Add guide for enabling Shoot trust in Garden clusters with OIDC

[theoddora]

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:
Add a guide for enabling trust between a shoot and the garden clusters with OIDC.

Which issue(s) this PR fixes:
Part of gardener/garden-shoot-trust-configurator#23

Special notes for your reviewer:
N/A

CC: @dimityrmirchev

Summary by CodeRabbit

Release Notes

• Documentation
  • Added new guide documenting how to establish OIDC-based trust between Garden and shoot clusters. Covers the complete authentication flow, setup instructions, verification procedures, and RBAC examples for identity-based access control.

[netlify]

✅ Deploy Preview for gardener-docs ready!

Name	Link
🔨 Latest commit	6280a8c
🔍 Latest deploy log	https://app.netlify.com/projects/gardener-docs/deploys/69e87f7337dc4c0008c5fa88
😎 Deploy Preview	https://deploy-preview-943--gardener-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 65 (🔴 down 7 from production) Accessibility: 97 (no change from production) Best Practices: 92 (no change from production) SEO: 98 (no change from production) PWA: 90 (no change from production) View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new operator-facing documentation guide was added describing how to establish OIDC-based trust between a Gardener “shoot” and a “garden” cluster, detailing required shoot annotations, the authentication flow, OpenID Connect discovery/JWKS, configurator behavior, verification steps, and an RBAC example. (48 words)

Changes

Cohort / File(s)

Summary

OIDC Trust Documentation website/documentation/guides/administer-shoots/garden-shoot-trust.md

