p><a href="https://community.sap.com/t5/additional-blogs-by-sap/using-github-actions-openid-connect-in-kubernetes/ba-p/13542513" rel="noopener noreferrer">Using GitHub Actions OpenID Connect in Kubernetes</a></p></li> <li><p><a href="https://community.sap.com/t5/additional-blogs-by-sap/using-github-actions-openid-connect-in-kubernetes/ba-p/13542513#utilizing-a-kubernetes-credential-plugin" rel="noopener noreferrer">Utilizing a Kubernetes Credential Plugin</a></p></li> </ul> quovadis quovadiskyma btpkymablueprints Terraform stories. Quovadis Sat, 21 Dec 2024 21:52:29 +0000 https://dev.to/quovadis/terraform-stories-5deh https://dev.to/quovadis/terraform-stories-5deh <h2> SAP Kyma with dynamic OIDC credentials with HCP Terraform </h2> <p>HCP Terraform already supports <a href="https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration#use-dynamic-credentials-with-the-kubernetes-and-helm-providers" rel="noopener noreferrer">dynamic credentials</a> with Kubernetes providers with AWS and GCP platforms.</p> <p>I have extended this support to SAP BTP, Kyma runtime clusters with SAP Business Technology Platform. </p> <p>Let's see how...</p> <h3> 1. <a href="https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration#configure-kubernetes" rel="noopener noreferrer">Configure Kubernetes</a> </h3> <h4> Configure HCP Terraform OIDC identity provider with SAP Kyma cluster. </h4> <p>SAP Kyma supports the gardener's <a href="https://github.com/gardener/gardener-extension-shoot-oidc-service" rel="noopener noreferrer">oidc-shoot-extension</a>, thus, effectively allowing for an arbitrary number of OIDC providers in a single shoot cluster.</p> <p>The following has to be done upfront during the kyma cluster bootstrapping phase.</p> <p> OpenIDConnect_HCP <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">OpenIDConnect_HCP</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="s2">"apiVersion"</span><span class="err">:</span> <span class="s2">"authentication.gardener.cloud/v1alpha1"</span><span class="p">,</span> <span class="s2">"kind"</span><span class="err">:</span> <span class="s2">"OpenIDConnect"</span><span class="p">,</span> <span class="s2">"metadata"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"name"</span><span class="err">:</span> <span class="s2">"terraform-cloud"</span> <span class="p">},</span> <span class="s2">"spec"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"issuerURL"</span><span class="err">:</span> <span class="s2">"https://app.terraform.io"</span><span class="p">,</span> <span class="s2">"clientID"</span><span class="err">:</span> <span class="s2">"terraform-cloud"</span><span class="p">,</span> <span class="s2">"usernameClaim"</span><span class="err">:</span> <span class="s2">"sub"</span><span class="p">,</span> <span class="s2">"usernamePrefix"</span><span class="err">:</span> <span class="s2">"-"</span><span class="p">,</span> <span class="s2">"groupsClaim"</span><span class="err">:</span> <span class="s2">"terraform_organization_name"</span><span class="p">,</span> <span class="s2">"groupsPrefix"</span><span class="err">:</span> <span class="s2">""</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"terraform_data"</span> <span class="s2">"bootstrap-tfc-oidc"</span> <span class="p">{</span> <span class="nx">triggers_replace</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">always_run</span> <span class="p">=</span> <span class="s2">"${timestamp()}"</span> <span class="p">}</span> <span class="c1"># the input becomes a definition of an OpenIDConnect provider as a non-sensitive json encoded string </span> <span class="c1">#</span> <span class="nx">input</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">nonsensitive</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">OpenIDConnect_HCP</span><span class="p">)</span> <span class="p">]</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">interpreter</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"/bin/bash"</span><span class="p">,</span> <span class="s2">"-c"</span><span class="p">]</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> ( KUBECONFIG=kubeconfig-headless.yaml NAMESPACE=quovadis-btp set -e -o pipefail ;\ curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl chmod +x kubectl while ! ./kubectl get crd openidconnects.authentication.gardener.cloud --kubeconfig $KUBECONFIG; do echo "Waiting for OpenIDConnect CRD..."; sleep 1; done ./kubectl wait --for condition=established crd openidconnects.authentication.gardener.cloud --timeout=480s --kubeconfig $KUBECONFIG crd=$(./kubectl get crd openidconnects.authentication.gardener.cloud --kubeconfig $KUBECONFIG -ojsonpath='{.metadata.name}' --ignore-not-found) if [ "$crd" = "openidconnects.authentication.gardener.cloud" ] then OpenIDConnect='${self.input[0]}' echo $(jq -r '.' &lt;&lt;&lt; $OpenIDConnect) echo $OpenIDConnect echo | ./kubectl get nodes --kubeconfig $KUBECONFIG ./kubectl create ns $NAMESPACE --kubeconfig $KUBECONFIG --dry-run=client -o yaml | ./kubectl apply --kubeconfig $KUBECONFIG -f - ./kubectl label namespace $NAMESPACE istio-injection=enabled --kubeconfig $KUBECONFIG echo $OpenIDConnect | ./kubectl apply --kubeconfig $KUBECONFIG -n $NAMESPACE -f - else echo $crd fi ) </span><span class="no"> EOF </span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> </p> <p>As a result, the following OpenIDConnect CR will become available in your kyma cluster.