Add provision to update the CSP issuer to TCSP #793

Merged
merged 1 commit into from
Jul 17, 2024

@prkalle prkalle commented Jul 12, 2024

What this PR does / why we need it

This PR adds provision to update the CSP issuer to TCSP
Summary of changes:

  • Add provision through central configuration to update the CSP issuer from VCSP to TCSP. Also added an option in central configuration so that CLI can react to the configuration flag set in central configuration to update the issuers in the already created contexts.

Which issue(s) this PR fixes

Fixes #

Describe testing done for PR

API_TOKEN testing:

  • Log in to the TAP pre-integration org using an API token, using the below central configuration (using the VCSP as default Issuer).
#### central configuration used for testing####
cli.core.cli_recommended_versions:
- version: v1.4.0-rc.0
- version: v1.3.0
- version: v1.2.0
- version: v1.1.0
- version: v1.0.0
- version: v0.90.1
cli.core.tanzu_application_platform_scopes:
- scope: tap:viewer
- scope: tap:admin
- scope: tap:member
cli.core.tanzu_hub_metadata:
  cspProductIdentifier: "TANZU-SAAS"
  cspDisplayName: "Tanzu Platform"
  endpointProduction: https://api.mgmt.cloud.vmware.com/hub
  endpointStaging: https://api.staging-tis.symphony-dev.com/hub
  useCentralConfig: true
cli.core.tanzu_default_csp_metadata:
  issuerStaging: https://console-stg.cloud.vmware.com/csp/gateway/am/api
  issuerProduction: https://console.cloud.vmware.com/csp/gateway/am/api
cli.core.tanzu_tcsp_metadata:
  issuerStaging: https://console-stg.tanzu.broadcom.com/csp/gateway/am/api
  issuerProduction: https://console.tanzu.broadcom.com/csp/gateway/am/api
cli.core.tanzu_csp_known_issuer_endpoints:
  https://console-stg.cloud.vmware.com/csp/gateway/am/api:
     authURL: "https://console-stg.cloud.vmware.com/csp/gateway/discovery"
     tokenURL: "https://console-stg.cloud.vmware.com/csp/gateway/am/api/auth/authorize"
  https://console.cloud.vmware.com/csp/gateway/am/api:
     authURL: "https://console.cloud.vmware.com/csp/gateway/discovery"
     tokenURL: "https://console.cloud.vmware.com/csp/gateway/am/api/auth/authorize"
  https://https://console-stg.tanzu.broadcom.com/csp/gateway/am/api:
    authURL: "https://console-stg.tanzu.broadcom.com/csp/gateway/discovery"
    tokenURL: "https://console-stg.tanzu.broadcom.com/csp/gateway/am/api/auth/authorize"
  https://console.tanzu.broadcom.com/csp/gateway/am/api:
    authURL: "https://console.tanzu.broadcom.com/csp/gateway/discovery"
    tokenURL: "https://console.tanzu.broadcom.com/csp/gateway/am/api/auth/authorize"
cli.core.tanzu_cli_config_csp_issuer_update_flag: false

####

❯ ./bin/tanzu login --staging --endpoint https://api.tanzu-dev.cloud.vmware.com
[i] API token env var is set

[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context

❯ ./bin/tanzu project list
Listing projects from TAP pre-integration org

  NAME                     READY  AGE
  Sriram Test project      True   4d17h
  abhisheks2               True   4d17h
  alb-test                 True   4d17h
 [...]

❯ ./bin/tanzu context get TAP_pre-integration-staging-d03c5c97
name: TAP_pre-integration-staging-d03c5c97
target: tanzu
contextType: tanzu
globalOpts:
    endpoint: https://api.tanzu-dev.cloud.vmware.com
    auth:
        issuer: https://console-stg.cloud.vmware.com/csp/gateway/am/api
        userName: pkalle
        permissions:
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer
            - external/5b919bd9-b029-45c7-829d-1a30fad2808e/ensemble:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member
            - csp:project_admin/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj
            - csp:org_member
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin
            - csp:developer
            - csp:project_admin/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin
            - csp:org_admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member
            - external/5b919bd9-b029-45c7-829d-1a30fad2808e/instance:a8c26706-6514-4374-b825-cdb754e9faa6/ensemble:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member
        accessToken: <REDACTED>
        IDToken: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmdfMyJ9.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.UjF7QvZfDTbPxXPz_xKp7N7R1V3fxWuRkDqgaGuSFKOLBVO9y65bR8yY5hBGg8tvHmsn9s3j914tPImVrtONyl-qqXiNPeWZZuyPm3Xycd2gxOyi0gPJSJWq6dZ8oCsoNyqmU57ICuUyomOb2yc29qOW2ODcoiy5ZF1Kov-UCQlm5RMOQKR3c_imUrEj_sYS6Ul2_-wEX9VFIVt7umuCahSusrOmS86sIh2EbvBpe2SACU_rR4IhMJrEPjd1c8sjDD-t6djYVE9pe6kuY6k_C-FunllNI6gUrxTFMpxs0-nahhit_glya8JcioxSC8YWSFo2j7XgFCZvTvTdXko91Q
        refresh_token: <REDACTED>
        expiration: 2024-07-14T23:40:20.616767-07:00
        type: api-token
clusterOpts:
    endpoint: https://api.tanzu-dev.cloud.vmware.com/org/ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
    path: /Users/pkalle/.config/tanzu/kube/config
    context: tanzu-cli-TAP_pre-integration-staging-d03c5c97
additionalMetadata:
    tanzuHubEndpoint: https://api.staging-tis.symphony-dev.com/hub
    tanzuMissionControlEndpoint: https://tmc.tanzu-dev.cloud.vmware.com
    tanzuOrgID: ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
    tanzuOrgName: TAP pre-integration
  • Now verify the $HOME/.config/tanzu/.data-store.yaml file doesn't have the entry isCLIContextsUpdatedToTCSPIssuers: true. (This would be set once we set cli.core.tanzu_cli_config_csp_issuer_update_flag: true on a cutover date to update the current CLI contexts created using the old CLI version or current CLI version using the VCSP Issuer. If we set the update flag to true, the contexts' issuers would be updated to TCSP.)

Now set the cli.core.tanzu_cli_config_csp_issuer_update_flag: true in the central config file ~/.cache/tanzu/plugin_inventory/default/central_config.yaml and run any command and verify the context is updated with TCSP issuer.

# running any command would update the CLI contexts to use TCSP issuer instead of VCSP issuer. 
❯ ./bin/tanzu version
version: v1.4.0-rc.0
buildDate: 2024-07-12
sha: 6ce31e03
arch: amd64

## you can check the context globalOpts.auth.issuer is updated to TCSP issuer
❯ ./bin/tanzu context get TAP_pre-integration-staging-d03c5c97
name: TAP_pre-integration-staging-d03c5c97
target: tanzu
contextType: tanzu
globalOpts:
    endpoint: https://api.tanzu-dev.cloud.vmware.com
    auth:
        issuer: https://console-stg.tanzu.broadcom.com/csp/gateway/am/api
        userName: pkalle
        permissions:
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer
            - external/5b919bd9-b029-45c7-829d-1a30fad2808e/ensemble:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member
            - csp:project_admin/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj
            - csp:org_member
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin
            - csp:developer
            - csp:project_admin/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin
            - csp:org_admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member
            - external/5b919bd9-b029-45c7-829d-1a30fad2808e/instance:a8c26706-6514-4374-b825-cdb754e9faa6/ensemble:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member
        accessToken: <REDACTED>
        IDToken: <REDACTED>
        refresh_token: <REDACTED>
        expiration: 2024-07-14T23:40:20.616767-07:00
        type: api-token
clusterOpts:
    endpoint: https://api.tanzu-dev.cloud.vmware.com/org/ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
    path: /Users/pkalle/.config/tanzu/kube/config
    context: tanzu-cli-TAP_pre-integration-staging-d03c5c97
additionalMetadata:
    tanzuHubEndpoint: https://api.staging-tis.symphony-dev.com/hub
    tanzuMissionControlEndpoint: https://tmc.tanzu-dev.cloud.vmware.com
    tanzuOrgID: ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
    tanzuOrgName: TAP pre-integration

### Now running the project list should fetch the projects, but since the backend UCP is not updated to honor the tokens from TCSP it throws error. This test should be done again when UCP is updated to honor the tokens from both issuers.
❯ ./bin/tanzu project list
Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials


### However if you check the context token expiration, the token was refreshed successfully and token expiry is updated successfully (globalOpts.auth.expiration)

❯ ./bin/tanzu context get TAP_pre-integration-staging-d03c5c97
name: TAP_pre-integration-staging-d03c5c97
target: tanzu
contextType: tanzu
globalOpts:
    endpoint: https://api.tanzu-dev.cloud.vmware.com
    auth:
        issuer: https://console-stg.tanzu.broadcom.com/csp/gateway/am/api
        userName: pkalle
        permissions:
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer
            - external/5b919bd9-b029-45c7-829d-1a30fad2808e/ensemble:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member
            - csp:project_admin/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj
            - csp:org_member
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin
            - csp:developer
            - csp:project_admin/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin
            - csp:org_admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member
            - external/5b919bd9-b029-45c7-829d-1a30fad2808e/instance:a8c26706-6514-4374-b825-cdb754e9faa6/ensemble:admin
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member
            - external/5b919bd9-b029-45c7-829d-1a30fad2808e/instance:a8c26706-6514-4374-b825-cdb754e9faa6/ensemble:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:viewer
            - external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:admin
        accessToken: <REDACTED>
        IDToken: <REDACTED>
        refresh_token: <REDACTED>
        expiration: 2024-07-15T00:22:23.62953-07:00
        type: api-token
clusterOpts:
    endpoint: https://api.tanzu-dev.cloud.vmware.com/org/ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
    path: /Users/pkalle/.config/tanzu/kube/config
    context: tanzu-cli-TAP_pre-integration-staging-d03c5c97
additionalMetadata:
    tanzuHubEndpoint: https://api.staging-tis.symphony-dev.com/hub
    tanzuMissionControlEndpoint: https://tmc.tanzu-dev.cloud.vmware.com
    tanzuOrgID: ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
    tanzuOrgName: TAP pre-integration

Interactive login test

  • Updated the central config to below before running the tests
cli.core.cli_recommended_versions:
- version: v1.4.0-rc.0
- version: v1.3.0
- version: v1.2.0
- version: v1.1.0
- version: v1.0.0
- version: v0.90.1
cli.core.tanzu_application_platform_scopes:
- scope: tap:viewer
- scope: tap:admin
- scope: tap:member
cli.core.tanzu_hub_metadata:
  cspProductIdentifier: "TANZU-SAAS"
  cspDisplayName: "Tanzu Platform"
  endpointProduction: https://api.mgmt.cloud.vmware.com/hub
  endpointStaging: https://api.staging-tis.symphony-dev.com/hub
  useCentralConfig: true
cli.core.tanzu_default_csp_metadata:
  issuerStaging: https://console-stg.cloud.vmware.com/csp/gateway/am/api
  issuerProduction: https://console.cloud.vmware.com/csp/gateway/am/api
cli.core.tanzu_tcsp_metadata:
  issuerStaging: https://console-stg.tanzu.broadcom.com/csp/gateway/am/api
  issuerProduction: https://console.tanzu.broadcom.com/csp/gateway/am/api
cli.core.tanzu_csp_known_issuer_endpoints:
  https://console-stg.cloud.vmware.com/csp/gateway/am/api:
     authURL: "https://console-stg.cloud.vmware.com/csp/gateway/discovery"
     tokenURL: "https://console-stg.cloud.vmware.com/csp/gateway/am/api/auth/authorize"
  https://console.cloud.vmware.com/csp/gateway/am/api:
     authURL: "https://console.cloud.vmware.com/csp/gateway/discovery"
     tokenURL: "https://console.cloud.vmware.com/csp/gateway/am/api/auth/authorize"
  https://console-stg.tanzu.broadcom.com/csp/gateway/am/api:
    authURL: "https://console-stg.tanzu.broadcom.com/csp/gateway/discovery"
    tokenURL: "https://console-stg.tanzu.broadcom.com/csp/gateway/am/api/auth/authorize"
  https://console.tanzu.broadcom.com/csp/gateway/am/api:
    authURL: "https://console.tanzu.broadcom.com/csp/gateway/discovery"
    tokenURL: "https://console.tanzu.broadcom.com/csp/gateway/am/api/auth/authorize"
cli.core.tanzu_cli_config_csp_issuer_update_flag: true
  • Also reset the flag in ~/.config/tanzu/.data-store.yaml to isCLIContextsUpdatedToTCSPIssuers: false
  • Now use login command to login to TAP pre-integration organization using interactive login as shown below
❯ unset TANZU_API_TOKEN

❯ ./bin/tanzu context list
  NAME                                  ISACTIVE  TYPE   PROJECT  SPACE
  TAP_pre-integration-staging-d03c5c97  true      tanzu

[i] Use '--wide' to view additional columns.
❯ ./bin/tanzu context delete TAP_pre-integration-staging-d03c5c97
Deleting the context entry from the config will remove it from the list of tracked contexts. You will need to use `tanzu context create` to re-create this context. Are you sure you want to continue? [y/N]: y
[i] Deleting kubeconfig context 'tanzu-cli-TAP_pre-integration-staging-d03c5c97' from the file '/Users/pkalle/.config/tanzu/kube/config'
[ok] Successfully deleted context "TAP_pre-integration-staging-d03c5c97"
❯ tanzu config set env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5
❯ ./bin/tanzu login --staging --endpoint https://api.tanzu-dev.cloud.vmware.com
[i] This tanzu context is being created using organization ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5 as set in the tanzu configuration (to unset, use `tanzu config unset env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID`).
[i] Opening the browser window to complete the login
Log in by visiting this link:

    https://console-stg.cloud.vmware.com/csp/gateway/discovery?client_id=tanzu-cli-client-id&code_challenge=nDaWX8MbTJYsKO9_LSMldPiBVHPFQdjnoWh3wZqzkmc&code_challenge_method=S256&orgId=ae93ebb4-a249-4553-aa1e-c87c4b7f75e5&redirect_uri=http%3A%2F%2F127.0.0.1%3A56611%2Fcallback&response_type=code&state=f556c3f4ce594330b8eb42c841c748c5

    Optionally, paste your authorization code: [...]


[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context


## access the ucp project list
❯ ./bin/tanzu project list
Listing projects from TAP pre-integration org

  NAME                     READY  AGE
  Sriram Test project      True   5d4h
  abhisheks2               True   5d4h
  alb-test                 True   5d5h
  alexd-project            True   5d5h
  ank-test                 True   5d5h
[...]

### attaching the access_token obtained through interactive login for reference (you can verify the issuer `iss` is VCSP issuer)
{
  "sub": "vmware.com:30236c0a-9626-46f3-ba9f-679776686a95",
  "iss": "https://console-stg.cloud.vmware.com",
  "context_name": "ae93ebb4-a249-4553-aa1e-c87c4b7f75e5",
  "_nonce": "7da40b60-33fd-11ef-9890-2d15ad0bbfa1",
  "azp": "tanzu-cli-client-id",
  "authorization_details": [],
  "domain": "vmware.com",
  "context": "38846449-0ad5-4211-8ccf-030dc3e2b209",
  "perms": [
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member",
    "csp:org_member",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member"
  ],
  "exp": 1721067587,
  "iat": 1721065787,
  "jti": "3fb4d34d-a3d9-4a63-a9a7-a95105870744",
  "acct": "[email protected]",
  "username": "pkalle"
}
  • Now create a context using the context command (using the login command would overwrite the existing context) to create a context using the TCSP issuer by exporting the environment variable TANZU_CLI_USE_TANZU_CLOUD_SERVICE_PROVIDER, and verify both contexts work.
❯ export TANZU_CLI_USE_TANZU_CLOUD_SERVICE_PROVIDER=true

❯ ./bin/tanzu context create testTCSPIssureCtx --type tanzu --staging --endpoint https://api.tanzu-dev.cloud.vmware.com
[i] This tanzu context is being created using organization ID ae93ebb4-a249-4553-aa1e-c87c4b7f75e5 as set in the tanzu configuration (to unset, use `tanzu config unset env.TANZU_CLI_CLOUD_SERVICES_ORGANIZATION_ID`).
[i] Opening the browser window to complete the login
Log in by visiting this link:

    https://console-stg.tanzu.broadcom.com/csp/gateway/discovery?client_id=tanzu-cli-client-id&code_challenge=t8H5L_8LmH9YHGdEXViGjlow_JPjaU2WMqh1SavAaxo&code_challenge_method=S256&orgId=ae93ebb4-a249-4553-aa1e-c87c4b7f75e5&redirect_uri=http%3A%2F%2F127.0.0.1%3A57089%2Fcallback&response_type=code&state=5435ae79b573b407d5445e87cc9f9f75

    Optionally, paste your authorization code: [...]


[ok] Successfully logged into 'TAP pre-integration' organization and created a tanzu context


❯ ./bin/tanzu context list
  NAME                                  ISACTIVE  TYPE   PROJECT  SPACE
  TAP_pre-integration-staging-d03c5c97  false     tanzu
  testTCSPIssureCtx                     true      tanzu

[i] Use '--wide' to view additional columns.

### As expected at the moment, since the backend is not updated to honor the token issued by the new CSP Issuer, it fails
❯ ./bin/tanzu project list
Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials

### attaching the access_token value of the testTCSPIssureCtx context (you can check the issuer `iss` is TCSP issuer)
{
  "sub": "vmware.com:30236c0a-9626-46f3-ba9f-679776686a95",
  "iss": "https://console-stg.tanzu.broadcom.com",
  "context_name": "ae93ebb4-a249-4553-aa1e-c87c4b7f75e5",
  "_nonce": "5bb05470-42d3-11ef-80b0-b13079511a9f",
  "azp": "tanzu-cli-client-id",
  "authorization_details": [],
  "domain": "vmware.com",
  "context": "38846449-0ad5-4211-8ccf-030dc3e2b209",
  "perms": [
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:developer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:viewer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:member",
    "csp:org_member",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:admin",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:viewer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:developer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/vrn/org:ae93ebb4-a249-4553-aa1e-c87c4b7f75e5/project:test-cli-proj/tap:viewer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:developer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:viewer",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:admin",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/instance:a8c26706-6514-4374-b825-cdb754e9faa6/tap:admin",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:admin",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/project:e2db6ff4-ea19-4804-a694-1ab79ce1d6bd/tap:member",
    "external/39721d32-3962-4a75-83d9-9b3dae23c39d/tap:member"
  ],
  "exp": 1721067902,
  "iat": 1721066102,
  "jti": "d8cf0762-0db1-452e-8988-329e8c6e892a",
  "acct": "[email protected]",
  "username": "pkalle"
}

  • Verified the refresh tokens are obtained from the respective issuers (issuer stored in CLI contexts) for both contexts. (You can do that by modifying the expiration time to a past time frame so that the CLI would automatically refresh it.)

  • Now verify that by updating the central config to update the CLI contexts to the new Issuer, the TAP_pre-integration-staging-d03c5c97 context created using VCSP would be updated to the new Issuer (and existing tokens are invalidated), and when we try to access the UCP plugin list it should trigger the interactive login and fetch the access token from the new issuer. (Please set cli.core.tanzu_cli_config_csp_issuer_update_flag: true in "~/.cache/tanzu/plugin_inventory/default/central_config.yaml" so that the CLI would update the issuer to the new issuer URL and deactivate the interactive login tokens.)

### by running any command the CLI contexts are updated
❯ ./bin/tanzu version
version: v1.4.0-rc.0
buildDate: 2024-07-12
sha: 6ce31e03
arch: amd64

❯ ./bin/tanzu context list
  NAME                                  ISACTIVE  TYPE   PROJECT  SPACE
  TAP_pre-integration-staging-d03c5c97  true      tanzu
  testTCSPIssureCtx                     false     tanzu

[i] Use '--wide' to view additional columns.

### Now if you try to access the UCP, it would retrigger the interactive login (old tokens are invalidated) with the new issuer (you can check the login link in the command output pointing to the new TCSP Issuer). Though the login was successful, since the backend is not updated to honor the new Issuer, the "tanzu project list" command fails, which is expected.

❯ ./bin/tanzu project list
[i] Opening the browser window to complete the login
Log in by visiting this link:

    https://console-stg.tanzu.broadcom.com/csp/gateway/discovery?client_id=tanzu-cli-client-id&code_challenge=2_iaiJj55Zagp21CfYCMjJeddWyAv7Si_FD0AD9AXHI&code_challenge_method=S256&orgId=ae93ebb4-a249-4553-aa1e-c87c4b7f75e5&redirect_uri=http%3A%2F%2F127.0.0.1%3A58430%2Fcallback&response_type=code&state=aaa4bb878a9553f2b35190bc78026a56

    Optionally, paste your authorization code: [...]

Error: failed to get API group resources: unable to retrieve the complete list of server APIs: ucp.tanzu.vmware.com/v1: the server has asked for the client to provide credentials

Release note

Add support to update the CSP issuer to TCSP

Additional information

Special notes for your reviewer
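
The manual check used throughout the description above (read `globalOpts.auth.issuer` from the context, then confirm the `iss` claim of the access token) can be scripted. The following Go program is an added example, not code from this PR or from tanzu-cli: `issuerFamily`, `tokenIssuer`, `checkContext` and `sampleToken` are hypothetical names, the tokens are constructed and unsigned, and no signature verification is performed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// issuerFamily classifies an issuer URL by host. Only the staging and
// production hosts quoted in the PR description are recognised.
func issuerFamily(issuer string) string {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" {
		return "unknown"
	}
	switch u.Hostname() {
	case "console-stg.cloud.vmware.com", "console.cloud.vmware.com":
		return "VCSP"
	case "console-stg.tanzu.broadcom.com", "console.tanzu.broadcom.com":
		return "TCSP"
	}
	return "unknown"
}

// tokenIssuer reads the iss claim from a JWT payload. It does NOT verify the
// signature, so the result is for consistency checks, never for authorization.
func tokenIssuer(jwt string) (string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", errors.New("not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", fmt.Errorf("payload is not JSON: %w", err)
	}
	if claims.Iss == "" {
		return "", errors.New("token has no iss claim")
	}
	return claims.Iss, nil
}

// checkContext (hypothetical helper) reports whether the token stored in a
// context was minted by the issuer that the context records. In the outputs
// above, iss carries only scheme and host, so those are what is compared.
func checkContext(ctxIssuer, accessToken string) error {
	if issuerFamily(ctxIssuer) == "unknown" {
		return fmt.Errorf("context issuer %q is not a known CSP issuer", ctxIssuer)
	}
	iss, err := tokenIssuer(accessToken)
	if err != nil {
		return err
	}
	ctxURL, _ := url.Parse(ctxIssuer) // parsed successfully in issuerFamily
	issURL, err := url.Parse(iss)
	if err != nil || issURL.Scheme != ctxURL.Scheme || issURL.Host != ctxURL.Host {
		return fmt.Errorf("token iss %q does not match context issuer %q", iss, ctxIssuer)
	}
	return nil
}

// sampleToken builds a constructed, unsigned token carrying only an iss claim.
func sampleToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(map[string]string{"iss": iss})
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(payload) + ".c2ln"
}

func main() {
	vcsp := "https://console-stg.cloud.vmware.com/csp/gateway/am/api"
	tcsp := "https://console-stg.tanzu.broadcom.com/csp/gateway/am/api"
	stale := sampleToken("https://console-stg.cloud.vmware.com")
	fmt.Println("before update:", checkContext(vcsp, stale))
	fmt.Println("after update, old token:", checkContext(tcsp, stale))
	fmt.Println("duplicated scheme:",
		issuerFamily("https://https://console-stg.tanzu.broadcom.com/csp/gateway/am/api"))
}
```

A context whose issuer was switched to TCSP while it still holds a VCSP-issued token is reported as a mismatch, which is the state the description calls "existing tokens are invalidated"; an issuer key with a duplicated `https://` scheme parses with host `https` and is classified as unknown.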

@prkalle prkalle force-pushed the feat/tcsp_issuer branch 2 times, most recently from 4b65a11 to ff3fc60 Compare July 15, 2024 05:47
@prkalle prkalle marked this pull request as ready for review July 16, 2024 19:00
@prkalle prkalle requested a review from a team as a code owner July 16, 2024 19:00
@anujc25 anujc25 left a comment

Awesome work. This will be really useful once the backend is ready to switch to TCSP. Just one minor comment but otherwise LGTM.

}
// if all the contexts are updated successfully, update the flag in the data store
if updateSuccess {
_ = datastore.SetDataStoreValue(isCLIContextsUpdatedToTCSPIssuers, &updateSuccess)
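
Review bot: the return value of datastore.SetDataStoreValue is discarded with `_ =` inside the `if updateSuccess` block, so a failed write to the data store goes unnoticed. If isCLIContextsUpdatedToTCSPIssuers is not persisted, the flag stays unset even though the contexts were already changed; consider checking the result and logging or returning the failure instead of dropping it.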

Should we show a log message to the user that all the contexts have been migrated to TCSP and tokens have been invalidated? That way, users might not be surprised when the interactive login happens again and it points to a new location.

Contributor Author

Good point. Adding the log is useful to inform user about the changes. I updated the PR with the new log message as shown below. Thanks

The CLI contexts have been updated to use the Tanzu CSP issuer. Any existing tokens obtained through interactive login are now invalid and CLI will automatically obtain a new token through interactive login using the new Tanzu CSP issuer

@prkalle prkalle force-pushed the feat/tcsp_issuer branch from ff3fc60 to 002ea08 Compare July 17, 2024 20:49
- Add provision through central configuration to update the CSP issuer from VCSP to TCSP. Also added an option in central configuration so that CLI can react to the configuration flag set in central configuration to update the issuers in the already created contexts.

Signed-off-by: Prem Kumar Kalle <[email protected]>
@prkalle prkalle force-pushed the feat/tcsp_issuer branch from 002ea08 to 543c695 Compare July 17, 2024 22:23
@anujc25 anujc25 left a comment

LGTM. Thanks 🚀

@prkalle prkalle merged commit 3cdb5f8 into vmware-tanzu:main Jul 17, 2024
7 checks passed
@marckhouzam marckhouzam added this to the v1.4.0 milestone Jul 18, 2024
4 participants