How does authentication work for this? It looks like Helm Wrapper is configured with a Kubeconfig. But that means that anyone that have access to the HTTP service can deploy whatever that Kubeconfig have access to.

Could it be an idea to provide a ServiceAccount somehow (via its token/Secret) and use that when deploying the Helm chart?

Now helm-wrapper really doesn't have auth, i can add a basic auth.

Allright! I wasn't thinking of a generic basic auth that can be used. It would be great if I could configure a ServiceAccount that have full permission in namespace abc123. And then use the token for that ServiceAccount somehow, maybe through the POST body:

{
    "serviceAccountToken": "xyz"
}

... or just a query parameter ?serviceAccountToken=xyz, if you prefer having the POST body only "real" Helm options.

I'm not sure if this is technically possible though, but it feels like it should be possible. The kubeconfig can accept users using service account tokens, as far as I know:

users:
- name: my-service-account
  user:
    token: xyz

The reason that I want this is that I can limit each individual access to individual namespaces, and get much more fine grained access control.

Looks good. helm-wrapper supports multiple clusters, how does it support multiple clusters using ServiceAccount authentication?

The kubeconfig can have multiple clusters and multiple users, and those are connected via contexts. And Helm Wrapper already seems to have support for passing in kube_context (which I'm assuming is this kind of context).

The tricky part I guess would be to build up the kubeconfig dynamically, per request. Since I only want the clusters in my kubeconfig and not the actual users.

yes, when use ServiceAccount, i have no idea about it, how support multiple clusters