</p> <div class="table-wrapper-paragraph"><table> <tbody> <tr> <td> <h1><a href="https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration#use-dynamic-credentials-with-the-kubernetes-and-helm-providers" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frlav29tx69hxrayjlcr2.png" alt="" width="800" height="582"></a></h1> </td> </tr> </tbody> </table></div> <p>The OIDC identity resolves the authentication requests to the Kubernetes API. However, it must be first authorised to interact with the cluster API.<br><br> In order to do so, one must create custom cluster roles to the terraform OIDC identity in the kyma cluster with either "User" and/or "Group" subjects.</p> <p>For OIDC identities coming from TFC (HCP Terraform), the role binding "User" value is formatted as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>organization:&lt;MY-ORG-NAME&gt;:project:&lt;MY-PROJECT-NAME&gt;:workspace:&lt;MY-WORKSPACE-NAME&gt;:run_phase:&lt;plan|apply&gt;. </code></pre> </div> <p>I have opted for generating these RBAC identities in the initial kyma cluster terraform configuration, thus, adding both <strong>plan</strong> and <strong>apply</strong> phase identities to the initial kyma runtime environment configuration as <a href="https://help.sap.com/docs/btp/sap-business-technology-platform/provisioning-and-update-parameters-in-kyma-environment#administrators" rel="noopener noreferrer">administrators</a>.</p> <p> User identities <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="err">/</span> <span class="nx">https</span><span class="err">:</span><span class="c1">//developer.hashicorp.com/terraform/cloud-docs/run/run-environment#environment-variables</span> <span class="c1">//</span> <span class="nx">variable</span> <span class="s2">"TFC_WORKSPACE_NAME"</span> <span class="p">{</span> <span class="c1">// HCP Terraform automatically injects the following environment variables for each run. </span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the workspace used in this run."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"TFC_PROJECT_NAME"</span> <span class="p">{</span> <span class="c1">// HCP Terraform automatically injects the following environment variables for each run. </span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the project used in this run."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"TFC_WORKSPACE_SLUG"</span> <span class="p">{</span> <span class="c1">// HCP Terraform automatically injects the following environment variables for each run. </span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The slug consists of the organization name and workspace name, joined with a slash."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="c1">// organization:&lt;MY-ORG-NAME&gt;:project:&lt;MY-PROJECT-NAME&gt;:workspace:&lt;MY-WORKSPACE-NAME&gt;:run_phase:&lt;plan|apply&gt;.</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">organization_name</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">TFC_WORKSPACE_SLUG</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">user_plan</span> <span class="p">=</span> <span class="s2">"organization:${local.organization_name}:project:${var.TFC_PROJECT_NAME}:workspace:${var.TFC_WORKSPACE_NAME}:run_phase:plan"</span> <span class="nx">user_apply</span> <span class="p">=</span> <span class="s2">"organization:${local.organization_name}:project:${var.TFC_PROJECT_NAME}:workspace:${var.TFC_WORKSPACE_NAME}:run_phase:apply"</span> <span class="p">}</span> </code></pre> </div> </p> <p>This way, as soon as the kyma runtime environment has been provisioned, the required identities are in place in the kyma cluster.</p> <p>After the kyma cluster has been bootstrapped with the HCP Terraform’s OIDC provider in place, one can bind RBAC roles to groups.