Skip to content

feat(QOV-1953): add --read-only flag to cluster kubeconfig and get-token#653

Open
Guimove wants to merge 3 commits into
mainfrom
feat/QOV-1953-read-only-kubeconfig
Open

feat(QOV-1953): add --read-only flag to cluster kubeconfig and get-token#653
Guimove wants to merge 3 commits into
mainfrom
feat/QOV-1953-read-only-kubeconfig

Conversation

@Guimove
Copy link
Copy Markdown
Contributor

@Guimove Guimove commented May 30, 2026
edited
Loading

QOV-1953

Adds --read-only (-r) flag to:

  • qovery cluster kubeconfig --cluster-id --read-only
  • qovery cluster get-token --cluster-id --read-only

How it works:

  • cluster kubeconfig --read-only downloads a kubeconfig whose exec plugin calls get-token --read-only. The cluster-agent generates a 1h token for the qovery-readonly SA (bound to the built-in view ClusterRole, provisioned by the engine Helm chart).
  • Output file is named kubeconfig-readonly-.yaml.

No behavior change on existing commands.

Dependency: requires qovery-client-go to be regenerated after Qovery/qovery-openapi-spec#1107 is merged. Then run go get github.com/qovery/qovery-client-go@latest && go mod tidy.

Merge order

  1. feat(QOV-1953): add read_only param to kubeconfig and token endpoints qovery-openapi-spec#1107
  2. https://gitlab.com/qovery/backend/engine/-/merge_requests/2590
  3. https://gitlab.com/qovery/backend/rust-backend/-/merge_requests/639
  4. https://gitlab.com/qovery/backend/q-core/-/merge_requests/3560
  5. This PR (after go get)

https://qovery.atlassian.net/browse/QOV-1953

Guimove added 3 commits May 29, 2026 20:11
@Guimove
feat(QOV-1953): add --read-only flag to cluster kubeconfig and get-token
f100ac7 
- cluster kubeconfig --read-only: downloads a kubeconfig with read-only
  exec plugin (calls get-token --read-only), output file named
  kubeconfig-readonly-<id>.yaml
- cluster get-token --read-only: requests a SA-backed read-only token
  instead of an admin cloud-provider token
- All existing callers pass readOnly=false explicitly — no behavior change

CLI will compile once qovery-client-go is regenerated from the spec
(ReadOnly() method on ApiGetClusterKubeconfigRequest and
ApiGetClusterTokenByClusterIdRequest).
@Guimove
fix(QOV-1953): do not pass read_only to token endpoint (not implement…
e92bcbe 
…ed yet)
@Guimove
feat(QOV-1953): restore ReadOnly() call on token endpoint
4c211e2
@Guimove Guimove mentioned this pull request Jun 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erebe erebe erebe approved these changes

@fabienfleureau fabienfleureau fabienfleureau approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Guimove @erebe @fabienfleureau