redhat-developer / vscode-openshift-tools

OpenShift extension for Visual Studio Code
https://marketplace.visualstudio.com/items?itemName=redhat.vscode-openshift-connector
MIT License

feat: use sso account to configure sandbox in one click #4232

Open dgolovin opened 1 week ago

dgolovin commented 1 week ago

This is my experiment in response to https://github.com/redhat-developer/vscode-openshift-tools/commit/78dd780a9103ecd8af224f07b5ea6933572a0800. It is not a complete fix, but a test.

https://github.com/redhat-developer/vscode-openshift-tools/assets/620330/e05717f5-039b-4029-9435-2317ba971a6b

codecov-commenter commented 1 week ago

Codecov Report

Attention: Patch coverage is 16.66667% with 20 lines in your changes missing coverage. Please review.

Project coverage is 43.62%. Comparing base (da60441) to head (ae581b2). Report is 315 commits behind head on main.

| Files | Patch % | Lines |
|---|---|---|
| src/openshift/cluster.ts | 19.04% | 17 Missing |
| src/webview/cluster/clusterViewLoader.ts | 0.00% | 3 Missing |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #4232       +/-   ##
===========================================
+ Coverage   32.37%   43.62%   +11.25%
===========================================
  Files          85       95       +10
  Lines        6505     7718     +1213
  Branches     1349     1647      +298
===========================================
+ Hits         2106     3367     +1261
+ Misses       4399     4351       -48
```


dgolovin commented 4 days ago

Anyone care to comment? It works. If it stops working at some point, there should be a conversation with the sandbox team.

vrubezhny commented 4 days ago

> Anyone care to comment? It works. If it stops working at some point, there should be a conversation with the sandbox team.

We have already tried using a pipeline service token to log in; it stopped working a few days before we published a release containing it. We do not expect it to really work for users... unless they have some privileged-like access to the sandbox.

Is using the service account pipeline token an officially documented and supported thing?

Anyway, I'm going to try it.

dgolovin commented 4 days ago

https://docs.openshift.com/container-platform/4.8/authentication/understanding-and-creating-service-accounts.html

If you don't like the pipeline SA, you can create a tool-specific SA and grant it the edit role, and that is going to be a much cleaner approach. The only caveat is that if you are using `oc whoami`, it returns the SA account name.

vrubezhny commented 3 days ago

In general, the PR works for me if I'm logging in from the Welcome -> Add OpenShift Cluster view. The only problem is that a wrong project was set as current in the App. Explorer tree (probably because the user's namespace wasn't set for the resulting current context, or maybe because the code that sets the current project after a timeout was commented out).

(screenshot)

The account created this way looks like the following:

(screenshot)

My "custom" Sandbox context saved in the kube config (created previously) already has the namespace property set to <my-username>-dev, so it's still possible to use it to log in, and the project is correctly selected once logged in. But in this case we aren't switched to using the pipeline token (in the previous try we were switching to it automatically instead of using the provided user token value).

dgolovin commented 3 days ago

The latest commits to main definitely have some issues. If I rebase this branch on top of origin/main, nothing works. If I use it as it is, everything works.

datho7561 commented 3 days ago

I also tried this branch and it's working for me. I noticed I was able to list the service accounts again; I think this was the root of the failure when we removed the feature. I'm going to try rebasing and retrying to see if I can reproduce those errors you mentioned.

dgolovin commented 2 days ago

The namespace is a problem, because when using an SA it is going to be {sa-fullname}-dev, and that is not going to work. The namespace should be pulled out of the token (decode it and parse the JSON to pull the kubernetes.io/serviceaccount/namespace claim out of it). 💯 to @vrubezhny for catching it.
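The claim extraction described above, as an added example in TypeScript (the extension's language) that is not part of the PR or the extension's code. It only decodes the token, it does not verify it (the API server verifies the signature when the token is used), and it also handles the nested claim layout of bound (projected) service-account tokens; the sample token, its user name and its placeholder signature are constructed here.

```typescript
// Shape of the claims we care about in a Kubernetes service-account JWT.
interface SaTokenClaims {
  // Legacy secret-based SA tokens carry the namespace as a flat claim.
  'kubernetes.io/serviceaccount/namespace'?: string;
  // Bound (projected) SA tokens nest it under "kubernetes.io".
  'kubernetes.io'?: { namespace?: string };
  [claim: string]: unknown;
}

// JWT segments are base64url without padding; restore standard base64 before decoding.
function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Decode the payload only. No signature check happens here: the decoded claims are
// used for a local default (which namespace to select), never as an authorization decision.
function decodeJwtClaims(token: string): SaTokenClaims {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error('not a JWT: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1])) as SaTokenClaims;
}

// Return the namespace the SA token belongs to, from either claim layout.
function namespaceFromSaToken(token: string): string {
  const claims = decodeJwtClaims(token);
  const ns = claims['kubernetes.io/serviceaccount/namespace'] ?? claims['kubernetes.io']?.namespace;
  if (typeof ns !== 'string' || ns.length === 0) {
    throw new Error('token carries no service-account namespace claim');
  }
  return ns;
}

// Constructed sample token builder (hypothetical): real tokens are issued by the cluster;
// the signature segment here is a placeholder and would never validate.
function makeSampleToken(payload: object): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Constructed legacy-format token for a sandbox user "jdoe" and the "pipeline" SA.
const SAMPLE_LEGACY_TOKEN = makeSampleToken({
  iss: 'kubernetes/serviceaccount',
  'kubernetes.io/serviceaccount/namespace': 'jdoe-dev',
  'kubernetes.io/serviceaccount/service-account.name': 'pipeline',
  sub: 'system:serviceaccount:jdoe-dev:pipeline',
});
```

`namespaceFromSaToken(SAMPLE_LEGACY_TOKEN)` yields `jdoe-dev`, which is the value to put on the context's namespace instead of deriving `{sa-fullname}-dev` from the SA name.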

dgolovin commented 2 days ago

There is also another caveat, but it needs to be confirmed with a freshly provisioned sandbox.

Assuming the namespace problem is fixed and all the required info to push an image to the internal registry is present:

  1. the image is tagged properly
  2. the user token is correct
  3. the registry public URL is correct

it is still not going to work the very first time, until the first dummy image stream is created.