Configuration of service account token for additional clusters

Open castelblanque opened this issue 2 years ago • 3 comments

Signed-off-by: Rafa Castelblanque [email protected]

Description of the change

This PR adds the ability to set a service token to be used by Kubeapps on additional clusters. There was the original work done by @XenoAura in #5034. Due to kubeops being removed, the work has been re-done for the new setup, hence this PR. Added tests for regression.

Benefits

Service account token applies to operations done against additional clusters.

Possible drawbacks

Security? Service account token will apply to all operations done with the configGetter, not only the ones related to namespaces.

Applicable issues

  • fixes #5033
  • related to #5034

castelblanque avatar Sep 02 '22 10:09 castelblanque

Deploy Preview for kubeapps-dev canceled.

Name Link
Latest commit 1341a35b8cae69c42143d89d968beedd75df9b64
Latest deploy log https://app.netlify.com/sites/kubeapps-dev/deploys/63174d2680c8db000aab8068

netlify[bot] avatar Sep 02 '22 10:09 netlify[bot]

Thank you @castelblanque!

ppbaena avatar Sep 02 '22 10:09 ppbaena

After taking a deeper look, it seems that the fix for this is more complex. The service account for additional clusters should only be used for listing namespaces. See comment here.

With the fix in this PR we are always applying the service token (if any) for calls to additional clusters. Switching to using this only for listing namespaces requires a change in the signature of the clientGetter function used in the plugin to handle a flag. This will allow getting the client using the service account token or the context token.

castelblanque avatar Sep 02 '22 12:09 castelblanque
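
The flag-based getter described in the last comment, as an added example that is not Kubeapps code: the service account token is chosen per call, and only the namespace-listing call site asks for it. All type and function names are hypothetical, and two behaviours are assumptions: a cluster with no service token falls back to the user's token, and a request with no user token is rejected before any token is selected.

```go
package main

import (
	"errors"
	"fmt"
)

// ClusterConfig is a hypothetical entry for an additional cluster; ServiceToken is optional.
type ClusterConfig struct{ APIServer, ServiceToken string }

// Credentials is what a client would be built from; Source is kept for audit logging.
type Credentials struct{ APIServer, BearerToken, Source string }

// ClientGetter takes an explicit flag, so using the service account token is
// a per-call decision instead of a property of the cluster.
type ClientGetter func(userToken, cluster string, useServiceAccount bool) (*Credentials, error)

// NewClientGetter builds a getter over the configured clusters.
func NewClientGetter(clusters map[string]ClusterConfig) ClientGetter {
	return func(userToken, cluster string, useServiceAccount bool) (*Credentials, error) {
		if userToken == "" { // assumption: never lend the service token to an unauthenticated request
			return nil, errors.New("no user token in request context")
		}
		cfg, ok := clusters[cluster]
		if !ok {
			return nil, fmt.Errorf("unknown cluster %q", cluster)
		}
		// Assumption: with no service token configured, use the caller's own token.
		if useServiceAccount && cfg.ServiceToken != "" {
			return &Credentials{cfg.APIServer, cfg.ServiceToken, "service-account"}, nil
		}
		return &Credentials{cfg.APIServer, userToken, "user-context"}, nil
	}
}

// ListNamespacesCreds is the only call site that passes useServiceAccount=true.
func ListNamespacesCreds(g ClientGetter, userToken, cluster string) (*Credentials, error) {
	return g(userToken, cluster, true)
}

// OtherOpCreds stands for every other operation: always the caller's identity.
func OtherOpCreds(g ClientGetter, userToken, cluster string) (*Credentials, error) {
	return g(userToken, cluster, false)
}

func main() { // constructed sample values
	g := NewClientGetter(map[string]ClusterConfig{"second": {"https://second.example.invalid", "sa-token"}})
	list, _ := ListNamespacesCreds(g, "user-token", "second")
	other, _ := OtherOpCreds(g, "user-token", "second")
	fmt.Println(list.Source, other.Source)
}
```

Keeping the flag out of the cluster configuration means a reviewer can find every use of the service token by searching for call sites that pass `true`.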