Enhance kubeconfig to display all OIDC contexts (#1936)

* Enhance kubeconfig to display all OIDC contexts

* Start indexing from 2

* Introduce multiple contexts feature flag

* Refactor after rebase

Author: KsaweryZietara

cmd/broker/main.go

@@ -159,6 +159,8 @@ type Config struct {
 	RegionsSupportingMachineFilePath string
 
 	HapRuleFilePath string
+
+	MultipleContexts bool `envconfig:"default=false"`
 }
 
 type ProfilerConfig struct {
@@ -334,7 +336,7 @@ func main() {
 	fatalOnError(err, log)
 
 	// create kubeconfig builder
-	kcBuilder := kubeconfig.NewBuilder(kcpK8sClient, skrK8sClientProvider)
+	kcBuilder := kubeconfig.NewBuilder(kcpK8sClient, skrK8sClientProvider, cfg.MultipleContexts)
 
 	// create server
 	router := httputil.NewRouter()
@@ -459,8 +461,8 @@ func createAPI(router *httputil.Router, servicesConfig broker.ServicesConfig, cf
 			valuesProvider, logs, cfg.KymaDashboardConfig, kcBuilder, convergedCloudRegionProvider, kcpK8sClient, regionsSupportingMachine, cfg.InfrastructureManager.UseSmallerMachineTypes),
 		GetInstanceEndpoint:          broker.NewGetInstance(cfg.Broker, db.Instances(), db.Operations(), kcBuilder, logs),
 		LastOperationEndpoint:        broker.NewLastOperation(db.Operations(), db.InstancesArchived(), logs),
-		BindEndpoint:                 broker.NewBind(cfg.Broker.Binding, db, logs, clientProvider, kubeconfigProvider, publisher),
-		UnbindEndpoint:               broker.NewUnbind(logs, db, brokerBindings.NewServiceAccountBindingsManager(clientProvider, kubeconfigProvider), publisher),
+		BindEndpoint:                 broker.NewBind(cfg.Broker.Binding, db, logs, clientProvider, kubeconfigProvider, publisher, cfg.MultipleContexts),
+		UnbindEndpoint:               broker.NewUnbind(logs, db, brokerBindings.NewServiceAccountBindingsManager(clientProvider, kubeconfigProvider, cfg.MultipleContexts), publisher),
 		GetBindingEndpoint:           broker.NewGetBinding(logs, db),
 		LastBindingOperationEndpoint: broker.NewLastBindingOperation(logs),
 	}

internal/broker/bind_create.go

@@ -70,14 +70,14 @@ type Credentials struct {
 }
 
 func NewBind(cfg BindingConfig, db storage.BrokerStorage, log *slog.Logger, clientProvider broker.ClientProvider, kubeconfigProvider broker.KubeconfigProvider,
-	publisher event.Publisher) *BindEndpoint {
+	publisher event.Publisher, multipleContexts bool) *BindEndpoint {
 	return &BindEndpoint{config: cfg,
 		instancesStorage:             db.Instances(),
 		bindingsStorage:              db.Bindings(),
 		publisher:                    publisher,
 		operationsStorage:            db.Operations(),
 		log:                          log.With("service", "BindEndpoint"),
-		serviceAccountBindingManager: broker.NewServiceAccountBindingsManager(clientProvider, kubeconfigProvider),
+		serviceAccountBindingManager: broker.NewServiceAccountBindingsManager(clientProvider, kubeconfigProvider, multipleContexts),
 	}
 }
 

internal/broker/bind_create_test.go

@@ -93,7 +93,7 @@ func TestCreateBindingEndpoint_dbInsertionInCaseOfError(t *testing.T) {
 	publisher := event.NewPubSub(log)
 
 	//// api handler
-	bindEndpoint := NewBind(*bindingCfg, db, fixLogger(), &dummyProvider{}, &dummyProvider{}, publisher)
+	bindEndpoint := NewBind(*bindingCfg, db, fixLogger(), &dummyProvider{}, &dummyProvider{}, publisher, false)
 
 	// test relies on checking if got nil on kubeconfig dummyProvider but the instance got inserted either way
 	t.Run("should INSERT binding despite error on k8s api call", func(t *testing.T) {
@@ -343,7 +343,7 @@ func TestCreateSecondBindingWithTheSameIdButDifferentParams(t *testing.T) {
 
 	publisher := event.NewPubSub(log)
 
-	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher)
+	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher, false)
 	params := BindingParams{
 		ExpirationSeconds: 601,
 	}
@@ -394,7 +394,7 @@ func TestCreateSecondBindingWithTheSameIdAndParams(t *testing.T) {
 
 	publisher := event.NewPubSub(log)
 
