Make default namespace configurable #91
Comments
|
Some more details on the design we discussed with @vazirim:
|
|
@pdettori just curious, are the names |
|
@cdlliuy Sure, we can rename. Just to be clear, every namespace will still need a seed-default configmap, because this is what will tell us where to look for the secret. It will also contain the context (org/space/resource group) corresponding to that namespace. |
|
I guess the org/space is optional , right? it is a concept for cf. |
|
yes but the resourcegroup is needed for non-cf. |
|
@pdettori After some thinking, I think we may reconsider the design. One major concern is from security. So far I do not have a good idea how to resolve the problem. Suggest to hold on and use seed-secret in user's namespace which open to all namespace users. Will follow this issue later after discuss with more people to get feedback. What do you think ? Thank you. |
|
@ZhuangYuZY yes, I can see how this makes sense from security perspective. If there is a concern about users accessing the IAM API Key from the secret, one possible approach is to give the IAM API Key only the minimum permissions required to create IBM Cloud Services. |
|
Yes, now we are working on to try to create a service id with minimum permission to create IBM Cloud service and credential. But seems IBM Cloud operator can not work well with service id, so we created issue #98 to track it. It will be priority for us. |
|
Fixed in v0.1.7 |
operator should look for seed-secret in current namespace, and if not present, in the namespace specified in seed-defaults, using a naming convention (one seed-secret per namespace)
The text was updated successfully, but these errors were encountered: