chore: add additional CRB for auth-delegator, allows token validation (#1145)

* chore: add additional CRB for auth-delegator, allows token validation

* chore: bump chart version

* Update to weave-gitops with token checking

* Fixes up interface change in weave-gitops

Co-authored-by: Simon Howe <[email protected]>
Co-authored-by: Simon <[email protected]>

Author: jmickey

charts/mccp/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/mccp/templates/clusters-service/token_review_crb.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: clusters-service-token-review
+    namespace: {{ .Release.Namespace | quote }}
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:auth-delegator
+subjects:
+    - kind: ServiceAccount
+      name: {{ include "mccp.serviceAccountName" . }}
+      namespace: {{ .Release.Namespace | quote }}

cmd/clusters-service/app/server.go

@@ -347,7 +347,11 @@ func StartServer(ctx context.Context, log logr.Logger, tempDir string, p Params)
 		return err
 	}
 
-	clientsFactoryScheme := kube.CreateScheme()
+	clientsFactoryScheme, err := kube.CreateScheme()
+	if err != nil {
+		return fmt.Errorf("could not create scheme: %w", err)
+	}
+
 	runtimeUtil.Must(pacv2beta1.AddToScheme(clientsFactoryScheme))
 	runtimeUtil.Must(flaggerv1beta1.AddToScheme(clientsFactoryScheme))
 	clusterClientsFactory := clustersmngr.NewClientFactory(

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.5.0
 	github.com/stretchr/testify v1.7.2
-	github.com/weaveworks/weave-gitops v0.9.1-rc.1.0.20220720151155-47b9020ad0eb
+	github.com/weaveworks/weave-gitops v0.9.1-rc.1.0.20220726110232-5aae702086e7
 	github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2
 	github.com/weaveworks/weave-gitops-enterprise/common v0.0.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -1019,8 +1019,8 @@ github.com/weaveworks/policy-agent/api v1.0.4 h1:dznn4I3+tfSniNbERFaAXOMpLsvwW+6
 github.com/weaveworks/policy-agent/api v1.0.4/go.mod h1:GbePwORMtByaPqKoD7xuY/oqdq8iagfh5R6NZS14+AA=
 github.com/weaveworks/progressive-delivery v0.0.0-20220719161717-3318c52a96f8 h1:heu/YEkVgb+YKiX1e0iuxlSNkF395DMltyoWfQ+Lq/g=
 github.com/weaveworks/progressive-delivery v0.0.0-20220719161717-3318c52a96f8/go.mod h1:DKROFoMYek6LRX/Us3W2Jb/VCjvqNduxhKz4E7hgq8c=
-github.com/weaveworks/weave-gitops v0.9.1-rc.1.0.20220720151155-47b9020ad0eb h1:Cbj/xErhzJ+Ki1ZgVWZ/qdwFc6Z+RL0CG5WG8uedNwc=
-github.com/weaveworks/weave-gitops v0.9.1-rc.1.0.20220720151155-47b9020ad0eb/go.mod h1:sJhdINlDBhO2SoRCH6h8Q0Op0qaPBUNfOptwEbqY/N0=
+github.com/weaveworks/weave-gitops v0.9.1-rc.1.0.20220726110232-5aae702086e7 h1:DguFWWfDAuxyYO12almZplmbSL0ouhPjebbpyQzA7JA=
+github.com/weaveworks/weave-gitops v0.9.1-rc.1.0.20220726110232-5aae702086e7/go.mod h1:prdoxOe8u1xjQkSx11BneBs58LGSYidSrXmNjfNEElk=
 github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2 h1:7jeiQehqmI4ds6YIq8TW1Vqhlb6V7G2BVRJ8VM3r99I=
 github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2/go.mod h1:6PMYg+VtSNePnP7EXyNG+/hNRNZ3r0mQtolIZU4s/J0=
 github.com/xanzy/go-gitlab v0.58.0 h1:Entnl8GrVDlc1jd1BlOWhNR0QVQgiO3WDom5DJbT+1s=