Part of #147. Phase 2 of 5. Estimated ~4 days. Blocked by Phase 1.
Scope
- Read kubeconfig via
k8s.io/client-go/tools/clientcmd — honors $KUBECONFIG env, --kubeconfig flag, ~/.kube/config fallback
- Honor
--context flag (else use current context); --namespace flag (else use the context's default)
- Discover the tracebloc parent release in the namespace: list ConfigMaps with label
owner=helm + name pattern, OR list Helm release secrets (Helm v3 stores releases as Secrets of type helm.sh/release.v1)
- Mint an ingestor SA token via the TokenRequest API (audience: jobs-manager, expiration: 10 min)
- Fallback: if TokenRequest is denied (older clusters, restricted RBAC), look for a pre-existing
Secret of type kubernetes.io/service-account-token referencing the ingestor SA; if neither works, error with a clear remediation message
- Resolve the jobs-manager endpoint from the deployed parent chart (Service name
jobs-manager in the parent release's namespace)
- Diagnostic:
tracebloc cluster info prints discovered cluster, namespace, release name + version, jobs-manager URL, SA name, whether TokenRequest is available, and a sample token (or hash thereof) with expiration
Acceptance criteria
tracebloc cluster info works against the EKS cluster we validated this week- TokenRequest path tested against a permissive cluster
- SA-secret fallback tested against a restricted cluster (ad-hoc setup)
- Errors give actionable next steps when discovery fails (parent release not found, SA missing, etc.)
Open question (carried from epic)
The fallback strategy depends on the cluster's RBAC posture. Verify with a few real clusters before committing to either-or; might need to ship both paths with a flag.
Part of #147. Phase 2 of 5. Estimated ~4 days. Blocked by Phase 1.
Scope
k8s.io/client-go/tools/clientcmd— honors$KUBECONFIGenv,--kubeconfigflag,~/.kube/configfallback--contextflag (else use current context);--namespaceflag (else use the context's default)owner=helm+ name pattern, OR list Helm release secrets (Helm v3 stores releases as Secrets of typehelm.sh/release.v1)Secretof typekubernetes.io/service-account-tokenreferencing the ingestor SA; if neither works, error with a clear remediation messagejobs-managerin the parent release's namespace)tracebloc cluster infoprints discovered cluster, namespace, release name + version, jobs-manager URL, SA name, whether TokenRequest is available, and a sample token (or hash thereof) with expirationAcceptance criteria
tracebloc cluster infoworks against the EKS cluster we validated this weekOpen question (carried from epic)
The fallback strategy depends on the cluster's RBAC posture. Verify with a few real clusters before committing to either-or; might need to ship both paths with a flag.