Flamingo tenant structure not mapping to Flux tenant structure

[tommyreilly]

Hi,

Hopefully a quick question if someone knows.

In the Flamingo source at:

flamingo/cmd/flamingo/install_templates.go

Line 110 in ef02f00

toolkit.fluxcd.io/tenant: %s

it suggests that the label to identify a tenant is limited to the namespace name:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    toolkit.fluxcd.io/tenant: %s
  name: flamingo-reconciler
  namespace: %s
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
  namespace: %s

However, Flux multi-tenancy doesn't limit a tenant to a single namespace:

https://fluxcd.io/flux/cmd/flux_create_tenant/

e.g. as per the doc, you can define --with-namespace multiple times which makes sense to me where a team may be allocated more than one namespace in a k8s (shared) cluster:

 # Generate tenant namespaces and role bindings in YAML format
 flux create tenant dev-team \
   --with-namespace=frontend \
   --with-namespace=backend \
   --export > dev-team.yaml

Is this difference between Flamingo tenancy and Flux intended? i..e would I have to work with a tenant = namespace if I wanted to use the Flux subsystem?

[chanwit]

Hi @tommyreilly
Thank you for bringing this up.

Our aim is to make Flamingo 100% compatible with Flux tenants.
So yes, we would definitely support the model you suggested.

[tommyreilly]

Thank you @chanwit