Looking at the juju add-k8s --controller <controller> command in the Juju client, I realized that most of it should probably be handled by the controller instead.
juju add-k8s, the client will, using the k8s client version for Go, create a serviceaccount, clusterrole, and secret that later on will be used for creating a CloudCredentials object for the cloud. This means the client needs access to the k8s cluster.
I think it would be nice to move that logic to the controller, and just use the k8s client from the controller to create the resources, removing the need for the client to have access to the k8s cluster.
While I am writing this, I realize that this will only work when you add a k8s cloud to an existing controller, but this controller must already exist. If you want to add a k8s cloud to the client so that later on you can bootstrap a controller… this won’t work for obvious reasons.
Anyway, if someone could share some thoughts about this, I would appreciate it.