</p> <p> Group identity <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_cluster_role_binding_v1"</span> <span class="s2">"oidc_role"</span> <span class="p">{</span> <span class="c1">//depends_on = [ &lt;list of dependencies&gt; ] </span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"terraform-identity-admin"</span> <span class="p">}</span> <span class="c1">//</span> <span class="c1">// Groups are extracted from the token claim designated by 'rbac_group_oidc_claim'</span> <span class="c1">//</span> <span class="nx">role_ref</span> <span class="p">{</span> <span class="nx">api_group</span> <span class="p">=</span> <span class="s2">"rbac.authorization.k8s.io"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"ClusterRole"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cluster-admin"</span> <span class="p">}</span> <span class="nx">subject</span> <span class="p">{</span> <span class="nx">api_group</span> <span class="p">=</span> <span class="s2">"rbac.authorization.k8s.io"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Group"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tfc_organization_name</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">""</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbb3mjc8t2tk2wtgdqgdz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbb3mjc8t2tk2wtgdqgdz.png" alt="Role bindings" width="800" height="200"></a></p> <h3> 2. <a href="https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration#configure-hcp-terraform" rel="noopener noreferrer">Configure HCP Terraform</a> </h3> <h4> Required Environment Variables </h4> <p>HCP Terraform will require these two environment variables to enable kubernetes dynamic credentials</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Variable</th> <th>Value</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>TFC_KUBERNETES_PROVIDER_AUTH TFC_KUBERNETES_PROVIDER_AUTH[_TAG]</td> <td>true</td> <td>Must be present and set to true, or HCP Terraform will not attempt to authenticate to Kubernetes.</td> </tr> <tr> <td>TFC_KUBERNETES_WORKLOAD_IDENTITY_AUDIENCE TFC_KUBERNETES_WORKLOAD_IDENTITY_AUDIENCE[_TAG] TFC_DEFAULT_KUBERNETES_WORKLOAD_IDENTITY_AUDIENCE</td> <td>The audience name in your cluster's OIDC configuration, such as kubernetes.</td> <td></td> </tr> </tbody> </table></div> <p>You can set these as workspace variables, or if you’d like to share one Kubernetes role across multiple workspaces, you can use a variable set. </p> <h3> 3. <a href="https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/kubernetes-configuration#configure-the-provider" rel="noopener noreferrer">Configure the provider</a> </h3> <p>HCP Terraform will assign the <code>tfc_kubernetes_dynamic_credentials</code> variable the kubeconfig token valid for 90 minutes.</p> <p> tfc_kubernetes_dynamic_credentials <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"tfc_kubernetes_dynamic_credentials"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Object containing Kubernetes dynamic credentials configuration"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">default</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">token_path</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">})</span> <span class="nx">aliases</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">token_path</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"kube_token"</span> <span class="p">{</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tfc_kubernetes_dynamic_credentials</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">token_path</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> </p> <p> provider configuration <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="cm">/**/</span> <span class="nx">cloud</span> <span class="p">{</span> <span class="nx">organization</span> <span class="p">=</span> <span class="s2">"&lt;organization&gt;"</span> <span class="nx">workspaces</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"terraform-stories"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"runtime-context"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="cm">/**/</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">btp</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"SAP/btp"</span> <span class="p">}</span> <span class="c1"># https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs</span> <span class="nx">kubernetes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/kubernetes"</span> <span class="p">}</span> <span class="c1"># https://registry.terraform.io/providers/alekc/kubectl/latest/docs</span> <span class="nx">kubectl</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"alekc/kubectl"</span> <span class="c1">//version = "~&gt; 2.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-url</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-ca</span><span class="p">)</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tfc_kubernetes_dynamic_credentials</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">token_path</span><span class="p">)</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubectl"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-url</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-ca</span><span class="p">)</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tfc_kubernetes_dynamic_credentials</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">token_path</span><span class="p">)</span> <span class="nx">load_config_file</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> </p> <p>One can retrieve both <code>host</code> and <code>cluster_ca_certificate</code> from the kyma cluster kubeconfig as follows:</p> <p> kyma cluster kubeconfig <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">labels</span> <span class="p">=</span> <span class="nx">btp_subaccount_environment_instance</span><span class="p">.