garden-shoot-trust-configurator

Enable shoot clusters with Managed Service Account Issuer to be registered as trusted clusters in the Garden cluster. This reduces the need for manual service account token management and allows more secure, direct communication between shoots and the Garden cluster. This project is part of the Gardener ecosystem for managing Kubernetes clusters.

Development

As a prerequisite, you need to have a Garden cluster up and running. Follow Gardener's local setup guide, which explains how to set up Gardener.

Once the Garden cluster is up and running locally, we expect to have two KUBECONFIGs for:

  • Virtual Garden cluster
  • Runtime Garden cluster

GARDENER_REPO_ROOT=$(pwd)/../gardener # change this if needed

export KUBECONFIG_VIRTUAL=$GARDENER_REPO_ROOT/dev-setup/kubeconfigs/virtual-garden/kubeconfig
export KUBECONFIG_RUNTIME=$GARDENER_REPO_ROOT/dev-setup/kubeconfigs/runtime/kubeconfig

For local development, make sure to install the dependency oidc-webhook-authenticator; more details are outlined here.

Now start the garden-shoot-trust-configurator:

make start

Alternatively, you can deploy the trust-configurator in the local cluster with the following command:

make server-up

Feedback and Support

Feedback and contributions are always welcome!

Please report bugs or suggestions as GitHub issues or reach out on Slack (join the workspace here).

Learn more

Please find further resources about our project here:
