Support Service Account Passthrough for CPH Creation #149

Open
gurnben opened this issue Nov 2, 2021 · 2 comments
Labels
enhancement New feature or request (Release Note New Feature)

Comments

gurnben (Member) commented Nov 2, 2021

Summary of Issue

In some scenarios - specifically using cm in CI-like scenarios including Tekton tasks - the acting user may not have permissions to create a ServiceAccount, or you may not want a ServiceAccount to be created for a one-time-use task like CI - leaking a large number of ServiceAccounts.

I would propose that we add a function to cm create cph that allows you to specify --service-account=<service-account> that queries the token for that ServiceAccount and uses it for the CPH as opposed to creating a new one.

@gurnben gurnben added the enhancement New feature or request (Release Note New Feature) label Nov 2, 2021
gurnben (Member, Author) commented Nov 2, 2021

In order to serve CI use-cases - we also need to eliminate the need for a pre-existing RBAC group - we should just take in a bare service account that the user has already created (probably explicitly for CI) and use that. That way multiple jobs that lack the shared known-cphs and related contexts can still reuse the same service account.

Specifically I'm thinking - if --service-account is specified, we need to drop the requirement for --group and use --namespace only for finding the ServiceAccount we were given.

itdove (Contributor) commented Nov 18, 2021

It should not be too difficult at first sight to add a --token or --service-account when creating the cph, as there is a method returning these: https://github.com/open-cluster-management/cm-cli/blob/ec25f840bb467c9d842f32abb50060c2932fd2ae/pkg/clusterpoolhost/clusterpoolhostcontext.go#L22
So instead of calling it, we should just use the one provided and then create the context for it as it is done here: https://github.com/open-cluster-management/cm-cli/blob/ec25f840bb467c9d842f32abb50060c2932fd2ae/pkg/clusterpoolhost/clusterpoolhostcontext.go#L32 and persist the cph with this token or SA for future use.