</span><span class="nx">kyma</span><span class="p">.</span><span class="nx">labels</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"http"</span> <span class="s2">"kubeconfig"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">btp_subaccount_environment_instance</span><span class="p">.</span><span class="nx">kyma</span><span class="p">]</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">labels</span><span class="p">)[</span><span class="s2">"KubeconfigURL"</span><span class="p">]</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">postcondition</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"kind: Config"</span><span class="p">,</span><span class="nx">self</span><span class="p">.</span><span class="nx">response_body</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Invalid content of downloaded kubeconfig"</span> <span class="p">}</span> <span class="nx">postcondition</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="mi">200</span><span class="p">],</span> <span class="nx">self</span><span class="p">.</span><span class="nx">status_code</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="nx">self</span><span class="p">.</span><span class="nx">response_body</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># yaml formatted default (oid-based) kyma kubeconfig</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">kubeconfig</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">.</span><span class="nx">response_body</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">.</span><span class="nx">clusters</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">certificate-authority-data</span><span class="p">)</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">.</span><span class="nx">clusters</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">server</span> <span class="p">}</span> </code></pre> </div> </p> <p> summary <p>Let me explain the provider configuration in detail, as it's a crucial part of connecting HCP Terraform with your Kyma cluster.</p> <p>The provider configuration starts with the Terraform block that sets up the basic framework:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">cloud</span> <span class="p">{</span> <span class="nx">organization</span> <span class="p">=</span> <span class="s2">"&lt;organization&gt;"</span> <span class="nx">workspaces</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"terraform-stories"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"runtime-context"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">btp</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"SAP/btp"</span> <span class="p">}</span> <span class="nx">kubernetes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/kubernetes"</span> <span class="p">}</span> <span class="nx">kubectl</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"alekc/kubectl"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This configuration sets up three important providers: the SAP Business Technology Platform (BTP) provider, the official Kubernetes provider, and a kubectl provider for additional Kubernetes operations. The cloud block configures the Terraform Cloud workspace, which is essential for the OIDC authentication flow.</p> <p>The dynamic credentials configuration is handled through a special variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"tfc_kubernetes_dynamic_credentials"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Object containing Kubernetes dynamic credentials configuration"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">default</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">token_path</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">})</span> <span class="nx">aliases</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">token_path</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>This variable structure allows Terraform to manage the authentication tokens. The <code>token_path</code> points to where Terraform can find the temporary authentication token. The aliases map allows you to configure multiple Kubernetes contexts if needed, though in most cases you'll just use the default.