diff --git a/docs/commands/rhoas_cluster_connect.adoc b/docs/commands/rhoas_cluster_connect.adoc index 0cf588b76..750c69ccc 100644 --- a/docs/commands/rhoas_cluster_connect.adoc +++ b/docs/commands/rhoas_cluster_connect.adoc @@ -27,6 +27,10 @@ For example for Kafka service you should execute the following command to grant $ rhoas kafka acl grant-access --producer --consumer --service-account your-sa --topic all --group all +Similarly for service registry you should execute the following command: + + $ rhoas service-registry role add --role=DEVELOPER --service-account your-sa + .... diff --git a/pkg/cluster/connect.go b/pkg/cluster/connect.go index fa58b5f41..72030e672 100644 --- a/pkg/cluster/connect.go +++ b/pkg/cluster/connect.go @@ -89,11 +89,15 @@ func (api *KubernetesClusterAPIImpl) ExecuteConnect(connectOpts *v1alpha.Connect return kubeclient.TranslatedKubernetesErrors(api.CommandEnvironment, err) } - err = api.createServiceAccountSecretIfNeeded(currentNamespace) + clientID, err := api.createServiceAccountSecretIfNeeded(currentNamespace) if err != nil { return kubeclient.TranslatedKubernetesErrors(api.CommandEnvironment, err) } + if clientID != "" { + currentService.PrintAccessCommands(clientID) + } + err = api.createCustomResource(serviceDetails, currentNamespace) if err != nil { return kubeclient.TranslatedKubernetesErrors(api.CommandEnvironment, err) @@ -181,7 +185,7 @@ func (c *KubernetesClusterAPIImpl) createTokenSecretIfNeeded(namespace string, a } // createSecret creates a new secret to store the SASL/PLAIN credentials from the service account -func (c *KubernetesClusterAPIImpl) createServiceAccountSecretIfNeeded(namespace string) error { +func (c *KubernetesClusterAPIImpl) createServiceAccountSecretIfNeeded(namespace string) (string, error) { cliOpts := c.CommandEnvironment kClients := c.KubernetesClients ctx := cliOpts.Context @@ -189,12 +193,12 @@ func (c *KubernetesClusterAPIImpl) createServiceAccountSecretIfNeeded(namespace _, err := kClients.Clientset.CoreV1().Secrets(namespace).Get(context.TODO(), constants.ServiceAccountSecretName, metav1.GetOptions{}) if err == nil { cliOpts.Logger.Info(cliOpts.Localizer.MustLocalize("cluster.kubernetes.serviceaccountsecret.log.info.exist")) - return nil + return "", nil } serviceAcct, err := c.createServiceAccount(ctx, cliOpts) if err != nil { - return err + return "", err } secret := &apiv1.Secret{ @@ -210,7 +214,7 @@ func (c *KubernetesClusterAPIImpl) createServiceAccountSecretIfNeeded(namespace createdSecret, err := kClients.Clientset.CoreV1().Secrets(namespace).Create(cliOpts.Context, secret, metav1.CreateOptions{}) if err != nil { - return fmt.Errorf("%v: %w", cliOpts.Localizer.MustLocalize("cluster.kubernetes.serviceaccountsecret.error.createError"), err) + return "", fmt.Errorf("%v: %w", cliOpts.Localizer.MustLocalize("cluster.kubernetes.serviceaccountsecret.error.createError"), err) } cliOpts.Logger.Info(icon.SuccessPrefix(), cliOpts.Localizer.MustLocalize("cluster.kubernetes.createSASecret.log.info.createSuccess", @@ -218,7 +222,7 @@ func (c *KubernetesClusterAPIImpl) createServiceAccountSecretIfNeeded(namespace localize.NewEntry("ClientID", serviceAcct.GetClientId()), )) - return nil + return serviceAcct.GetClientId(), nil } // createServiceAccount creates a service account diff --git a/pkg/cluster/services/custom_connection.go b/pkg/cluster/services/custom_connection.go index 631b30697..1612f392c 100644 --- a/pkg/cluster/services/custom_connection.go +++ b/pkg/cluster/services/custom_connection.go @@ -17,4 +17,7 @@ type RHOASKubernetesService interface { // Build Custom Resource representing desired service that should be created BuildServiceDetails(serviceName string, namespace string, ignoreConfigContext bool) (*ServiceDetails, error) + + // Print commands to be executed