Selecting kube namespace for access request in Connect sources cluster URI from wrong place

[ravicious]

teleport/web/packages/teleterm/src/ui/AccessRequestCheckout/useAccessRequestCheckout.ts

Lines 401 to 417 in ee1726e

	async function fetchKubeNamespaces({
	kubeCluster,
	search,
	}: KubeNamespaceRequest): Promise<string[]> {
	const { response } = await ctx.tshd.listKubernetesResources({
	searchKeywords: search,
	limit: 50,
	useSearchAsRoles: true,
	nextKey: '',
	resourceType: 'namespace',
	clusterUri,
	predicateExpression: '',
	kubernetesCluster: kubeCluster,
	kubernetesNamespace: '',
	});
	return response.resources.map(i => i.name);
	}

fetchKubeNamespaces uses clusterUri to query for namespaces. However, clusterUri comes from the cluster selector to the left of the search bar, present only if there are leaf clusters. If someone adds root kube cluster to a request and then goes to browse a leaf Teleport cluster, then opens the checkout and tries to modify requested namespaces, that request is going to either fail or return wrong data. Unless both the root cluster and the leaf cluster have a kube cluster with the same name and the same namespaces.

To fix this, fetchKubeNamespaces would at least need to provide the name of the cluster that the kube cluster belongs to. Ideally, the shared components in access requests would operate on some kind of URIs so that a single identifier points at a specific kube cluster.

On top of that, the ListKubernetesResourcesRequest gRPC message should operate on a single kubeClusterUri to identify the kube cluster, not on a combo of cluster_uri + kubernetes_cluster. This is possible today without any changes to the shared access request components.