</p> <p>The actual provider configurations use these credentials along with cluster information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-url</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-ca</span><span class="p">)</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tfc_kubernetes_dynamic_credentials</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">token_path</span><span class="p">)</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubectl"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-url</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">cluster-endpoint-ca</span><span class="p">)</span> <span class="nx">token</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tfc_kubernetes_dynamic_credentials</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">token_path</span><span class="p">)</span> <span class="nx">load_config_file</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>The cluster information (host and CA certificate) typically comes from the Kyma cluster's kubeconfig. You can retrieve this information using an HTTP data source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"http"</span> <span class="s2">"kubeconfig"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">btp_subaccount_environment_instance</span><span class="p">.</span><span class="nx">kyma</span><span class="p">]</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">labels</span><span class="p">)[</span><span class="s2">"KubeconfigURL"</span><span class="p">]</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">postcondition</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"kind: Config"</span><span class="p">,</span> <span class="nx">self</span><span class="p">.</span><span class="nx">response_body</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Invalid content of downloaded kubeconfig"</span> <span class="p">}</span> <span class="nx">postcondition</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="mi">200</span><span class="p">],</span> <span class="nx">self</span><span class="p">.</span><span class="nx">status_code</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="nx">self</span><span class="p">.</span><span class="nx">response_body</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">kubeconfig</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">.</span><span class="nx">response_body</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">.</span><span class="nx">clusters</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">certificate-authority-data</span><span class="p">)</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">kubeconfig</span><span class="p">.</span><span class="nx">clusters</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">server</span> <span class="p">}</span> </code></pre> </div> <p>This configuration includes several important security and reliability features:</p> <ol> <li>The dynamic token is automatically rotated by HCP Terraform (valid for 90 minutes)</li> <li>The configuration includes validation checks for the kubeconfig download</li> <li>The CA certificate is properly decoded from base64 format</li> <li>The kubectl provider has <code>load_config_file</code> set to false to ensure it uses only the provided configuration</li> </ol> <p>The combination of these providers gives you full access to both the standard Kubernetes resources (through the kubernetes provider) and custom resources or kubectl commands (through the kubectl provider), all authenticated through the secure OIDC mechanism.<br> </p> <br> </p> <h3> 4. Retrieve kyma cluster configuration </h3> <h4> Examples </h4> <p> kyma cluster shoot_info <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"kubernetes_config_map_v1"</span> <span class="s2">"shoot_info"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"shoot-info"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"kube-system"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"shoot_info"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">jsonencode</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_config_map_v1</span><span class="p">.</span><span class="nx">shoot_info</span><span class="p">.</span><span class="nx">data</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">shoot_info</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"&lt;shootName&gt;.kyma.ondemand.com"</span> <span class="nx">extensions</span> <span class="p">=</span> <span class="s2">"shoot-auditlog-service,shoot-cert-service,shoot-dns-service,shoot-lakom-service,shoot-networking-filter,shoot-networking-problemdetector,shoot-oidc-service"</span> <span class="nx">kubernetesVersion</span> <span class="p">=</span> <span class="s2">"1.30.6"</span> <span class="nx">maintenanceBegin</span> <span class="p">=</span> <span class="s2">"200000+0000"</span> <span class="nx">maintenanceEnd</span> <span class="p">=</span> <span class="s2">"000000+0000"</span> <span class="nx">nodeNetwork</span> <span class="p">=</span> <span class="s2">"10.250.0.0/16"</span> <span class="nx">nodeNetworks</span> <span class="p">=</span> <span class="s2">"10.250.0.0/16"</span> <span class="nx">podNetwork</span> <span class="p">=</span> <span class="s2">"100.64.0.0/12"</span> <span class="nx">podNetworks</span> <span class="p">=</span> <span class="s2">"100.64.0.0/12"</span> <span class="nx">projectName</span> <span class="p">=</span> <span class="s2">"kyma"</span> <span class="nx">provider</span> <span