-	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher)
+	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher, false)
 	params := BindingParams{
 		ExpirationSeconds: 600,
 	}
@@ -446,7 +446,7 @@ func TestCreateSecondBindingWithTheSameIdAndParamsForExpired(t *testing.T) {
 	// event publisher
 	publisher := event.NewPubSub(log)
 
-	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher)
+	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher, false)
 	params := BindingParams{
 		ExpirationSeconds: 600,
 	}
@@ -500,7 +500,7 @@ func TestCreateSecondBindingWithTheSameIdAndParamsForBindingInProgress(t *testin
 	// event publisher
 	publisher := event.NewPubSub(log)
 
-	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher)
+	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher, false)
 	params := BindingParams{
 		ExpirationSeconds: 600,
 	}
@@ -551,7 +551,7 @@ func TestCreateSecondBindingWithTheSameIdAndParamsNotExplicitlyDefined(t *testin
 
 	publisher := event.NewPubSub(log)
 
-	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher)
+	svc := NewBind(*bindingCfg, brokerStorage, fixLogger(), nil, nil, publisher, false)
 
 	// when
 	resp, err := svc.Bind(context.Background(), instanceID, bindingID, domain.BindDetails{}, false)
@@ -577,5 +577,5 @@ func prepareBindingEndpoint(t *testing.T, cfg BindingConfig) (*BindEndpoint, sto
 	err = db.Operations().InsertOperation(operation)
 	require.NoError(t, err)
 
-	return NewBind(cfg, db, log, k8sClientProvider, k8sClientProvider, event.NewPubSub(log)), db
+	return NewBind(cfg, db, log, k8sClientProvider, k8sClientProvider, event.NewPubSub(log), false), db
 }

internal/broker/bind_envtest_test.go

@@ -105,8 +105,8 @@ func TestCreateBinding(t *testing.T) {
 		Level: slog.LevelDebug,
 	}))
 	publisher := event.NewPubSub(log)
-	svc := NewBind(bindingCfg, db, log, skrK8sClientProvider, skrK8sClientProvider, publisher)
-	unbindSvc := NewUnbind(log, db, brokerBindings.NewServiceAccountBindingsManager(skrK8sClientProvider, skrK8sClientProvider), publisher)
+	svc := NewBind(bindingCfg, db, log, skrK8sClientProvider, skrK8sClientProvider, publisher, false)
+	unbindSvc := NewUnbind(log, db, brokerBindings.NewServiceAccountBindingsManager(skrK8sClientProvider, skrK8sClientProvider, false), publisher)
 
 	t.Run("should create a new service binding without error", func(t *testing.T) {
 		// When

internal/broker/bindings/bindings_manager.go

@@ -44,10 +44,10 @@ type ServiceAccountBindingsManager struct {
 	kubeconfigBuilder *kubeconfig.Builder
 }
 
-func NewServiceAccountBindingsManager(clientProvider ClientProvider, kubeconfigProvider KubeconfigProvider) *ServiceAccountBindingsManager {
+func NewServiceAccountBindingsManager(clientProvider ClientProvider, kubeconfigProvider KubeconfigProvider, multipleContexts bool) *ServiceAccountBindingsManager {
 	return &ServiceAccountBindingsManager{
 		clientProvider:    clientProvider,
-		kubeconfigBuilder: kubeconfig.NewBuilder(nil, kubeconfigProvider),
+		kubeconfigBuilder: kubeconfig.NewBuilder(nil, kubeconfigProvider, multipleContexts),
 	}
 }
 

internal/kubeconfig/builder.go

@@ -19,26 +19,33 @@ type Config struct {
 type Builder struct {
 	kubeconfigProvider kubeconfigProvider
 	kcpClient          client.Client
+	multipleContexts   bool
 }
 
 type kubeconfigProvider interface {
 	KubeconfigForRuntimeID(runtimeID string) ([]byte, error)
 }
 
