Skip to content

Fix local deployment with static provider credentials #12748

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Aug 19, 2025
Merged

Fix local deployment with static provider credentials #12748

merged 5 commits into from
Aug 19, 2025

Conversation

wpross
Copy link
Contributor

@wpross wpross commented Aug 14, 2025
edited by LucaBernstein
Loading

How to categorize this PR?

/area usability
/area dev-productivity
/area documentation
/kind bug

What this PR does / why we need it:
This PR makes sure that workload identity related config files are only checked if the deployment is done using workload identity, so using DEV_SETUP_WITH_WORKLOAD_IDENTITY_SUPPORT=true make gardener-extensions-up. Some info related to required configs is added to the getting_started_locally_with_extensions.md. In addition, a bunch of links that do not work since they are pointing to files that do not originally exist in this repo are removed in this doc.

Which issue(s) this PR fixes:
Fixes #12746

Special notes for your reviewer:

Release note:

The local Gardener development setup has been restructured:

- The location of key config files has changed. In particular, `project.yaml` now has to be created at `example/provider-extensions/garden/project/base/project.yaml`.
- The deprecated `SecretBinding` resource has been removed from the local deployment. Developers should now use `CredentialsBinding` resources instead.
- The template for credentials bindings is now located at:
  - For static credentials: [`example/provider-extensions/garden/project/without-workload-identity/credentials/credentialsbindings.yaml.tmpl`](https://github.com/gardener/gardener/blob/master/example/provider-extensions/garden/project/without-workload-identity/credentials/credentialsbindings.yaml.tmpl)
  - For workload identity: [`example/provider-extensions/garden/project/with-workload-identity/credentials/credentialsbindings.yaml.tmpl`](https://github.com/gardener/gardener/blob/master/example/provider-extensions/garden/project/with-workload-identity/credentials/credentialsbindings.yaml.tmpl)
- When referencing static credentials, update your configuration to use `CredentialsBinding` referencing `Secret` objects, as shown in the new template file. The previous `secretbindings.yaml` file and template have been removed.

**Action required:**
If you use static credentials for your local setup, update your configuration to:
- Use the new location for `project.yaml`.
- Replace any usage of `secretbindings.yaml` with `credentialsbindings.yaml` as per the new template and location.
- In your shoot spec, use `spec.credentialsBindingName` instead of `spec.secretBindingName`

@gardener-prow gardener-prow bot added the area/usability Usability related label Aug 14, 2025
@gardener-prow gardener-prow bot requested review from acumino and tobschli August 14, 2025 15:06
@gardener-prow gardener-prow bot added area/documentation Documentation related kind/bug Bug labels Aug 14, 2025
@gardener-prow Gardener Prow
Copy link
Contributor

gardener-prow bot commented Aug 14, 2025

@wpross: The label(s) area/dev-producitivity cannot be applied, because the repository doesn't have them.

In response to this:

How to categorize this PR?

/area usability
/area dev-producitivity
/area documentation
/kind bug

What this PR does / why we need it:
This PR makes sure that workload identity related config files are only checked if the deployment is done using workload identity, so using DEV_SETUP_WITH_WORKLOAD_IDENTITY_SUPPORT=true make gardener-extensions-up. Some info related to required configs is added to the getting_started_locally_with_extensions.md. In addition, a bunch of links that do not work since they are pointing to files that do not originally exist in this repo are removed in this doc.

Which issue(s) this PR fixes:
Fixes #12746

Special notes for your reviewer:

Release note:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gardener-prow gardener-prow bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Aug 14, 2025
marc1404
marc1404 reviewed Aug 15, 2025
View reviewed changes
@gardener-prow gardener-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 15, 2025
vpnachev
vpnachev suggested changes Aug 18, 2025
View reviewed changes
marc1404
marc1404 reviewed Aug 18, 2025
View reviewed changes
Copy link
Member

@marc1404 marc1404 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Thanks for integrating my suggestion! 🙏

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 18, 2025
@gardener-prow Gardener Prow
Copy link
Contributor

gardener-prow bot commented Aug 18, 2025

LGTM label has been added.

Git tree hash: bce2fc14138e6aaabe9038a25725fcce9d47db30

@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Aug 18, 2025
@gardener-prow gardener-prow bot requested review from marc1404 and vpnachev August 18, 2025 16:41
@wpross
Replace SecretBinding with CredentialsBinding
33efb0e 
In addition revert removing dead links from getting_started_locally_with_extensions.md,
and fix API version of `CredentialsBinding`.
@wpross wpross force-pushed the fix-local-deployment branch from 9530641 to 33efb0e Compare August 18, 2025 16:53
vpnachev
vpnachev approved these changes Aug 19, 2025
View reviewed changes
Copy link
Member

@vpnachev vpnachev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 19, 2025
@gardener-prow Gardener Prow
Copy link
Contributor

gardener-prow bot commented Aug 19, 2025

LGTM label has been added.

Git tree hash: 6ac2bfb1136a0522d20eee3dfba23177f809d8e0

marc1404
marc1404 reviewed Aug 19, 2025
View reviewed changes
Copy link
Member

@marc1404 marc1404 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

Thanks for addressing the suggestions! 🙏

@gardener-prow Gardener Prow
Copy link
Contributor

gardener-prow bot commented Aug 19, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: marc1404, vpnachev

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 19, 2025
@gardener-prow gardener-prow bot merged commit df3b7fc into gardener:master Aug 19, 2025
19 checks passed
@wpross wpross mentioned this pull request Aug 20, 2025
Merged
Duciwuci pushed a commit to stackitcloud/gardener that referenced this pull request Sep 1, 2025
@wpross @Duciwuci
Fix local deployment with static provider credentials (gardener#12748)
5b542ef 
* Fix dead links in getting started doc

* Add info about workload identity support to getting started doc

* Fix deployment that does not use workload identity

Do not ckeck for files related to workload identity if it's not enabled.

* Add kustomize overlays for projects w/ and w/o workload identity

* Replace `SecretBinding` with `CredentialsBinding`

In addition revert removing dead links from getting_started_locally_with_extensions.md,
and fix API version of `CredentialsBinding`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marc1404 marc1404 marc1404 left review comments

@acumino acumino Awaiting requested review from acumino

@tobschli tobschli Awaiting requested review from tobschli

+1 more reviewer

@vpnachev vpnachev vpnachev approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@marc1404 marc1404

@vpnachev vpnachev

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/documentation Documentation related area/usability Usability related cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. kind/bug Bug lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Local setup with provider-extensions failing when using static provider credentials.
3 participants
@wpross @marc1404 @vpnachev