Description of your changes

Robots don't have any permissions when created and they need to be a member of a team with the right permissions on a control plane for their token to work for MCP Connector. And currently, this is challenging to require from the user since assigning control plane permissions to a team is disabled in the UI. Doing that as part of up ctp connect would be almost overreaching, i.e. create team, create robot, assign robot to a team, assign permission to the team, create token. Also, it'd have to create a team for every cluster, which is not an ideal default. On the other hand, user tokens have permission for all control planes the user has access to, hence we're using that even if the user points to an org with the --account flag.

Ideally, we'd like a robot to be created for each cluster but that will have to wait for a default team created automatically for every organization. In that case, we can just assume that team for the robot if a team name is not given. Granting permission to that team could be an optional flag.

I have:

- Run make reviewable to ensure this PR is ready for review.
- Added backport release-x.y labels to auto-backport this PR, as appropriate.

How has this code been tested

Manually.