From 0a6472e7706bdf7d0dfa545738eed967f4069c31 Mon Sep 17 00:00:00 2001
From: Morten Larsen <mortenl41@gmail.com>
Date: Thu, 9 Oct 2025 17:54:29 +0200
Subject: [PATCH] Set proper credential scope when refreshing

---
 server.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/server.go b/server.go
index dabfb73..758d3d7 100644
--- a/server.go
+++ b/server.go
@@ -43,6 +43,8 @@ import (
 
 const gcpAuth = "gcp-auth"
 
+const gcpAuthScope = "https://www.googleapis.com/auth/cloud-platform"
+
 var (
 	runtimeScheme = runtime.NewScheme()
 	codecs        = serializer.NewCodecFactory(runtimeScheme)
@@ -79,7 +81,7 @@ func watchNamespaces() error {
 
 	// grab credentials from where GCP would normally look
 	ctx := context.Background()
-	creds, err := google.FindDefaultCredentials(ctx, "https://www.googleapis.com/auth/cloud-platform")
+	creds, err := google.FindDefaultCredentials(ctx, gcpAuthScope)
 	if err != nil {
 		return fmt.Errorf("finding default credentials: %v", err)
 	}
@@ -170,7 +172,7 @@ func deletePullSecret(clientset *kubernetes.Clientset, ns corev1.Namespace) erro
 
 // refreshAllPullSecrets deletes and recreates image registry pull secrets for all namespaces
 func refreshAllPullSecrets() error {
-	creds, err := google.FindDefaultCredentials(context.Background())
+	creds, err := google.FindDefaultCredentials(context.Background(), gcpAuthScope)
 	if err != nil {
 		return fmt.Errorf("finding default credentials: %v", err)
 	}