to grant access to the service + PrintAccessCommands(clientID string) } diff --git a/pkg/cluster/services/kafka.go b/pkg/cluster/services/kafka.go index 147d3e8cc..b8eed5477 100644 --- a/pkg/cluster/services/kafka.go +++ b/pkg/cluster/services/kafka.go @@ -6,6 +6,7 @@ import ( "github.com/redhat-developer/app-services-cli/pkg/cluster/services/resources" "github.com/redhat-developer/app-services-cli/pkg/cluster/v1alpha" "github.com/redhat-developer/app-services-cli/pkg/kafka" + "github.com/redhat-developer/app-services-cli/pkg/localize" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -78,3 +79,9 @@ func (s KafkaService) BuildServiceDetails(serviceName string, namespace string, return &serviceDetails, nil } + +// PrintAccessCommands prints command to grant service account acccess to the Kafka instance +func (s KafkaService) PrintAccessCommands(clientID string) { + cliOpts := s.CommandEnvironment + cliOpts.Logger.Info(cliOpts.Localizer.MustLocalize("cluster.kubernetes.printKafkaAccessCommands", localize.NewEntry("ClientID", clientID))) +} diff --git a/pkg/cluster/services/service-registry.go b/pkg/cluster/services/service-registry.go index 083cb53cd..5464b1a7c 100644 --- a/pkg/cluster/services/service-registry.go +++ b/pkg/cluster/services/service-registry.go @@ -5,6 +5,7 @@ import ( "github.com/redhat-developer/app-services-cli/pkg/cluster/kubeclient" "github.com/redhat-developer/app-services-cli/pkg/cluster/services/resources" "github.com/redhat-developer/app-services-cli/pkg/cluster/v1alpha" + "github.com/redhat-developer/app-services-cli/pkg/localize" "github.com/redhat-developer/app-services-cli/pkg/serviceregistry" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -79,3 +80,9 @@ func (s RegistryService) BuildServiceDetails(serviceName string, namespace strin return &serviceDetails, nil } + +// PrintAccessCommands prints command to assign service account roles in the service registry instance +func (s RegistryService) PrintAccessCommands(clientID string) { + cliOpts := s.CommandEnvironment + cliOpts.Logger.Info(cliOpts.Localizer.MustLocalize("cluster.kubernetes.printRegistryAccessCommands", localize.NewEntry("ClientID", clientID))) +} diff --git a/pkg/localize/locales/en/cmd/cluster.en.toml b/pkg/localize/locales/en/cmd/cluster.en.toml index a5e21f485..e5c52c0f5 100644 --- a/pkg/localize/locales/en/cmd/cluster.en.toml +++ b/pkg/localize/locales/en/cmd/cluster.en.toml @@ -168,6 +168,10 @@ For example for Kafka service you should execute the following command to grant $ rhoas kafka acl grant-access --producer --consumer --service-account your-sa --topic all --group all +Similarly for service registry you should execute the following command: + + $ rhoas service-registry role add --role=DEVELOPER --service-account your-sa + ''' [cluster.connect.cmd.example] @@ -301,11 +305,21 @@ Client ID: {{.ClientID}} Make a copy of the client ID to store in a safe place. Credentials won't appear again after closing the terminal. You will need to assign permissions to service account in order to use it. -For example for Kafka service you should execute the following command to grant access to the service account: +''' + +[cluster.kubernetes.printKafkaAccessCommands] +one = ''' +You need to separately grant service account access to Kafka by issuing following command $ rhoas kafka acl grant-access --producer --consumer --service-account {{.ClientID}} --topic all --group all ''' - + +[cluster.kubernetes.printRegistryAccessCommands] +one = ''' +You might need to assign non-readonly roles for the service account based on the use case (READ_ONLY by default): + + $ rhoas service-registry role add --role=DEVELOPER --service-account {{.ClientID}} +''' [cluster.kubernetes.createTokenSecret.log.info.createFailed] one = 'Creation of the "{{.Name}}" secret failed:'