Add Workload Identity Federation like the stackit terraform provider #1327

@mardonner

Problem description

Recently, I saw that the STACKIT Terraform provider added Workload Identity Federation support with examples for GitHub and Azure DevOps. Even though I haven't adopted it yet, this seems like it'd also be a useful feature for the CLI.

Part of my pipelines is a small set of kubectl commands that I execute for initial SKE cluster bootstrapping (I deliberately do not use the Kubernetes Terraform provider for that). For this, I use the STACKIT CLI to create a kubeconfig. For authentication against STACKIT, I have a service account key that I inject into the environment. If I understand correctly, with workload identity federation, I could skip explicitly providing the service account key in the pipeline.

Is this feature something that could be implemented for the CLI?

Proposed solution

Same implementation as the Terraform provider, via STACKIT_USE_OIDC="1" and STACKIT_SERVICE_ACCOUNT_EMAIL.

Currently, I do this for creating the kubeconfig:

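```bash
# (simplified)
# Exchange the service account key for a short-lived access token
export STACKIT_ACCESS_TOKEN=$(stackit auth activate-service-account --only-print-access-token --service-account-key-path "$svcAccKeyPath")
# Create the kubeconfig for the cluster using that token
stackit ske kubeconfig create "$cluster_name"
```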

With WIF, I imagine the new flow would be:

```bash
# assuming the setup in stackit portal is already done for the service account + WIF
export STACKIT_USE_OIDC="1"
export STACKIT_SERVICE_ACCOUNT_EMAIL="<svc_acc_mail>"
export STACKIT_ACCESS_TOKEN=$(stackit auth activate-service-account --only-print-access-token)
stackit ske kubeconfig create "$cluster_name"
```

Alternative solutions (optional)

Current auth method works fine for me.

Additional information

none