Added a new guide covering end-to-end OIDC trust setup: minimal shoot annotations (authentication.gardener.cloud/issuer: managed, authentication.gardener.cloud/trusted: 'true'), advertised service-account-issuer verification, OIDC discovery/JWKS checks, token issuance and inspection, webhook authenticator validation, configurator-created OpenIDConnect resources, and an RBAC Role/RoleBinding verification example. Areas to review: correctness of annotation names/values, verification command examples, and RBAC subject formatting.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 I hopped through docs, nibbling trust and keys,
Garden and Shoot now whisper on the breeze,
Tokens hum softly, claims gleam in the night,
With JWKS and discovery, everything’s right,
A rabbit cheers: secure clusters take flight! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and concisely describes the main change: adding a guide for enabling Shoot-Garden trust with OIDC, which matches the documentation file introduced.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description follows the repository template with all required sections completed: kind is specified as 'enhancement', the purpose is clearly stated, a related issue is referenced, and special notes are provided.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@website/documentation/guides/administer-shoots/garden-shoot-trust.md`:
- Line 201: Typo in the markdown header "# Shoot cluser" should be corrected to
"# Shoot cluster": update the header text in the document (look for the string
"Shoot cluser") and change it to "Shoot cluster" so the heading is spelled
correctly.
- Line 131: Replace the misspelled word "essense" in the sentence "In essense,
this will create the following OIDC resource in the Garden cluster:" with the
correct spelling "essence" (edit the markdown text where that sentence appears).
- Around line 192-194: The fenced code block containing the claim example
"ns:<project-namespace>:shoot:<shoot-name>:<shoot-uid>:<sub-claim>" should
include a language specifier (use "text") so update the block fence from ``` to
```text to enable proper syntax highlighting and satisfy the markdown lint rule.
- Line 29: Update the incomplete sentence "Additionally, RBAC rules in the
Garden cluster that grant permissions to the shoot's service account identity
which will perform requests to the Garden cluster." to a complete sentence by
adding the modal verb "must" (e.g., "Additionally, RBAC rules in the Garden
cluster must grant permissions to the shoot's service account identity which
will perform requests to the Garden cluster.") so the phrase referencing RBAC
rules and the shoot's service account identity is grammatically correct and
clear.
- Around line 138-152: The placeholders in the YAML are inconsistent; replace
all occurrences of <shoot-id> and <project-ns> with the standardized
placeholders <shoot-uid> and <project-namespace> respectively so they match
earlier usage; specifically update the name field and the groupsPrefix and
usernamePrefix values, and ensure issuerURL still uses <shoot-uid> and any other
occurrences in the block (e.g., groupsClaim, jwks, supportedSigningAlgs
sections) reflect the unified <project-namespace> and <shoot-uid> naming.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ca01fc62-02a6-465a-9c2a-49b8e758bdcb

📥 Commits

Reviewing files that changed from the base of the PR and between 90ada9a and 37aacf3.

⛔ Files ignored due to path filters (1)

• website/documentation/guides/administer-shoots/images/garden-shoot-trust.png is excluded by !**/*.png

📒 Files selected for processing (1)

• website/documentation/guides/administer-shoots/garden-shoot-trust.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix incomplete sentence.

The sentence is grammatically incomplete. It should read: "Additionally, RBAC rules in the Garden cluster must grant permissions to the shoot's service account identity which will perform requests to the Garden cluster."

📝 Proposed fix

-Additionally, RBAC rules in the Garden cluster that grant permissions to the shoot's service account identity which will perform requests to the Garden cluster.
+Additionally, RBAC rules in the Garden cluster must grant permissions to the shoot's service account identity which will perform requests to the Garden cluster.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Additionally, RBAC rules in the Garden cluster that grant permissions to the shoot's service account identity which will perform requests to the Garden cluster.
	Additionally, RBAC rules in the Garden cluster must grant permissions to the shoot's service account identity which will perform requests to the Garden cluster.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/documentation/guides/administer-shoots/garden-shoot-trust.md` at line
29, Update the incomplete sentence "Additionally, RBAC rules in the Garden
cluster that grant permissions to the shoot's service account identity which
will perform requests to the Garden cluster." to a complete sentence by adding
the modal verb "must" (e.g., "Additionally, RBAC rules in the Garden cluster
must grant permissions to the shoot's service account identity which will
perform requests to the Garden cluster.") so the phrase referencing RBAC rules
and the shoot's service account identity is grammatically correct and clear.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Inconsistent placeholder naming.

The placeholders use both <shoot-id> and <shoot-uid> interchangeably, as well as <project-ns> and <project-namespace>. This inconsistency may confuse readers.

Consider standardizing to either <shoot-uid> and <project-namespace> throughout the document (since these match the earlier usage in line 70 where the status shows <shoot-uid>).

🔧 Proposed fix to standardize placeholders

-  name: <project-ns>--<shoot-name>--<shoot-id>
+  name: <project-namespace>--<shoot-name>--<shoot-uid>
 spec:
   audiences:
   - garden
   groupsClaim: groups
-  groupsPrefix: 'ns:<project-ns>:shoot:<shoot-name>:<shoot-id>:'
+  groupsPrefix: 'ns:<project-namespace>:shoot:<shoot-name>:<shoot-uid>:'
   issuerURL: "https://discovery.<service-account-issuer-hostname>/projects/<project-name>/shoots/<shoot-uid>/issuer"
   jwks:
     distributedClaims: true
   maxTokenExpirationSeconds: 7200
   supportedSigningAlgs:
   - RS256
   usernameClaim: sub
-  usernamePrefix: 'ns:<project-ns>:shoot:<shoot-name>:<shoot-id>:'
+  usernamePrefix: 'ns:<project-namespace>:shoot:<shoot-name>:<shoot-uid>:'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	name: <project-ns>--<shoot-name>--<shoot-id>
	spec:
	audiences:
	- garden
	groupsClaim: groups
	groupsPrefix: 'ns:<project-ns>:shoot:<shoot-name>:<shoot-id>:'
	issuerURL: "https://discovery.<service-account-issuer-hostname>/projects/<project-name>/shoots/<shoot-uid>/issuer"
	jwks:
	distributedClaims: true
	maxTokenExpirationSeconds: 7200
	supportedSigningAlgs:
	- RS256
	usernameClaim: sub
	usernamePrefix: 'ns:<project-ns>:shoot:<shoot-name>:<shoot-id>:'
	```
	name: <project-namespace>--<shoot-name>--<shoot-uid>
	spec:
	audiences:
	- garden
	groupsClaim: groups
	groupsPrefix: 'ns:<project-namespace>:shoot:<shoot-name>:<shoot-uid>:'
	issuerURL: "https://discovery.<service-account-issuer-hostname>/projects/<project-name>/shoots/<shoot-uid>/issuer"
	jwks:
	distributedClaims: true
	maxTokenExpirationSeconds: 7200
	supportedSigningAlgs:
	- RS256
	usernameClaim: sub
	usernamePrefix: 'ns:<project-namespace>:shoot:<shoot-name>:<shoot-uid>:'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/documentation/guides/administer-shoots/garden-shoot-trust.md` around
lines 138 - 152, The placeholders in the YAML are inconsistent; replace all
occurrences of <shoot-id> and <project-ns> with the standardized placeholders
<shoot-uid> and <project-namespace> respectively so they match earlier usage;
specifically update the name field and the groupsPrefix and usernamePrefix
values, and ensure issuerURL still uses <shoot-uid> and any other occurrences in
the block (e.g., groupsClaim, jwks, supportedSigningAlgs sections) reflect the
unified <project-namespace> and <shoot-uid> naming.

[n-boshnakov]

Great documentation, just some minor notes!

[n-boshnakov]

When using Gardener specific terminology, it's best to stick to the Gardener glossary. As an example:
Garden API server -> should be Gardener API server
Garden cluster -> should be garden cluster

Could you please update the terms used throughout the topic?

