## Release notes In GitLab version 16.4 we made it possible to connect to a Kubernetes cluster from a local terminal using the agent for Kubernetes and a personal access token. In the initial version, setting up the local cluster configuration required several commands and a long lived access token. In the past month we worked on streamlining and making the local setup process more secure by extending the GitLab CLI. The GitLab CLI can now list the agent connections available from a GitLab project checkout directory or the specified project, and users can set up the connection through a selected agent with a dedicated command. When `kubectl` or any other tool needs to authenticate with the cluster the GitLab CLI will generate a short-lived, restricted token for the currently logged in user. [Connect to your cluster from your terminal following the documentation](https://docs.gitlab.com/ee/user/clusters/agent/user_access.html#access-a-cluster-with-the-kubernetes-api) - FIX LINK. ## Problem to solve As a follow-up on https://gitlab.com/groups/gitlab-org/-/epics/6038+, we would like to integrate the local cluster connections with `glab`. As a Developer, in order to access the clusters I'm authorized to reach - I want to easily list the GitLab-cluster connections I can access - I want to easily update my local kubeconfig with a selected connection - I want to create a separate personal access token for cluster access <!-- What problem do we solve? Try to define the who/what/why of the opportunity as a user story. For example, "As a (who), I want (what), so I can (why/value)." --> ## Proposal The GitLab CLI (`glab`) should implement a set of commands to manage cluster agents and make it easy to integrate them into Kubernetes tooling like `kubectl` by providing commands to update kube configs and manage authentication. Commands under the `glab cluster agent` command: ### `glab cluster agent list` Shows the agents available in the project Example: ```shell glab cluster agent list -R gitlab-org/gitlab ``` ### `glab cluster agent update-kubeconfig` Updates the users kube config for the given agent. It would use `kubectl config` behind to the scenes. ```shell # Provide a token via CLI argument glab clusters update-kubeconfig --agent 1234 --token glpat-XXXX # Provide a token via stdin glab clusters update-kubeconfig --agent 1234 --token - ``` #### Next Iterations 1. Implement a authentication plugin for `kubectl`, see [docs](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) - This may either return a token configured for `glab` - or create a short-lived PrAT. ```yaml apiVersion: v1 kind: Config users: - name: my-user user: exec: apiVersion: "client.authentication.k8s.io/v1" command: "glab" args: - clusters - get-token - --agent - 1234 - --project - gitlab-org/gitlab interactiveMode: IfAvailable ``` ## Further details <!-- Include examples, use cases, benefits, goals, or any other details that will help us understand the problem better. --> ## Links / references