Authenticating to your Providers

Some features of Garden Cloud require you to configure authentication to your clusters or—more generally—to your providers. Specifically, features such as Automatic Environment Cleanup, Workflows, and One-click Preview environment require you to be able to connect to the infrastructure where the runners need to build, deploy, and test your code.

Below you'll find our preferred ways for authenticating in the scenarios described above.

Authenticating via Environment Authentication Script

Note: this authentication method is not supported in all features. Please take a look at the support table below.

To setup an Authentication Script, please navigate to your Project Settings and click the settings icon for the environment you'll want to deploy your environment to.

In the example below, we are setting up the authentication script for the preview environment

Authenticating via Exec Provider

Note: this authentication method is not supported in all features. Please take a look at the support table below.

If you want a bit more flexibility when defining which environment needs authentication and when you need to use the same script for different environments, we suggest using an Exec Provider and set it as a dependency for the providers that need to be authenticated.

In the example below we want to authenticate to our kubernetes cluster, using the script defined in initScript.

You can read more about the exec provider here.

providers:
  - name: exec
    environments: [preview, ci] # Add your environments here

    # You can use Cloud Secrets to pass credentials to your auth script.
    initScript: "echo ${secrets.YOUR_SECRET_AUTH_KEY} > .scripts/your-auth-script.sh"
  - name: kubernetes
    [...]
    dependencies: [exec]

Authenticating via script field of the Workflow Configuration

Note: this authentication method is not supported in all features. Please take a look at the support table below.

kind: Workflow
name: run-tests
description: Run full test suite
steps:
  # You can use Cloud Secrets to pass credentials to your auth script.
  - script: "echo ${secrets.YOUR_SECRET_AUTH_KEY} > .scripts/your-auth-script.sh"
  - name: run-tests
    command: [test]

Examples of authentication scripts

Authentication varies greatly between different cloud providers, so we'd suggest you to always follow their specific docs in order to understand how to create accounts, credentials and how to authenticate to their services using those.

We have collected some common examples of an authentication script for connecting to AWS EKS and GCP GKE. Please bear in mind that your project and security configuration might be different and the script might need tweaking based on your specific conditions.

AWS EKS

This assumes your credentials (aws_access_key_id and aws_secret_access_key) are stored as secrets in Garden Cloud under the keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

#!/bin/sh

set -e

mkdir -p ~/.aws

cat <<EOT >> ~/.aws/credentials
[default]
aws_access_key_id=${secrets.AWS_ACCESS_KEY_ID}
aws_secret_access_key=${secrets.AWS_SECRET_ACCESS_KEY}
EOT

cat <<EOT >> ~/.aws/config
[default]
region=<your-aws-region>
output=json
EOT

aws eks --region <your-aws-region> update-kubeconfig --name <your-cluster-name>

GCP GKE

This assumes a GCP (service) account with access to your GKE cluster has been created, and the JSON credentials have been downloaded and stored in a secret in Garden Cloud called GCLOUD_JSON.

https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform

#!/bin/sh

set -e

gcloud_json='${secrets.GCLOUD_JSON}'

mkdir -p tmp/gcloud
cat <<EOF > tmp/gcloud/gcloud.json
$gcloud_json
EOF
gcloud auth activate-service-account --key-file=tmp/gcloud/gcloud.json
gcloud container clusters get-credentials <your-cluster-name> --zone <your-gcp-zone> --project <your-gcp-project>

rm -rf tmp/gcloud

Table of supported features vs authentication methods

We are working on enabling all authentications method for all features but until then, this is an overview of the currently supported authentication method for each feature.