Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use Kubernetes configuration for name and version when available #805

Merged
merged 3 commits into from
Jan 25, 2024
Merged

fix: use Kubernetes configuration for name and version when available #805

merged 3 commits into from
Jan 25, 2024
+45 −16

Conversation

metacosm
Copy link
Member

  • fix: use Kubernetes configuration for name and version when available
  • refactor: RBACRule should be used instead of PermissionRule

@metacosm metacosm self-assigned this Jan 23, 2024
@metacosm metacosm requested a review from csviri January 23, 2024 17:47
@metacosm metacosm linked an issue Jan 23, 2024 that may be closed by this pull request
Helm chart generation incorrectly filters resources from kubernetes.yaml #801
Closed
@metacosm
Copy link
Member Author

/cc @jcechace

@metacosm
fix: use Kubernetes configuration for name and version when available
d60cfd6 
Fixes #801

Signed-off-by: Chris Laprun <claprun@redhat.com>
@metacosm
refactor: RBACRule should be used instead of PermissionRule
610f52f 
RBACRules should be used when the rules should apply to the service
account of the Reconciler since they would also impact the generated
Kubernetes manifests and be automatically propagated to the CSV, whereas
the reverse is not true (i.e. PermissionRule will not appear in the
generated Kubernetes manifests).

Signed-off-by: Chris Laprun <claprun@redhat.com>
jcechace
jcechace reviewed Jan 24, 2024
View reviewed changes
annotations/src/main/java/io/quarkiverse/operatorsdk/annotations/CSVMetadata.java
Comment on lines +94 to +99
/**
* Additional RBAC rules that need to be provided because they cannot be inferred automatically. Note that RBAC rules added
* to your reconciler via {@link RBACRule} should already be handled automatically, under the service account name
* associated with your Reconciler so this annotation should only be used to add additional rules to other service accounts
* or for rules that you don't want to appear in the generated Kubernetes manifests.
*/
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kudos for this. Javadocs should be used way more :)

@metacosm one thing I am still curious about is this being part of the CSVMetadata. Shouldn't this also have an impact when CSV bundle is not used? AFAIK the CSVMetadata class really is used just for CSV metadata generation, or am I wrong?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RBACRule is not part of CSVMetadata and we still need permission rules on CSVMetadata in case you don't want something to be generated in the kubernetes manifests. Or am I misunderstanding your question?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RBACRule is not part of CSVMetadata and we still need permission rules on CSVMetadata in case you don't want something to be generated in the kubernetes manifests. Or am I misunderstanding your question?
I see.. That makes sense. So you would use this when you don't want the permission in your kubernetes.yml but still want to use it for CSV. Thanks!

@jcechace
Copy link
Contributor

@metacosm

/**
         * @return the service account name for the permission rule. If not provided, it will use the default service account
         *         name.
         */
        String serviceAccountName() default "";

Although this is not affected by this PR I have a question/note to add here. What is considered a "default service account"? When I incorrectly used CSVMetadata.permissionRules with the @PermissionRule (instead of @RBACRuledirectly on the Reconciler) and haven't provided this serviceAccountName parameter it didn't seem to generate anything anywhere.

@metacosm
Copy link
Member Author

@metacosm

/**
         * @return the service account name for the permission rule. If not provided, it will use the default service account
         *         name.
         */
        String serviceAccountName() default "";

Although this is not affected by this PR I have a question/note to add here. What is considered a "default service account"? When I incorrectly used CSVMetadata.permissionRules with the @PermissionRule (instead of @RBACRuledirectly on the Reconciler) and haven't provided this serviceAccountName parameter it didn't seem to generate anything anywhere.

Yes, this is confusing and something that I'm pondering. I will add some documentation here.

@jcechace
Copy link
Contributor

@metacosm

/**
         * @return the service account name for the permission rule. If not provided, it will use the default service account
         *         name.
         */
        String serviceAccountName() default "";

Although this is not affected by this PR I have a question/note to add here. What is considered a "default service account"? When I incorrectly used CSVMetadata.permissionRules with the @PermissionRule (instead of @RBACRuledirectly on the Reconciler) and haven't provided this serviceAccountName parameter it didn't seem to generate anything anywhere.

Yes, this is confusing and something that I'm pondering. I will add some documentation here.

Regarding your comment (#801 (comment))

I'm confused how these two relate together. We are still using QOSDK 6.3.5 which obviously doesn't include this fix. However the permission is added to the CSV just fine when only @RBACRule is used

@metacosm
docs: clarify service account name role in PermissionRule
011d02c 
Signed-off-by: Chris Laprun <claprun@redhat.com>
@metacosm
Copy link
Member Author

@metacosm

/**
         * @return the service account name for the permission rule. If not provided, it will use the default service account
         *         name.
         */
        String serviceAccountName() default "";

Although this is not affected by this PR I have a question/note to add here. What is considered a "default service account"? When I incorrectly used CSVMetadata.permissionRules with the @PermissionRule (instead of @RBACRuledirectly on the Reconciler) and haven't provided this serviceAccountName parameter it didn't seem to generate anything anywhere.

Yes, this is confusing and something that I'm pondering. I will add some documentation here.

Regarding your comment (#801 (comment))

I'm confused how these two relate together. We are still using QOSDK 6.3.5 which obviously doesn't include this fix. However the permission is added to the CSV just fine when only @RBACRule is used

Yes, that's how it should work. My previous comment was indeed wrong: I initially thought that a fix was needed for the RBAC rule to be propagated but that isn't the case. I will update the comment to reflect that.

@metacosm metacosm merged commit 220eea4 into main Jan 25, 2024
@metacosm metacosm deleted the fix-801 branch January 25, 2024 10:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jcechace jcechace

@csviri csviri

Assignees

@metacosm metacosm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Helm chart generation incorrectly filters resources from kubernetes.yaml
2 participants
@metacosm @jcechace