Technical User Management #15

Closed
10 tasks
gardener-robot-ci-1 opened this issue Jan 27, 2018 · 0 comments
Labels: component/dashboard (Gardener Dashboard), kind/enhancement (Enhancement, improvement, extension)

gardener-robot-ci-1 commented Jan 27, 2018

Story

  • As a programmatic Gardener consumer I want a technical user, so that I can manage my cluster without the use of the dashboard (create or delete them).

Motivation

Our current IdP SAML-based authentication solution works only from the dashboard. There are limitations to expand that to technical users and programmatic access.

Acceptance Criteria

  • In the members area of the Gardener dashboard we should offer the possibility to create a technical user (API user). This could be done as an additional tab in the "assign user to project" popup.
  • After adding the technical user as a member, a download icon should appear (next to the delete icon), which allows him to download a kubeconfig file. This kubeconfig file includes a valid token and allows the user to create shoot clusters via kubectl.
  • After the end user has added the technical user, the following things happen in the background:
    • A ServiceAccount with the same name as the technical user is created.
    • The ServiceAccount is added to the RoleBinding 'garden-project-members' to have the same restricted permissions as all other members.
    • A kubeconfig file is created with a valid token. The token can be retrieved from a secret, which is automatically created when you create a ServiceAccount.

Note: Scripting solution is already available internally at https://github.wdf.sap.corp/kubernetes/garden-setup/tree/master/utils (by @RaphaelVogel).

Definition of Done

  • Knowledge is distributed: Have you spread your knowledge in pair programming/code review?
  • Unit Tests are provided: Have you written automated unit tests or added manual NGPTT tickets?
  • Integration Tests are provided: Have you written automated integration tests?
  • Minimum API exposure: If you have added public API, was it really necessary/is it minimal?

@gardener-robot-ci-1 added the kind/enhancement label Jan 27, 2018
@gardener deleted a comment from gardener-robot-ci-1 Feb 11, 2018
@gardener deleted a comment from gardener-robot-ci-1 Feb 11, 2018
@gardener deleted a comment from gardener-robot-ci-1 Feb 11, 2018
@vlerenc changed the title from "Add possibility to create technical users in UI" to "Technical User Management" Feb 11, 2018
@vlerenc added the component/dashboard label Jun 27, 2018
@vlerenc added the status/accepted (Issue was accepted as something we need to work on) label Aug 5, 2018
@vlerenc closed this as completed Sep 26, 2018
@gardener-robot-ci-1 removed the status/accepted label Sep 27, 2018
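
The background steps from the acceptance criteria, as an added Python example (not code from the Gardener project or from the internal script the issue mentions): it adds the ServiceAccount to the `garden-project-members` RoleBinding and assembles a kubeconfig from the token Secret. The function names, the account `robot`, the namespace `garden-demo`, the server URL and both sample objects are constructed assumptions; Kubernetes 1.24 and later no longer create the token Secret automatically, so there it has to be created explicitly.

```python
import base64
import json

MEMBERS_BINDING = "garden-project-members"  # RoleBinding named in the issue
TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

def b64(text):
    return base64.b64encode(text.encode()).decode()

def add_member(rolebinding, sa_name, namespace):
    """Return a copy of the RoleBinding with the ServiceAccount as a subject."""
    subject = {"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}
    updated = json.loads(json.dumps(rolebinding))  # deep copy, input stays untouched
    subjects = updated["subjects"] = updated.get("subjects") or []
    if subject not in subjects:  # idempotent: never add the same member twice
        subjects.append(subject)
    return updated

def kubeconfig_from_secret(secret, server, sa_name):
    """Assemble a kubeconfig dict from the ServiceAccount's token Secret."""
    if secret.get("type") != TOKEN_TYPE:
        raise ValueError("not a ServiceAccount token secret")
    owner = secret["metadata"].get("annotations", {}).get(SA_ANNOTATION)
    if owner != sa_name:  # refuse to hand out another account's token
        raise ValueError("secret belongs to ServiceAccount %r" % owner)
    data = secret["data"]
    # Secret values are base64; kubeconfig takes the raw token, the CA stays base64.
    token = base64.b64decode(data["token"]).decode()
    namespace = base64.b64decode(data["namespace"]).decode()
    cluster = {"server": server, "certificate-authority-data": data["ca.crt"]}
    context = {"cluster": "garden", "user": sa_name, "namespace": namespace}
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": sa_name,
        "clusters": [{"name": "garden", "cluster": cluster}],
        "users": [{"name": sa_name, "user": {"token": token}}],
        "contexts": [{"name": sa_name, "context": context}],
    }

# Constructed sample objects (not real credentials), shaped like `kubectl get -o json`.
SAMPLE_BINDING = {"kind": "RoleBinding", "metadata": {"name": MEMBERS_BINDING},
                  "subjects": [{"kind": "User", "name": "alice@example.org"}]}
SAMPLE_SECRET = {"type": TOKEN_TYPE, "metadata": {"annotations": {SA_ANNOTATION: "robot"}},
                 "data": {"token": b64("constructed-token"), "ca.crt": b64("constructed-ca"),
                          "namespace": b64("garden-demo")}}

if __name__ == "__main__":
    cfg = kubeconfig_from_secret(SAMPLE_SECRET, "https://api.garden.example", "robot")
    print(json.dumps(cfg, indent=2))  # JSON is valid kubeconfig syntax
```

The token in such a Secret does not expire, so the downloaded file is a long-lived bearer credential with the full rights of a project member. Deleting the ServiceAccount invalidates it.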