This repository has been archived by the owner on Feb 23, 2023. It is now read-only.

Controller that renders and writes the kubeconfigs with garden-login authentication provider for shoot clusters

gardener-attic/gardenlogin-controller-manager
⚠️ DEPRECATED ⚠️

As of release 2.1.0 of gardenctl-v2, this component is deprecated.

gardenlogin-controller-manager


The gardenlogin-controller-manager renders kubeconfigs for accessing Shoot clusters. Authentication to the Shoot cluster is handled transparently by the gardenlogin kubectl credential plugin; see the gardenlogin authentication flow for details. Because the rendered kubeconfigs contain no credentials (only the API server endpoint, the cluster CA and the reference the plugin needs to obtain a client certificate), the gardenlogin-controller-manager stores them in ConfigMaps rather than Secrets, under the key data.kubeconfig. The ConfigMap is named <shoot-name>.kubeconfig.

Example

Kubeconfig

A kubeconfig for Shoot clusters with spec.kubernetes.version >= v1.20.0 is rendered as shown below. In this case the shoot reference and the garden cluster identity are passed through the cluster extensions (clusters[].cluster.extensions[]) and handed to the plugin because the exec config sets provideClusterInfo: true, which kubectl supports from version v1.20.0 onwards.

# supported with kubectl version v1.20.0 onwards
apiVersion: v1
kind: Config
clusters:
- name: shoot--myproject--mycluster
  cluster:
    server: https://api.mycluster.myproject.example.com
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi4uLgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
    extensions:
    - name: client.authentication.k8s.io/exec
      extension:
        shootRef:
          namespace: garden-myproject
          name: mycluster
        gardenClusterIdentity: landscape-dev # must match with the garden cluster identity from the gardenlogin config
contexts:
- name: shoot--myproject--mycluster
  context:
    cluster: shoot--myproject--mycluster
    user: shoot--myproject--mycluster
current-context: shoot--myproject--mycluster
users:
- name: shoot--myproject--mycluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      provideClusterInfo: true
      command: kubectl
      args:
      - gardenlogin
      - get-client-certificate

Legacy Kubeconfig (kubectl versions v1.11.0 - v1.19.x)

For Shoot clusters with spec.kubernetes.version < v1.20.0, a kubeconfig like example/01-kubeconfig-legacy.yaml is rendered. In these kubeconfigs the gardenlogin plugin receives the shoot reference and the garden cluster identity as command line flags instead of via cluster extensions, which keeps kubectl versions v1.11.0 - v1.19.x supported.
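The following Go program is an added example, not code from the gardenlogin-controller-manager itself. It shows the two rendering paths described above (cluster extensions plus provideClusterInfo for Shoots >= v1.20.0, command line flags for older ones) and the check a practitioner wants before a kubeconfig is written to a ConfigMap instead of a Secret: that no user entry carries static credentials. The Shoot struct, the version parsing, the derivation of the shoot--<project>--<shoot> name from the garden namespace, and the legacy flag names (--name, --namespace, --garden-cluster-identity) are assumptions of this example; the real flags are in example/01-kubeconfig-legacy.yaml. The renderer emits JSON, which is valid YAML and which kubectl loads unchanged, so the output can be stored under data.kubeconfig as-is.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Shoot holds the inputs the renderer needs; the field names are this
// example's own, the real controller reads them from the Shoot resource.
type Shoot struct {
	Namespace, Name       string // garden namespace and shoot name
	KubernetesVersion     string // spec.kubernetes.version, e.g. "v1.21.3"
	Server, CAData        string // API server URL and base64 CA of the Shoot
	GardenClusterIdentity string // must match the gardenlogin config
}

// supportsClusterExtensions: cluster extensions + provideClusterInfo need
// kubectl >= v1.20.0, which the page ties to the Shoot's spec.kubernetes.version.
func supportsClusterExtensions(version string) (bool, error) {
	parts := strings.SplitN(strings.TrimPrefix(version, "v"), ".", 3)
	if len(parts) < 2 {
		return false, fmt.Errorf("invalid kubernetes version %q", version)
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("invalid kubernetes version %q", version)
	}
	return major > 1 || (major == 1 && minor >= 20), nil
}

// RenderKubeconfig builds the credential-free kubeconfig. It emits JSON,
// which is valid YAML and is loaded unchanged by kubectl.
func RenderKubeconfig(s Shoot) ([]byte, error) {
	modern, err := supportsClusterExtensions(s.KubernetesVersion)
	if err != nil {
		return nil, err
	}
	// shoot--<project>--<shoot>; the project is assumed to be the garden
	// namespace without its "garden-" prefix (assumption of this example).
	name := fmt.Sprintf("shoot--%s--%s", strings.TrimPrefix(s.Namespace, "garden-"), s.Name)
	cluster := map[string]interface{}{"server": s.Server, "certificate-authority-data": s.CAData}
	exec := map[string]interface{}{"apiVersion": "client.authentication.k8s.io/v1beta1", "command": "kubectl"}
	if modern {
		cluster["extensions"] = []interface{}{map[string]interface{}{
			"name": "client.authentication.k8s.io/exec",
			"extension": map[string]interface{}{
				"shootRef":              map[string]string{"namespace": s.Namespace, "name": s.Name},
				"gardenClusterIdentity": s.GardenClusterIdentity,
			},
		}}
		exec["provideClusterInfo"] = true // kubectl hands the extension data to the plugin
		exec["args"] = []string{"gardenlogin", "get-client-certificate"}
	} else {
		// Legacy (kubectl v1.11.0 - v1.19.x): pass the reference as flags.
		// The flag names are an assumption of this example; see example/01-kubeconfig-legacy.yaml.
		exec["args"] = []string{"gardenlogin", "get-client-certificate",
			"--name=" + s.Name, "--namespace=" + s.Namespace,
			"--garden-cluster-identity=" + s.GardenClusterIdentity}
	}
	cfg := map[string]interface{}{
		"apiVersion":      "v1",
		"kind":            "Config",
		"clusters":        []interface{}{map[string]interface{}{"name": name, "cluster": cluster}},
		"contexts":        []interface{}{map[string]interface{}{"name": name, "context": map[string]string{"cluster": name, "user": name}}},
		"current-context": name,
		"users":           []interface{}{map[string]interface{}{"name": name, "user": map[string]interface{}{"exec": exec}}},
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// ContainsCredentials is the guard to run before writing to a ConfigMap
// (not a Secret): true if any user entry carries static credentials.
func ContainsCredentials(kubeconfig []byte) (bool, error) {
	var cfg struct {
		Users []struct {
			User map[string]json.RawMessage `json:"user"`
		} `json:"users"`
	}
	if err := json.Unmarshal(kubeconfig, &cfg); err != nil {
		return false, err
	}
	for _, u := range cfg.Users {
		for _, k := range []string{"token", "password", "client-certificate-data", "client-key-data", "client-key", "auth-provider"} {
			if _, ok := u.User[k]; ok {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	// Constructed sample input mirroring the placeholders used on this page.
	out, err := RenderKubeconfig(Shoot{Namespace: "garden-myproject", Name: "mycluster",
		KubernetesVersion: "v1.21.3", Server: "https://api.mycluster.myproject.example.com",
		CAData: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi4uLgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t", GardenClusterIdentity: "landscape-dev"})
	if err != nil {
		panic(err)
	}
	leaks, _ := ContainsCredentials(out)
	fmt.Printf("credentials present: %v\n%s\n", leaks, out) // would become data.kubeconfig
}
```

The version check is deliberately tied to the Shoot's Kubernetes version, as the page does, because that is the only signal the controller has; a user running an older kubectl against a new Shoot still needs the legacy file, which is why the legacy variant exists at all. ContainsCredentials keys on the user entry only: the certificate-authority-data in the cluster entry is public and is expected in a ConfigMap.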
