[kong] add watch-namespace automation #420
Conversation
Add a watchNamespaces setting to the controller. When set to a list of namespaces, sets CONTROLLER_WATCH_NAMESPACE to the list of namespaces and creates Role to access resources in every watched namespace. When set to an empty list (the default), watches all namespaces and creates a ClusterRole.
|
I think I failed to heed my own advice: the automation does require KIC 2.x, but we don't test with that yet. CI for the new feature would require a 2.x instance to run successfully, so until then we can only test the default, which uses existing functionality with a slightly changed template. Will probably just remove that part of the change. Poking at it a bit since it failed in a weird way (the namespace was just completely empty, which is... odd), and I should do a manual test that does use 2.x. Q: is it feasible to automate the manual tests ? |
Sounds good. Once you have done manual testing, and have some corrections for the tests I'm still ✔️ |
- Fix an incorrectly-placed namespace field in a RoleBinding template. - Revert changes to ci/test2-values.yaml. Do not test specific namespaces as it requires KIC 2.x and the namespaces in question. We can re-add this test once we default to KIC 2, though we'll need to use a namespace that exists in the test environment (so probably watch default only). - Extend local namespace role for 2.x. Role now includes get permissions to Services and Endpoints, to allow controllers without cluster permissions to see the proxy Service for publish service info. - Change the RBAC API versions. We were using a deprecated version, and do not need changes other than the API version itself to use a supported version. - When watching specific namespaces, disable the KongClusterPlugin controller. That controller does not work without cluster permissions.
|
Post manual testing updates in a096df3. Requesting review again since the changes are large enough to warrant another look IMO. 2.x will now start with a limited set of namespaces without permissions errors. We actually won't be able to completely test watchNamespaces even with 2.x, since you can't use namespaces that don't exist and can't create new namespaces for CI. The workaround in #421 is the only option. Still gets most of what we want to test (templates are correct and the controller doesn't break completely with that option) even though it's not a realistic configuration. RBAC version bump wasn't necessary for this, but we should do it anyway because v1beta1 is deprecated, and we intended to change it per Kong/kubernetes-ingress-controller#801. That's handled upstream but wasn't handled here because I only overwrote rules when making these changes. |
What this PR does / why we need it:
Automates role creation for controllers that watch a specific set of namespaces only. When
ingressController.watchNamespacesis set to an empty array, watches all namespaces and uses a ClusterRole to access resources, same as we've done in the past. When it is set to a list of namespaces, specifies them in--watch-namespaceand creates a Role/RoleBinding for each individual namespace.Which issue this PR fixes
(optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged)Related to Kong/kubernetes-ingress-controller#1503
Special notes for your reviewer:
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
nextbranch and targetsnext, notmain[kong])