Install flag for helm and additional kustomize file for raw yaml for pure Namespace scoping #149
Conversation
ack-bot
added
the
needs-ok-to-test
|
Hi @ryansteakley. Thanks for your PR. I'm waiting for a aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| [{"op": "replace", | ||
| "path": "/kind", | ||
| "value": "RoleBinding"}, | ||
|
|
There was a problem hiding this comment.
Please remove excess whitespace
There was a problem hiding this comment.
Still some excess whitespace here. Probably can go to 1 line per object:
[{"op": "replace", "path": "/kind", "value": "RoleBinding"},
{"op": "add", "path": "/metadata/namespace", "value": "ack-system"},
{"op": "replace","path": "/roleRef/kind","value": "Role"}] …ked inside of conditional
| group: rbac.authorization.k8s.io | ||
| version: v1 | ||
| kind: ClusterRole | ||
| name: ack-sagemaker-controller |
There was a problem hiding this comment.
Does "sagemaker" need to be hardcoded here?
There was a problem hiding this comment.
Thought I removed this must have pushed it again by accident :(
There was a problem hiding this comment.
Fair point. These might need to be made into Go templates and inject {{ .ServiceIDClean }} just like the cluster-role-binding.yaml.tpl
There was a problem hiding this comment.
Yep had to make them into go templates and put them in release.go and controller.go respectively
ryansteakley
force-pushed
the
namespaced-installation
branch
from
8a9e3c0 to
46bace7
Compare
There was a problem hiding this comment.
@ryansteakley you marked a number of conversations between you and @RedbackThomson as resolved, but I don't actually see changes made... did you forget to git push your changes?
| [{"op": "replace", | ||
| "path": "/kind", | ||
| "value": "RoleBinding"}, | ||
|
|
There was a problem hiding this comment.
Still some excess whitespace here. Probably can go to 1 line per object:
[{"op": "replace", "path": "/kind", "value": "RoleBinding"},
{"op": "add", "path": "/metadata/namespace", "value": "ack-system"},
{"op": "replace","path": "/roleRef/kind","value": "Role"}]
Going to look into it, it is very possible some changes got git stash and never applied again Some of the conversations related to file naming extensions ended up in keeping the .tpl extension as they were needed to get {{ .ServiceIDClean }} injected |
templates/helm/values.yaml.tpl
Outdated
|
|
||
| # If specified, the service controller will only be able to operate in a single namespace. Set by default to K8S_NAMESPACE | ||
| # If set to true, user must set watchNamespace as well. | ||
| namespacedInstallation: false |
There was a problem hiding this comment.
Why do we need this additional option? If watchNamespace is required, then why can't we just switch on watchNamespace != ""?
There was a problem hiding this comment.
A customer may want to set the watchNamespace but still have their resource be cluster-scoped. This allows for flexibility in changing the watchNamespace value later, and not having to redeploy anything except the deployment. It also means that a user could install the controller into the ack-system namespace and watch another namespace. Installing as namespacedInstallation = true requires the Helm chart be installed into the watchNamespace
There was a problem hiding this comment.
A customer may want to set the
watchNamespacebut still have their resource be cluster-scoped.
Why? Isn't the whole point of namespaced installation to limit the CRDs, the RBACs that can read those CRs and the namespace that those CRs can be created in to just a single namespace?
There was a problem hiding this comment.
I am trying to not conflate the two ideas:
- Watch a single namespace
- Be installed into the scope of the single namespace
Users may want 1 but not 2. But if they want 2, it is required that they also do 1.
If you want to bundle them up into the same thing and ship them together, then ok I'm on board. I wanted to offer the choice, at least.
Note: I guess I don't understand how customers are using namespace scoping well enough to draw a judgement on what they would want.
| @@ -1,11 +1,22 @@ | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| {{ "{{ if not .Values.namespacedInstallation }}" }} | |||
There was a problem hiding this comment.
See below... this could simply be:
{{ "{{ if not .Values.watchNamespace }}" }}
| @@ -0,0 +1,13 @@ | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| {{ "{{ if not .Values.namespacedInstallation }}" }} | |||
There was a problem hiding this comment.
See below... I don't see why this can't just be:
{{ "{{ if not .Values.watchNamespace }}" }}
| metadata: | ||
| creationTimestamp: null | ||
| name: ack-{{ .ServiceIDClean }}-controller | ||
| {{ "{{ else if and .Values.namespacedInstallation (required \"watchNamespace must be set for namespaced installation\" .Values.watchNamespace) }}" }} |
There was a problem hiding this comment.
and this would not be necessary... could just be {{ else }}
scripts/build-controller-release.sh
Outdated
| # `cluster-role-controller.yaml` to better reflect what is in that file. We additionally add the ability | ||
| # for the user to specify if they want the role to be ClusterRole or Role by specifying installation scope | ||
| # in the helm values.yaml | ||
| sed -e '1r '"$helm_output_dir/templates/_controller-role-kind-patch.yaml"'' -e '1, 7d' $helm_output_dir/templates/role.yaml > $helm_output_dir/templates/cluster-role-controller.yaml |
There was a problem hiding this comment.
oh boy...
Way too much magic and sed-fu to be readable and understandable by mere mortals.
We need to find a clearer way of doing this.
There was a problem hiding this comment.
