feat(plugins): add optional consumer name to show consumer permissions

plugins/kubeconfigretriever.py

@@ -13,7 +13,7 @@ def retrieve_kubeconfig(self, serverURL, kubeconfigFor, kubeconfig):
 		if kubeconfigFor == 'provider':
 			cmd = "kubectl get configmaps kubeplus-saas-provider -n " + kubeplusNS + r" -o jsonpath='{.data.kubeplus-saas-provider\.json}'"
 		if kubeconfigFor == 'consumer':
-			cmd = "kubectl get configmaps kubeplus-saas-consumer-kubeconfig -n " + kubeplusNS + r" -o jsonpath='{.data.kubeplus-saas-consumer\.json}'"			
+			cmd = "kubectl get configmaps kubeplus-saas-consumer-kubeconfig -n " + kubeplusNS + r" -o jsonpath='{.data.kubeplus-saas-consumer\.json}'"
 
 		cmd = cmd + " --kubeconfig=" + kubeconfig
 		out = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).communicate()[0]

plugins/kubectl-kubeplus-commands

@@ -16,7 +16,7 @@ print_help () {
     echo "        kubectl grantpermission consumer"
     echo "        kubectl upload chart"
     echo "        kubectl show provider permissions"
-    echo "        kubectl show consumer permissions"
+    echo "        kubectl show consumer permissions <Namespace> <ConsumerName>"
     echo "        kubectl license create"
     echo "        kubectl license get"
     echo "        kubectl license delete"
@@ -57,7 +57,7 @@ print_help () {
     echo "        Upload Helm chart (tgz) to KubePlus Operator."
     echo ""
     echo "        - kubectl show provider permissions shows the permissions for kubeplus-saas-provider service account in the namespace where kubeplus is installed."
-    echo "        - kubectl show consumer permissions shows the permissions for kubeplus-saas-consumer service account in the namespace where kubeplus is installed."
+    echo "        - kubectl show consumer permissions shows the RBAC permissions for a consumer. Namespace and ConsumerName are required."
     echo "        License Management."
     echo "        - kubectl license create - creates license for a Kind"
     echo "        - kubectl license get    - gets license for a Kind"

plugins/kubectl-show-consumer-permissions

@@ -7,19 +7,32 @@ print_help () {
     echo "        kubectl show consumer permissions"
     echo ""
     echo "SYNOPSIS"
-    echo "        kubectl show consumer permissions <Namespace>"
+    echo "        kubectl show consumer permissions <Namespace> <ConsumerName>"
     echo ""
     echo "DESCRIPTION"
-    echo "        kubectl show consumer permissions shows the permissions for kubeplus-saas-consumer service account in the namespace where kubeplus is installed."
+    echo "        kubectl show consumer permissions shows the RBAC permissions for a consumer service account."
+    echo "        Namespace is the namespace where the consumer service account lives."
+    echo "        ConsumerName is the name of the consumer service account."
+    echo ""
+    echo "        Two use cases for consumer service accounts:"
+    echo "        1) Instance-creation consumer: SA with permissions to create application instances (not restricted to a namespace)."
+    echo "           Typically lives in the KubePlus namespace (e.g. kubeplus-saas-consumer in default)."
+    echo "        2) Instance-scoped consumer: SA with permissions restricted to a specific instance's namespace (e.g. for debugging)."
+    echo "           Lives in the instance namespace (e.g. team1mysql when team1 created an instance named team1mysql)."
+    echo ""
+    echo "EXAMPLES"
+    echo "        kubectl show consumer permissions default kubeplus-saas-consumer"
+    echo "        kubectl show consumer permissions team1mysql team1-debug"
     exit 0
 }
 
-if (( $# < 1 || $# >= 2)); then
+if (( $# != 2)); then
   print_help
 fi
 
 namespace="$1"
+consumer="$2"
 
 check_namespace $namespace
 
-kubectl auth can-i --list --as=system:serviceaccount:$namespace:kubeplus-saas-consumer
+kubectl auth can-i --list --as=system:serviceaccount:$namespace:$consumer