Skip to content

feat(QOV-1953): add --read-only flag to cluster kubeconfig and get-token#653

Open
Guimove wants to merge 2 commits into
mainfrom
feat/QOV-1953-read-only-kubeconfig
Open

feat(QOV-1953): add --read-only flag to cluster kubeconfig and get-token#653
Guimove wants to merge 2 commits into
mainfrom
feat/QOV-1953-read-only-kubeconfig

Conversation

@Guimove
Copy link
Copy Markdown
Contributor

@Guimove Guimove commented May 30, 2026
edited
Loading

QOV-1953

Adds --read-only (-r) flag to:

  • qovery cluster kubeconfig --cluster-id --read-only

How it works:

  • Downloads a kubeconfig whose exec plugin calls get-token --read-only. The backend will eventually generate a 1h token for the qovery-readonly SA (provisioned by the engine on every cluster via the qovery-cluster-agent Helm chart), bound to the built-in view ClusterRole.
  • Output file is named kubeconfig-readonly-.yaml.
  • The --read-only flag on cluster get-token is accepted by the CLI and reserved for when cluster-agent gRPC token generation is implemented.

No behavior change on existing commands, all callers pass readOnly=false explicitly.

Dependency: requires qovery-client-go to be regenerated after qovery-openapi-spec PR #1107 is merged. After the client is published, run go get github.com/qovery/qovery-client-go@latest && go mod tidy.

Merge order

  1. qovery-openapi-spec PR #1107 (triggers Go client regen)
  2. engine MR !2590
  3. backend MR !3560
  4. This PR (after go get)

https://qovery.atlassian.net/browse/QOV-1953

Guimove added 2 commits May 29, 2026 20:11
@Guimove
feat(QOV-1953): add --read-only flag to cluster kubeconfig and get-token
f100ac7 
- cluster kubeconfig --read-only: downloads a kubeconfig with read-only
  exec plugin (calls get-token --read-only), output file named
  kubeconfig-readonly-<id>.yaml
- cluster get-token --read-only: requests a SA-backed read-only token
  instead of an admin cloud-provider token
- All existing callers pass readOnly=false explicitly — no behavior change

CLI will compile once qovery-client-go is regenerated from the spec
(ReadOnly() method on ApiGetClusterKubeconfigRequest and
ApiGetClusterTokenByClusterIdRequest).
@Guimove
fix(QOV-1953): do not pass read_only to token endpoint (not implement…
e92bcbe 
…ed yet)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Guimove