Issue is that the role.yaml file is auto-generated by controller-gen. So there will have to be some overwriting of the auto-generated file with the lines of code we want to allow the user to switch programmatically between clusterrole and role.
| @@ -0,0 +1,3 @@ | |||
| [{"op": "replace", "path": "/kind", "value": "RoleBinding"}, | |||
| {"op": "add", "path": "/metadata/namespace", "value": "ack-system"}, | |||
There was a problem hiding this comment.
This is replacing the namespace that should be supplied by the user in .Values.watchNamespace with the hard-coded string "ack-system", which is defeating the original purpose of a namespace-scoped installation, no?
There was a problem hiding this comment.
This file is for the Kustomize overlay - no Helm values to replace, here. All of these Kustomize files use ack-system as the default namespace. The user will need to override the values for all resources anyway, so may as well make this one match.
There was a problem hiding this comment.
ah, yes, ok that makes sense.
| @@ -0,0 +1,2 @@ | |||
| [{"op": "replace", "path": "/kind", "value": "Role"}, | |||
| {"op": "add", "path": "/metadata/namespace", "value": "ack-system"}] No newline at end of file | |||
There was a problem hiding this comment.
same comment as above about hard-coded "ack-system".
|
/hold |
ack-bot
added
the
do-not-merge/hold
|
As described on Slack with @jaypipes and @ryansteakley: I suggest that we remove the This would reduce the chance of a user accidentally applying the Helm chart into a namespace where the deployment does not have sufficient privileges. It also reduces the number of independent variables that need to align for a correct configuration. |
| {{- define "watch-namespace" -}} | ||
| {{- if eq .Values.installScope "namespace" -}} | ||
| {{- .Release.Namespace -}} | ||
| {{- end -}} | ||
| {{- end -}} |
There was a problem hiding this comment.
Have we confirmed that this defaults to an empty string when install scope is cluster?
There was a problem hiding this comment.
Environment:
K8S_NAMESPACE: ack-system (v1:metadata.namespace)
AWS_ACCOUNT_ID: 123456789012
AWS_REGION: us-west-1
AWS_ENDPOINT_URL:
ACK_WATCH_NAMESPACE:
ACK_ENABLE_DEVELOPMENT_LOGGING: true
ACK_LOG_LEVEL: debug
ACK_RESOURCE_TAGS: services.k8s.aws/managed=true,services.k8s.aws/created=%UTCNOW%,services.k8s.aws/namespace=%KUBERNETES_NAMESPACE%
AWS_ROLE_ARN: arn:aws:iam::123456789012:role/ack-controller-role-namespaced
AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
Defaults to an empty string when using cluster.
When using namespace, value is correctly passed.
Environment:
K8S_NAMESPACE: ack-system (v1:metadata.namespace)
AWS_ACCOUNT_ID: 123456789012
AWS_REGION: us-west-1
AWS_ENDPOINT_URL:
ACK_WATCH_NAMESPACE: ack-system
ACK_ENABLE_DEVELOPMENT_LOGGING: true
ACK_LOG_LEVEL: debug
ACK_RESOURCE_TAGS: services.k8s.aws/managed=true,services.k8s.aws/created=%UTCNOW%,services.k8s.aws/namespace=%KUBERNETES_NAMESPACE%
AWS_ROLE_ARN: arn:aws:iam::123456789012:role/ack-controller-role-namespaced
AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
| apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ack-{{ .ServiceIDClean }}-controller |
There was a problem hiding this comment.
nit: Remove duplication by moving apiGroup and name to after {{ end }} (and removing from both conditional blocks)
templates/helm/values.yaml.tpl
Outdated
|
|
||
| # If specified, the service controller will watch for object creation only in the provided namespace | ||
| watchNamespace: "" | ||
| # Set to namespace to install the controller in a namespaced scope, will only watch for object creation |
There was a problem hiding this comment.
nit: For clarity,
| # Set to namespace to install the controller in a namespaced scope, will only watch for object creation | |
| # Set to "namespace" to install the controller in a namespaced scope, will only watch for object creation |
| @@ -0,0 +1,3 @@ | |||
| [{"op": "replace", "path": "/kind", "value": "RoleBinding"}, | |||
| {"op": "add", "path": "/metadata/namespace", "value": "ack-system"}, | |||
There was a problem hiding this comment.
ah, yes, ok that makes sense.
|
@RedbackThomson feel free to lgtm if you're also good with this. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: A-Hilaly, jaypipes, RedbackThomson, ryansteakley The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
ack-bot
removed
the
do-not-merge/hold
6 participants
Issue #, if available:
aws-controllers-k8s/community#770
Description of changes:
namespacedInstallationflag for helmvalues.yamlto specify thatRoleandRoleBindingshould be used instead ofClusterRoleandClusterRoleBindingwatchNamespacein helmvalues.yamlmust be set if usingnamespacedInstallationflag.role-controller.yamlfile with the template code that allows for the programmatic setting ofnamespacedInstallationin the helmvalues.yamloverlays/namespaceddirectory for the raw yamls in config. This folder contains the json patch files,role.yamlandrole-binding.yamlthat will modify theClusterRoleandClusterRoleBindingfiles to beRoleandRoleBinding. This allows the user to apply these changes using raw yaml and not helm if these wish.cluster-role-binding.yamlandcluster-role-controller.yamlso that every service repo doesn't need to rm these files since they already exist in their repo and any other naming of the yaml files will cause multiple roles/bindings to install causing installation failures.Tested locally
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.