Description
Hey,
during my deployment pipelines, I'm trying to keep ALL my secrets in the environment variables. With this self-imposed restriction, I'm having trouble with stackit auth under these circumstances.
To illustrate, imagine something like this as the last step of an initial deployment pipeline:
```bash
stackit config set --project-id $(STACKIT_PROJECT_ID)
stackit auth activate-service-account --service-account-key-path <(echo $STACKIT_SERVICE_ACCOUNT_KEY)
KUBECONFIG=$(stackit ske kubeconfig create <mycluster> --disable-writing --output-format json -y) \
helm install argocd argo-cd \
  --kubeconfig <(echo $KUBECONFIG) \
  --repo <private-artifactory-url> \
  --username $(artifactory_technical_user_name) \
  --password $(artifactory_technical_user_token) \
  -f <(envsubst < myvalues.yaml.template)
# myvalues contains secrets like git token and imagepullsecret in the 'extraObjects:' section in the helm chart
```
This authenticates against STACKIT, creates a kubeconfig and deploys a minimal argoCD instance via helm that has just enough configuration in order to connect to our gitops repo, where the applicationsets and an application for self-managed argo live.
I'm explicitly trying to avoid using the helm and argocd terraform providers. I'm also not using `helm repo add` so that I don't store credentials in `~/.config/helm/repositories.yaml`. I'm also using process substitution to pass the service account key to stackit-cli and the kubeconfig to helm, since these expect a file path and, as I said, I don't want to write files to disk.
Now to how I would like this to work:
In my world, this script above has one downside. At the moment there is no way around `stackit auth` writing the api token to disk. Something I'm trying to avoid. I would like to have the option to not write the token into `~/.config/stackit/cli-auth-storage.txt` but instead either to stdout or into an environment variable. If written to stdout, I would use something like `export STACKIT_API_TOKEN=$(stackit auth activate-service-account --service-account-key-path <(echo $STACKIT_SERVICE_ACCOUNT_KEY) --disable-writing)`.
The second thing I would need for this to work is for stackit-cli to either respect this environment variable or have an extra flag like `--api-token` so that I can get my kubeconfig like this:
```bash
KUBECONFIG=$(stackit ske kubeconfig create <mycluster> --disable-writing --output-format json -y --api-token $STACKIT_API_TOKEN)
```
I have not looked into the code yet so I don't know whether this is a topic for the cli or the sdk.
I could also directly talk to the API but that's a little more inconvenient than doing it via the cli.