Releases: admiraltyio/multicluster-service-account

v0.6.1

22 Nov 19:51

use ca.crt from importer, not from the imported service account (sometimes, they're different)

v0.6.0

21 Nov 00:14

Improvements

v0.5.1

25 Oct 21:44

option to override kubeconfig cluster names during bootstrap (fix #10)

v0.5.0

24 Sep 05:25

Improvements

  • PR #8: ca.crt, namespace, token and server return to service account import secrets. This reverts the breaking aspect of the switch to kubeconfigs introduced in v0.4.0, but maintains the improvement: kubeconfigs are still added to the secrets under config as a convenience, even though they're redundant with the four other fields (we should have done that in v0.4.0).
  • (BREAKING) PR #9: kubemcsa bootstrap can be called using separate (and non-default) kubeconfig files for the target and source cluster, with the --target-kubeconfig and --source-kubeconfig arguments. Target and source contexts become optional, with the --target-kubeconfig and --source-kubeconfig arguments (instead of required positional arguments—that's the breaking change).

v0.4.1

23 May 17:02

Bugfixes

  • fix #6: kubemcsa can now bootstrap clusters so that one central cluster can import service accounts from multiple other clusters. Before v0.4.1, it only worked for agent architectures, where multiple clusters only need to import service accounts from one central cluster (as in multicluster-scheduler).

v0.4.0

13 May 01:05

Improvements

  • (BREAKING) Remote service account secrets are now imported and mounted as kubeconfig files. This makes multicluster-service-account compatible with existing clients in any language without any code change, but breaks clients that use the helper functions in pkg/config pre-0.4.0.

v0.3.1

19 Apr 06:13

Bugfixes

  • fix #2: run as non root
  • fix #3: import all auth plugins, not just gcp

v0.3.0

16 Feb 23:39

Bugfixes

  • fixed #1

Breaking Changes

  • You MUST label namespaces with multicluster-service-account=enabled if you want to automount service account import secrets inside annotated pods in those namespaces (opt-in vs. all-cluster).

v0.2.1

13 Jan 00:53
  • updated controller-runtime to v0.1.9 to capture bug fixes upstream
  • automount webhook errors are now logged (otherwise we have to hunt them in events)
  • poor-man's CI/CD pipeline: mostly shell scripts, but includes an end-to-end test

v0.2.0

05 Dec 20:37
  • kubemcsa CLI helps bootstrap multicluster-service-account
  • admission controller refuses pods if service account import secret is not ready (consistent with regular service accounts)