-
Notifications
You must be signed in to change notification settings - Fork 26
Support activating pipelines in an alternate namespace #230
Comments
@stephenkinder Can we get a clarification please - would you prefer:
I don't know if there are long-term benefits from doing one over the other. |
In order to watch multiple namespaces and support this scenario, we have to move up to operator-sdk v0.11.0 or newer to pick up controller-runtime v0.2.0 |
@dacleyra has been working thru some of the issues here, and I wanted to write some of this stuff down because it's going to affect other components (potentially). First, there were some questions about the service accounts and roles now, which becomes complicated because you have namespaces where the pipelines are allowed to create applications, as well as namespaces where the pipelines are allowed to be in the first place. Things to keep in mind:
After these changes, someone using the tekton dashboard to establish a GitHub webhook would look to the
I don't like having a default I think that the kabanero controller should be responsible for establishing all of the roles and bindings, since the Kabanero CR instance has the namespaces coded into it. If we push the namespaces down to the Stack CR instances, that leaves the possibility that someone codes different pipelines namespaces into manually created Stack CR instances, and then we potentially end up with a mess (although it might be a convenient mess for someone who wants to do things in a very particular way). I think having all of the permission/control information in the Kabanero CR instances is easier to understand. I am open to other suggestions though. Dan mentioned that as of right now, the kabanero operator is namespace-scoped, and so if we create pipelines and tasks in another namespace, we won't be able to watch these and re-create any that are deleted. Once we change to be a cluster-scoped operator (see #284 ) this will be possible. I mean, it's always possible that we can do some off-label thing like create a second client in the stack controller pod which is capable of watching another namespace, and then feed reconcile requests back into the reconciler somehow, but I don't think that's necessary. For now, if someone codes That's everything I can think of ATM. It's likely that we can move this along to a point, and then have to stop to work thru more design issues (particularly with eventing), and that's fine. |
Another approach worth considering is to support a matching pair of namespaces - |
There is a desire to have the collection-level resources (ie pipelines, tasks, etc) deployed in a separate namespace from the rest of Kabanero. Consider the following proposed yaml:
Note the new
pipelinesNamespace
attribute (name subject to change, and also cardinality, but lets go with this for now). When activating the collections, the resources would get created in this alternate namespace. IfpipelinesNamespace
were not specified, we would continue to activate in the current namespace (kabanero in this case).It's not clear whether the collection itself should be activated in the current (kabanero) namespace or in the pipelines namespace. For now lets assume activating in the current namespace. If it's activated in the pipelines namespace, then the CLI services will need to change to watch/create
kind: Collection
instances in the pipelines namespace rather than the current namespace. The kabanero-operator already sets up an environment variable to tell the CLI service what namespace to watch, and it may be as simple as just changing that to a new value, but that also may have un-intended side effects on the CLI, and also would probably require a new role / cluster role, to allow the CLI to search and createkind: Collection
objects across namespaces.The text was updated successfully, but these errors were encountered: