[Flux] Flux plugin cannot detect flux controllers without cluster-scoped permissions to list deployments

[nikolai-fra]

Hello all,

I'm facing the following problem with using the flux plugin in our environment:

In our cluster normal users have permissions in their own namespaces and the built-in "View" role on a few platform-level namespaces like "flux-system".

When trying to use the flux plugin they are shown the "Helm Controller is not installed" label.
After analysis of the network calls the api request to
/apis/apps/v1/deployments?labelSelector=app.kubernetes.io%2Fpart-of%3Dflux
fails with 403 for these users.

If I'm right this is because this api request is equivalent to
kubectl get deployments -A -l app.kubernetes.io/part-of=flux -v8
and the users do not have the permission to get deployments in all namespace.

Instead the users do have the permission to
kubectl get deployments -n flux-system -l app.kubernetes.io/part-of=flux -v8
=>
apis/apps/v1/namespaces/flux-system/deployments?labelSelector=app.kubernetes.io%2Fpart-of%3Dflux

Probably somebody can give me a pointer where this is in the code? - I was not able to find this code part :/

I think this is a common scenario.
A solution could be to add an configuration option in the Settings > plugins > flux to specify the namespace (here "flux-system") where the flux controllers are installed.

[nikolai-fra]

I've started to work on a PR but I'm still lost on finding the place to modify the initial check for the flux controller :/

[mgalesloot]

I believe this is fixed in #165. The flux plugin does not need to know where the controller is installed, nor should it have permissions to view that namespace.

[nikolai-fra]

Ah perfect. I did not find this issue and now I see the reason why I did not find the problematic code path as it was removed with your PR, but I'm still using the last release.
Thanks for your fix!