aiven/aiven-operator

Ability to specify default Aiven token

Closed · 1 comment

We would like to be able to specify a default Aiven token to use, so that we don't have to distribute tokens to everyone who wants to create a new instance of anything.

Ideally, it would work so that if authSecretRef is not specified on the CR, use the default token configured on the operator.

This would allow us to use Kubernetes mechanisms (RBAC and OPA) to restrict what users can create, and at the same time ensure that they can't use the token to do anything else. For instance, we would let them create Redis and OpenSearch instances, but not Postgres or Kafka. If they have access to an API-token, they can do "anything".

Hi @mortenlj, we had this K8s operator design decision to make authSecretRef mandatory and force our users to pass a secret with the API token to each resource.

Indeed, if a K8s user has an Aiven API token, any service can be created within a project. We will evaluate this request internally, and I will come back to you with the decision.
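
The RBAC half of the restriction described in the issue (allow Redis and OpenSearch, deny Postgres and Kafka), as an added example that is not part of the thread or the operator's own manifests. The namespace, group and role names are hypothetical, and the resource plurals are assumed to match the operator's CRDs in the `aiven.io` API group.

```yaml
# Added example. Hypothetical names: team-a, team-a-devs, aiven-cache-search-only.
# Assumption: the operator's CRDs expose these plurals under the aiven.io group.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aiven-cache-search-only
  namespace: team-a
rules:
  # Allowed: Redis and OpenSearch custom resources only.
  - apiGroups: ["aiven.io"]
    resources: ["redis", "opensearches"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # RBAC is allow-list only: postgresqls and kafkas are not listed here,
  # so this Role does not let its members create them.
  # There is also no rule for core "secrets", so this Role gives no read
  # access to any Secret holding an Aiven API token in the namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aiven-cache-search-only
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: aiven-cache-search-only
  apiGroup: rbac.authorization.k8s.io
# Check the effective permissions for a group member (alice is hypothetical):
#   kubectl auth can-i create redis.aiven.io  -n team-a --as=alice --as-group=team-a-devs
#   kubectl auth can-i create kafkas.aiven.io -n team-a --as=alice --as-group=team-a-devs
```

This Role limits what goes through the Kubernetes API only. As the issue notes, anyone who holds the API token itself can bypass it by calling Aiven directly, which is why the request pairs it with a token kept on the operator side.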