class="p">=</span> <span class="s2">"azure"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"westeurope"</span> <span class="nx">serviceNetwork</span> <span class="p">=</span> <span class="s2">"100.104.0.0/13"</span> <span class="nx">serviceNetworks</span> <span class="p">=</span> <span class="s2">"100.104.0.0/13"</span> <span class="nx">shootName</span> <span class="p">=</span> <span class="s2">"&lt;shootName&gt;"</span> <span class="p">}</span> </code></pre> </div> </p> <p> kyma cluster availability zones <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"kubernetes_nodes"</span> <span class="s2">"k8s_nodes"</span> <span class="p">{}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">k8s_nodes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">node</span> <span class="nx">in</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_nodes</span><span class="p">.</span><span class="nx">k8s_nodes</span><span class="p">.</span><span class="nx">nodes</span> <span class="err">:</span> <span class="nx">node</span><span class="p">.</span><span class="nx">metadata</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">node</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"jq_query"</span> <span class="s2">"k8s_nodes"</span> <span class="p">{</span> <span class="nx">data</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">k8s_nodes</span><span class="p">)</span> <span class="nx">query</span> <span class="p">=</span> <span class="s2">"[ .[].metadata[] | { NAME: .name, ZONE: .labels.</span><span class="se">\"</span><span class="s2">topology.kubernetes.io/zone</span><span class="se">\"</span><span class="s2">, REGION: .labels.</span><span class="se">\"</span><span class="s2">topology.kubernetes.io/region</span><span class="se">\"</span><span class="s2"> } ]"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"k8s_zones"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">jq_query</span><span class="p">.</span><span class="nx">k8s_nodes</span><span class="p">.</span><span class="nx">result</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s_zones = [ { NAME = "shoot--kyma--&lt;shootName&gt;-cpu-worker-0-z1-5759f-j6tsf" REGION = "westeurope" ZONE = "westeurope-1" }, { NAME = "shoot--kyma--&lt;shootName&gt;-cpu-worker-0-z2-76d84-br7v6" REGION = "westeurope" ZONE = "westeurope-2" }, { NAME = "shoot--kyma--&lt;shootName&gt;-cpu-worker-0-z3-5b77f-scbpv" REGION = "westeurope" ZONE = "westeurope-3" }, ] </code></pre> </div> </p> <p> kyma cluster list of modules <br> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"kubernetes_resource"</span> <span class="s2">"KymaModules"</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"operator.kyma-project.io/v1beta2"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Kyma"</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"kyma-system"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">KymaModules</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_resource</span><span class="p">.</span><span class="nx">KymaModules</span><span class="p">.</span><span class="nx">object</span><span class="p">.</span><span class="nx">status</span><span class="p">.</span><span class="nx">modules</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"jq_query"</span> <span class="s2">"KymaModules"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_resource</span><span class="p">.</span><span class="nx">KymaModules</span> <span class="p">]</span> <span class="nx">data</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">KymaModules</span><span class="p">)</span> <span class="nx">query</span> <span class="p">=</span> <span class="s2">"[ .[] | { channel, name, version, state, api: .resource.apiVersion, fqdn } ]"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"KymaModules"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">jq_query</span><span class="p">.</span><span class="nx">KymaModules</span><span class="p">.</span><span class="nx">result</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>KymaModules = [ { api = "operator.kyma-project.io/v1alpha1" channel = "regular" fqdn = "kyma-project.io/module/btp-operator" name = "btp-operator" state = "Ready" version = "1.1.18" }, { api = "operator.kyma-project.io/v1alpha1" channel = "regular" fqdn = "kyma-project.io/module/serverless" name = "serverless" state = "Ready" version = "1.5.1" }, { api = "connectivityproxy.sap.com/v1" channel = "regular" fqdn = "kyma-project.io/module/connectivity-proxy" name = "connectivity-proxy" state = "Ready" version = "1.0.4" }, { api = "operator.kyma-project.io/v1alpha1" channel = "regular" fqdn = "kyma-project.io/module/api-gateway" name = "api-gateway" state = "Ready" version = "2.10.1" }, { api = "operator.kyma-project.io/v1alpha2" channel = "regular" fqdn = "kyma-project.io/module/istio" name = "istio" state = "Ready" version = "1.11.1" }, ] </code></pre> </div> </p> quovadis terraformstories quovadiskyma