Gardener Discovery Server

A server which provides public metadata for Gardener resources

A server that serves public metadata about Gardener resources, such as the OIDC discovery documents and JWKS of shoot clusters and the discovery document of the Gardener Workload Identity issuer.

Development

As a prerequisite, you need a Garden cluster up and running. The easiest way to get started is to follow the Getting Started Locally Guide, which explains how to set up Gardener for local development.

Once the Garden cluster is up and running, export the path to its kubeconfig in the KUBECONFIG environment variable.

export KUBECONFIG=/path-to/garden-kubeconfig

You should be able to start the discovery server with the following command.

make start

Alternatively, you can deploy the discovery server into the local cluster with the following command.

make server-up

Gardener Discovery Server API

The Gardener Discovery Server currently handles the following operations:

Garden Operations

Retrieve the OpenID Configuration of the Workload Identity Issuer of the Garden cluster

Request

GET /garden/workload-identity/issuer/.well-known/openid-configuration

Response

{
  "issuer": "https://local.gardener.cloud/garden/workload-identity/issuer",
  "jwks_uri": "https://local.gardener.cloud/garden/workload-identity/issuer/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ]
}

Retrieve the JWKS of the Workload Identity Issuer of the Garden cluster

Request

GET /garden/workload-identity/issuer/jwks

Response

{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "AvI...vWZ4",
      "alg": "RS256",
      "n": "1X1fsFJluuanoKq6c_...TUsX5bTv6c_c1xoqayFQc",
      "e": "AQAB"
    }
  ]
}

Shoot Operations

Retrieve the OpenID Configuration of a Shoot cluster

Request

GET /projects/{projectName}/shoots/{shootUID}/issuer/.well-known/openid-configuration

Response

{
  "issuer": "https://local.gardener.cloud/projects/local/shoots/7b4ed380-2eea-4cf5-87d9-fd220727bb54/issuer",
  "jwks_uri": "https://local.gardener.cloud/projects/local/shoots/7b4ed380-2eea-4cf5-87d9-fd220727bb54/issuer/jwks",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ]
}

Retrieve the JWKS of a Shoot cluster

Request

GET /projects/{projectName}/shoots/{shootUID}/issuer/jwks

Response

{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "AvI...vWZ4",
      "alg": "RS256",
      "n": "1X1fsFJluuanoKq6c_...TUsX5bTv6c_c1xoqayFQc",
      "e": "AQAB"
    }
  ]
}
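The discovery documents above and the JWKS they point to are consumed the same way by a relying party whether the issuer is the Garden Workload Identity issuer or a shoot. The following Go program is an added example and not part of the discovery server's code. It applies the issuer check from OpenID Connect Discovery 1.0 (the issuer value must equal the URL the document was fetched from without the /.well-known/openid-configuration suffix), requires jwks_uri to sit under the issuer (an assumption stricter than the spec, chosen because it is the layout the responses above show), pins the signature algorithm to RS256 regardless of what a token header claims, and selects the verification key by kid. Because it must run offline, the server is replaced by Sample(), which generates a throwaway RSA key, a JWKS in the shape shown above and a token signed with it; the issuer hostname is the local.gardener.cloud one from the sample responses, and the kid and subject are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

const issuer = "https://local.gardener.cloud/garden/workload-identity/issuer" // as in the response above
var b64 = base64.RawURLEncoding

// Discovery is the subset of the OpenID configuration a relying party acts on.
type Discovery struct {
	Issuer  string   `json:"issuer"`
	JWKSURI string   `json:"jwks_uri"`
	Algs    []string `json:"id_token_signing_alg_values_supported"`
}

// CheckDiscovery applies the issuer check of OpenID Connect Discovery 1.0 section 4.3 and,
// stricter than the spec but matching the layout above, requires jwks_uri under the issuer and RS256 only.
func CheckDiscovery(fetchedFrom string, doc []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	if d.Issuer+"/.well-known/openid-configuration" != fetchedFrom {
		return nil, fmt.Errorf("issuer %q does not match discovery URL %q", d.Issuer, fetchedFrom)
	}
	if !strings.HasPrefix(d.JWKSURI, d.Issuer+"/") || len(d.Algs) != 1 || d.Algs[0] != "RS256" {
		return nil, fmt.Errorf("jwks_uri %q or algs %v not acceptable for issuer %q", d.JWKSURI, d.Algs, d.Issuer)
	}
	return &d, nil
}

// VerifyToken verifies a compact JWS against the JWKS and returns its claims. The accepted
// algorithm is fixed by policy, not read from the header, so "alg":"none" or HMAC headers are refused.
func VerifyToken(token string, jwks []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part compact JWS")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or refused alg %q", hdr.Alg)
	}
	var set struct{ Keys []struct{ Use, Kty, Kid, Alg, N, E string } }
	if err := json.Unmarshal(jwks, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid || k.Kty != "RSA" || k.Use != "sig" || k.Alg != "RS256" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		key := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		if errN != nil || errE != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
			return nil, fmt.Errorf("key %q malformed or signature invalid", k.Kid)
		}
		var claims map[string]interface{}
		err := json.Unmarshal(payload, &claims)
		return claims, err
	}
	return nil, fmt.Errorf("no RS256 signing key with kid %q", hdr.Kid)
}

// Sample stands in for a live server: a fresh key, a JWKS shaped like the response
// above, and a token signed with it. Key, kid and subject are constructed fixtures.
func Sample() (doc, jwks []byte, token string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	doc, _ = json.Marshal(Discovery{Issuer: issuer, JWKSURI: issuer + "/jwks", Algs: []string{"RS256"}})
	jwks, _ = json.Marshal(map[string][]map[string]string{"keys": {{"use": "sig", "kty": "RSA", "kid": "example-kid",
		"alg": "RS256", "n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	hdr := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"example-kid"}`))
	body := b64.EncodeToString([]byte(`{"iss":"` + issuer + `","sub":"example-subject"}`))
	digest := sha256.Sum256([]byte(hdr + "." + body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	token = hdr + "." + body + "." + b64.EncodeToString(sig)
	return
}
func main() {
	doc, jwks, token, _ := Sample()
	d, err := CheckDiscovery(issuer+"/.well-known/openid-configuration", doc)
	claims, err2 := VerifyToken(token, jwks) // callers must still bind claims["iss"] to d.Issuer and check aud/exp
	fmt.Println(d, err, claims, err2)
}
```

What the example deliberately leaves to the caller is binding the token's iss claim to the issuer of the validated discovery document and checking aud and exp. Fetching the document over plain HTTP, or accepting one whose issuer differs from the URL it came from, would let whoever can serve a document point clients at a JWKS they control.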

Retrieve the CA of a Shoot cluster

Request

GET /projects/{projectName}/shoots/{shootUID}/cluster-ca

Response

{
  "certs": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
}
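The certs value is a PEM bundle, and a client should trust exactly what it contains and nothing else. The following Go program is an added example and not part of the discovery server's code: it parses the response into an x509.CertPool, keeps every CERTIFICATE block (more than one can be present while a shoot's CA is being rotated), fails closed on non-PEM input, on a block of another type or on a certificate without the CA flag (the last is a stricter choice of this example, not something the endpoint documents), and pins a TLS client to the resulting pool. To run offline, SampleResponse() builds the response from two throwaway self-signed CAs; their names and keys are constructed fixtures.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RootPoolFromResponse parses the cluster-ca response body into a pool holding every
// CERTIFICATE block in "certs" (there can be more than one while the CA is being rotated)
// and returns the pool with the number of certificates it holds. Non-PEM input, a
// non-certificate block or a certificate that is not a CA fails closed.
func RootPoolFromResponse(body []byte) (*x509.CertPool, int, error) {
	var resp struct{ Certs string } // encoding/json matches the "certs" key case-insensitively
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, 0, err
	}
	pool, count, rest := x509.NewCertPool(), 0, []byte(resp.Certs)
	for {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, 0, fmt.Errorf("unexpected PEM block %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, err
		}
		if !cert.IsCA {
			return nil, 0, fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
		}
		pool.AddCert(cert)
		count++
	}
	if count == 0 || len(bytes.TrimSpace(rest)) > 0 {
		return nil, 0, fmt.Errorf("certs must be one or more PEM certificates and nothing else")
	}
	return pool, count, nil
}

// newCA creates a throwaway self-signed CA (a constructed fixture, not a real shoot CA)
// and returns the parsed certificate together with its PEM encoding.
func newCA(cn string) (*x509.Certificate, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), err
}

// SampleResponse stands in for GET /projects/{projectName}/shoots/{shootUID}/cluster-ca
// captured mid-rotation: the outgoing and the incoming CA concatenated in "certs".
func SampleResponse() ([]byte, []*x509.Certificate, error) {
	outgoing, outPEM, err := newCA("shoot-ca-old")
	if err != nil {
		return nil, nil, err
	}
	incoming, inPEM, err := newCA("shoot-ca-new")
	if err != nil {
		return nil, nil, err
	}
	body, err := json.Marshal(map[string]string{"certs": outPEM + inPEM})
	return body, []*x509.Certificate{outgoing, incoming}, err
}

func main() {
	body, _, _ := SampleResponse()
	pool, n, err := RootPoolFromResponse(body)
	// A client for the shoot API server pins to exactly these roots, never InsecureSkipVerify.
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	fmt.Println(n, err, cfg.RootCAs != nil)
}
```

Keeping all blocks rather than the first matters during rotation: a client that trusts only the first certificate breaks the moment the API server switches to a certificate issued by the new CA, and the usual workaround of disabling verification is exactly what this endpoint exists to avoid.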