[n-boshnakov]

Suggested change

	To have the Garden cluster trust this shoot's issuer, add the trusted annotation:
	To have the Garden cluster trust this shoot's issuer, add the `trusted` annotation:

[n-boshnakov]

Suggested change

	The authentication flow, when a request is made is:
	When a request is made, the authentication flow is:

[n-boshnakov]

Thank you for the changes!

Are you waiting for another reviewer or can the PR be merged?

/lgtm

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: n-boshnakov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [n-boshnakov]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gardener-prow]

LGTM label has been added.

Details

Git tree hash: f3d1d255d1e488732bb3c6ba362aeb0644d2bfaa

[theoddora]

Thank you for the review and suggestions @n-boshnakov !

If @dimityrmirchev or @vpnachev can also take a look? Please let me know if you find anything incorrect, I can address it in a follow-up PR.

[dimityrmirchev]

@n-boshnakov the approve function in github acts as an /approve label for prow. That combined with the /lgtm label will directly merge the PR. If you do not to directly merge it, you can use a "comment" review together with the /lgtm label (see gardener/garden-shoot-trust-configurator#111 (review) as an example).

I will take a look at this PR, however I am occupied with other work and will take some time until I have the capacity to review.

[n-boshnakov]

@n-boshnakov the approve function in github acts as an /approve label for prow. That combined with the /lgtm label will directly merge the PR. If you do not to directly merge it, you can use a "comment" review together with the /lgtm label (see gardener/garden-shoot-trust-configurator#111 (review) as an example).

I will take a look at this PR, however I am occupied with other work and will take some time until I have the capacity to review.

Thank you, I'll use the comment option from now on.

[vpnachev]

Overall looks very nice, I have just some minor comments.

[vpnachev]

Authorization decisions are then handled by RBAC in the garden cluster.

Actually, it is not necessary the authorization to be handled by RBAC, it could be a webhook or some other plugin. I would change this sentence to be more inclusive/open towards other authorizers or remove it.

[vpnachev]

authentication.gardener.cloud/trusted requires the gardener installation to have oidc extension and the trust-configurator installed, right?

[theoddora]

Correct. I have briefly mentioned below that

The following components help to enable this feature in the garden cluster:
oidc-webhook-authenticator
garden-shoot-trust-configurator

Not sure if I should explicitly outline a sample gardener setup with garden extensions shoot-oidc-service and garden-shoot-trust-configurator and also the discovery server. What do you think?

[vpnachev]

Gardener operator deploys the discovery server unless it is disabled, i.e. when Garden.Spec.VirtualCluster.Gardener.DiscoveryServer=nil. I think you can add a Prerequisite subsection between Overview and How It Works, it will need a clarification that the prerequisites are fulfilled by the Garden admins, end-users are not expected to control enablement of the discovery server, oidc extension and shoot-trust configurator, so - they will have to check with their admin.

[vpnachev]

Suggested change

	Additionally, RBAC rules in the garden cluster should grant permissions to the shoot's service account identity which will perform requests to the garden cluster.
	Additionally, authorization in the garden cluster should be configured to grant permissions to the shoot's service account identity which will perform requests to the garden cluster.

[vpnachev]

If you can, remove the authorization part from the diagram.

[vpnachev]

configures the shoot API server to sign service account tokens with a managed key pair

I think this is always the case, not only when the managed issuer is enabled, so maybe it can be removed (cc @dimityrmirchev for opinion)

[vpnachev]

If I am not mistaken, usually commands are prefixed with some prompt symbol to distinguish them from the command output.

Suggested change

	curl https://discovery.<domain>/projects/<project-name>/shoots/<shoot-uid>/issuer/.well-known/openid-configuration | jq .
	$ curl https://discovery.<domain>/projects/<project-name>/shoots/<shoot-uid>/issuer/.well-known/openid-configuration | jq .

[vpnachev]

discovery.<domain> vs discovery.<service-account-issuer-hostname>, this will need to be unified accrross the document.

[vpnachev]

Suggested change

	Authentication (token verification) is now handled automatically, but the authenticated identity has no permissions by default. You must create RBAC rules in the garden cluster to authorize the requested actions.
	Authentication (token verification) is now handled automatically, but the authenticated identity has very restricted permissions by default, i.e. those available via the `system:authenticated` group. You must create RBAC rules, or configure any other authorizer that is in place, in the garden cluster to authorize the requested actions.

[vpnachev]

For completeness, add the group prefix (even though it is available above).

[vpnachev]

Suggested change

	curl -k -H "Authorization: Bearer $TOKEN" \
	curl -H "Authorization: Bearer $TOKEN" \

[theoddora]

Thank you @vpnachev and @dimityrmirchev for reviewing and providing suggestions - I have addressed the comments in a follow-up PR: #944