-func NewBuilder(kcpClient client.Client, provider kubeconfigProvider) *Builder {
+func NewBuilder(kcpClient client.Client, provider kubeconfigProvider, multipleContexts bool) *Builder {
 	return &Builder{
 		kcpClient:          kcpClient,
 		kubeconfigProvider: provider,
+		multipleContexts:   multipleContexts,
 	}
 }
 
 type kubeconfigData struct {
-	ContextName   string
-	CAData        string
-	ServerURL     string
-	OIDCIssuerURL string
-	OIDCClientID  string
-	Token         string
+	ContextName string
+	CAData      string
+	ServerURL   string
+	OIDCConfigs []OIDCConfig
+	Token       string
+}
+
+type OIDCConfig struct {
+	Name      string
+	IssuerURL string
+	ClientID  string
 }
 
 func (b *Builder) BuildFromAdminKubeconfigForBinding(runtimeID string, token string) (string, error) {
@@ -64,12 +71,9 @@ func (b *Builder) BuildFromAdminKubeconfig(instance *internal.Instance, adminKub
 	if instance.RuntimeID == "" {
 		return "", fmt.Errorf("RuntimeID must not be empty")
 	}
-	issuerURL, clientID, err := b.getOidcDataFromRuntimeResource(instance.RuntimeID)
-	if err != nil {
-		return "", fmt.Errorf("while fetching oidc data: %w", err)
-	}
 
 	var kubeconfigContent []byte
+	var err error
 	if adminKubeconfig == "" {
 		kubeconfigContent, err = b.kubeconfigProvider.KubeconfigForRuntimeID(instance.RuntimeID)
 		if err != nil {
@@ -84,12 +88,16 @@ func (b *Builder) BuildFromAdminKubeconfig(instance *internal.Instance, adminKub
 		return "", fmt.Errorf("during unmarshal invocation: %w", err)
 	}
 
+	OIDCConfigs, err := b.getOidcDataFromRuntimeResource(instance.RuntimeID, kubeCfg.CurrentContext)
+	if err != nil {
+		return "", fmt.Errorf("while fetching oidc data: %w", err)
+	}
+
 	return b.parseTemplate(kubeconfigData{
-		ContextName:   kubeCfg.CurrentContext,
-		CAData:        kubeCfg.Clusters[0].Cluster.CertificateAuthorityData,
-		ServerURL:     kubeCfg.Clusters[0].Cluster.Server,
-		OIDCIssuerURL: issuerURL,
-		OIDCClientID:  clientID,
+		ContextName: kubeCfg.CurrentContext,
+		CAData:      kubeCfg.Clusters[0].Cluster.CertificateAuthorityData,
+		ServerURL:   kubeCfg.Clusters[0].Cluster.Server,
+		OIDCConfigs: OIDCConfigs,
 	}, kubeconfigTemplate)
 }
 
@@ -158,25 +166,36 @@ func (b *Builder) validKubeconfig(kc kubeconfig) error {
 	return nil
 }
 
-func (b *Builder) getOidcDataFromRuntimeResource(id string) (string, string, error) {
+func (b *Builder) getOidcDataFromRuntimeResource(id string, currentContext string) ([]OIDCConfig, error) {
 	var runtime imv1.Runtime
+	var oidcConfigs []OIDCConfig
 	err := b.kcpClient.Get(context.Background(), client.ObjectKey{Name: id, Namespace: kcpNamespace}, &runtime)
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}
-
-	oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.AdditionalOidcConfig
-	if oidcConfig == nil || len(*oidcConfig) == 0 {
-		return "", "", fmt.Errorf("runtime resource contains no OIDC config")
-	}
-
-	config := (*oidcConfig)[0]
-	if config.IssuerURL == nil || *config.IssuerURL == "" {
-		return "", "", fmt.Errorf("runtime resource contains an empty OIDC issuer URL")
+	additionalConfigs := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.AdditionalOidcConfig
+	if additionalConfigs == nil {
+		return nil, fmt.Errorf("Runtime Resource contains no additional OIDC config")
 	}
-	if config.ClientID == nil || *config.ClientID == "" {
-		return "", "", fmt.Errorf("runtime resource contains an empty OIDC client ID")
+	for i, config := range *additionalConfigs {
+		if config.IssuerURL == nil {
+			return nil, fmt.Errorf("Runtime Resource contains an empty OIDC issuer URL")
+		}
+		if config.ClientID == nil {
+			return nil, fmt.Errorf("Runtime Resource contains an empty OIDC client ID")
+		}
+		name := currentContext
+		if i > 0 {
+			name = fmt.Sprintf("%s-%d", currentContext, i+1)
+		}
+		oidcConfigs = append(oidcConfigs, OIDCConfig{
+			Name:      name,
+			IssuerURL: *config.IssuerURL,
+			ClientID:  *config.ClientID,
+		})
+		if !b.multipleContexts {
+			return oidcConfigs, nil
+		}
 	}
-
-	return *config.IssuerURL, *config.ClientID, nil
+	return oidcConfigs, nil
 }