Until this point, the homepage about the multi-tenant cluster was running in the multi-tenant cluster without using the multi-tenant functionality :-P.
Now, I have created a “homepage” tenant, with a non-cluster-admin user (myself) as the owner. As this user I have created a homepage namespace and a “deployer” service account that only has access to the homepage namespace. The kubeconfig of this deployer service account is used in the GitLab pipeline.
Benefits:
- the usual multi-tenancy ones
- no longer using cluster-admin credentials in the CI/CD pipeline

Steps:
- create a non-cluster-admin user and output its kubeconfig file
- create a Capsule Tenant (with a user as the owner)
- as a Tenant admin: create a “deployer” service account (with access limited to a single namespace) and output its kubeconfig file
Scripts to do these steps have been committed to the main Qluster project.
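The objects behind the last two steps, as an added example (this is not the Qluster project's own script): shell functions that emit the Capsule Tenant, the namespaced ServiceAccount/Role/RoleBinding, and the pipeline kubeconfig. The names `homepage`, `deployer` and `alice`, the Role's resource list and the helper function names are assumptions.

```shell
# Added example; names and Role rules are assumptions, not taken from Qluster.

# Capsule Tenant owned by a regular (non-cluster-admin) user.
# Applied once by a cluster admin. $1=tenant name, $2=owner user
tenant_manifest() {
cat <<EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata: {name: $1}
spec:
  owners:
  - {name: $2, kind: User}
EOF
}

# ServiceAccount + Role + RoleBinding, all namespaced. Nothing cluster-scoped
# is bound, so the account has no rights outside namespace $1, and the Role
# deliberately leaves out secrets and RBAC objects.
deployer_manifests() {
verbs='[get, list, watch, create, update, patch]'
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: deployer, namespace: $1}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: deployer, namespace: $1}
rules:
- {apiGroups: [""], resources: [configmaps, services], verbs: $verbs}
- {apiGroups: [apps], resources: [deployments], verbs: $verbs}
- {apiGroups: [networking.k8s.io], resources: [ingresses], verbs: $verbs}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: deployer, namespace: $1}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: deployer}
subjects: [{kind: ServiceAccount, name: deployer, namespace: $1}]
EOF
}

# kubeconfig for the pipeline. $1=API server URL, $2=base64 CA bundle,
# $3=namespace (set as the context default), $4=service account token
deployer_kubeconfig() {
cat <<EOF
apiVersion: v1
kind: Config
clusters: [{name: cluster, cluster: {server: "$1", certificate-authority-data: "$2"}}]
users: [{name: deployer, user: {token: "$4"}}]
contexts: [{name: deployer, context: {cluster: cluster, user: deployer, namespace: $3}}]
current-context: deployer
EOF
}
```

As the tenant owner, pipe `deployer_manifests homepage` into `kubectl apply -f -` and obtain a token with `kubectl create token deployer -n homepage`. A cluster admin can confirm the resulting scope with `kubectl auth can-i --list --as=system:serviceaccount:homepage:deployer -n homepage`.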