Gardener

Appearance

Configure Cloud Provider CLIs with provider-env ​

The provider-env command generates a shell script to configure cloud provider CLIs (aws, az, gcloud, openstack, aliyun, hcloud) for the currently targeted Shoot. Evaluate the generated script in your shell to export the required environment variables and perform any necessary provider CLI setup.

Basic usage ​

Generate and evaluate the script for your shell. Example for bash:

bash
eval "$(gardenctl provider-env bash)"

Alternatively, you can generate the script for other shells using subcommands: bash, zsh, fish, powershell.

The generated script:

  • Sets provider-specific environment variables for the targeted Shoot
  • Uses a temporary session directory so your default CLI configs are not modified
  • Supports --unset to clean up and log out/revoke credentials

Ensure the respective provider CLI is installed on your system. See the gardenctl provider-env help for links.

Overriding templates or adding custom providers ​

To override templates or add support for an out-of-tree provider, place a template file under the templates directory in your gardenctl home ($GCTL_HOME or $HOME/.garden). Use existing templates under pkg/env/templates/ as reference.

OpenStack: Allowed authURL patterns (required) ​

For Shoots with provider type openstack, gardenctl validates the authURL (the OpenStack Keystone authentication endpoint) from the credentials against a list of allowed patterns.
You can configure allowed patterns via the gardenctl configuration file or via command-line flags.

NOTE

  • You must configure these allowed patterns; otherwise provider-env will fail with a validation error for OpenStack.
  • There are no built-in defaults because OpenStack auth endpoints are installation-specific.

Configure via gardenctl config ​

Use the gardenctl config set-openstack-authurl command to configure allowed OpenStack auth endpoints. Example:

bash
# Set allowed authURL (replaces existing patterns)
gardenctl config set-openstack-authurl --uri-pattern https://keystone.example.com:5000/v3

# Set multiple authURLs (replaces existing patterns)
gardenctl config set-openstack-authurl \
  --uri-pattern https://keystone.example.com:5000/v3 \
  --uri-pattern https://keystone.another.com/v3

# Clear all authURL patterns
gardenctl config set-openstack-authurl --clear

Alternatively, you can manually edit the config file at ~/.garden/gardenctl-v2.yaml:

yaml
provider:
  openstack:
    allowedPatterns:
    - field: authURL
      uri: https://keystone.example.com:5000/v3

Configure via command-line flags ​

You can augment configuration with flags when running provider-env:

  • --openstack-allowed-uri-patterns allows a simplified field=uri syntax. Example:

    bash
    gardenctl provider-env bash \
  --openstack-allowed-uri-patterns="authURL=https://keystone.example.com:5000/v3"

For GCP, gardenctl uses built-in default validation patterns for standard endpoints; custom configuration via flags or config is not supported.

EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

Provider Env | Gardener is a project of the Open Component Model Community. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.

Building this site is powered by
Terms of Use|Privacy Statement|Legal Disclosure