Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix 1802: leverage KEP-1755 to retrieve local image registry host an… #2696

Merged
merged 2 commits into from
Apr 5, 2022
Merged

fix 1802: leverage KEP-1755 to retrieve local image registry host an… #2696

merged 2 commits into from
Apr 5, 2022

Conversation

johnpoth
Copy link
Member

…d port

Fixes #1802, this makes:

$kamel install

work on supporting clusters without additional arguments (tested successfully on k3d), thanks !

Release Note

NONE

astefanutti
astefanutti approved these changes Oct 15, 2021
View reviewed changes
Copy link
Member

@astefanutti astefanutti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great! Last time I checked, Minikube was not going to support this. Has it changed?

pkg/install/operator.go Outdated Show resolved Hide resolved
pkg/install/operator.go Show resolved Hide resolved
pkg/install/operator.go Show resolved Hide resolved
@astefanutti
Copy link
Member

Would it be possible to move that logic in the controller, like when reconciling the platform, instead of keeping it for the sole kamel install. That way it would work also whatever the installation mode. I remember we kept it there for Minikube to avoid extra RBAC and specific code, but with that KEP, it seems it would be both logical and possible.

@nicolaferraro
Copy link
Member

Would it be possible to move that logic in the controller, like when reconciling the platform, instead of keeping it for the sole kamel install. That way it would work also whatever the installation mode. I remember we kept it there for Minikube to avoid extra RBAC and specific code, but with that KEP, it seems it would be both logical and possible.

I guess it depends how much the kube-public namespace is public..

@astefanutti
Copy link
Member

astefanutti commented Oct 15, 2021
edited
Loading

Would it be possible to move that logic in the controller, like when reconciling the platform, instead of keeping it for the sole kamel install. That way it would work also whatever the installation mode. I remember we kept it there for Minikube to avoid extra RBAC and specific code, but with that KEP, it seems it would be both logical and possible.

I guess it depends how much the kube-public namespace is public..

Hehe, I asked it as a question more by courtesy but I don't expect any counter arguments 😃.

@johnpoth
Copy link
Member Author

Would it be possible to move that logic in the controller, like when reconciling the platform, instead of keeping it for the sole kamel install. That way it would work also whatever the installation mode. I remember we kept it there for Minikube to avoid extra RBAC and specific code, but with that KEP, it seems it would be both logical and possible.

Thanks for reviewing !

As @nicolaferraro said I'm not sure how public the "kube-public" namespace really is:

$kubectl auth can-i get cm  -n kube-public --as system:serviceaccount:camel-k:camel-k-operator
no

Although by convention it is supposed to be:

"kube-public This namespace is created automatically and is readable by all users (including those not authenticated). This namespace is mostly reserved for cluster usage, in case that some resources should be visible and readable publicly throughout the whole cluster. The public aspect of this namespace is only a convention, not a requirement."

Anyhow I've updated the PR so the logic is also in the operator. I've left it in the client as well so that

kamel install

works without any other options (i.e without having to specify --skip-operator-registry). Thanks !

astefanutti
astefanutti reviewed Oct 21, 2021
View reviewed changes
pkg/platform/defaults.go
@@ -149,7 +150,15 @@ func configureRegistry(ctx context.Context, c client.Client, p *v1.IntegrationPl
}
}
}

if p.Status.Build.Registry.Address == "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it won't work for local install, as the operator service account do not have required permission.

I think the best solution is to create a dedicated ClusterRole with:

rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["local-registry-hosting"]
  verbs: ["get"]

And a RoleBinding projecting that ClusterRole on the kube-public namespace for the operator service account.

@astefanutti
Copy link
Member

As @nicolaferraro said I'm not sure how public the "kube-public" namespace really is:

$kubectl auth can-i get cm  -n kube-public --as system:serviceaccount:camel-k:camel-k-operator
no

That means the operator service account do not have the required permission, but I would not deduce kube-public is not "public" from it. That only means read permission is granted for all users, but not service account. This is for us to add the permission to the operator service account.

One solution is to create a dedicated ClusterRole with:

rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["local-registry-hosting"]
  verbs: ["get"]

And a RoleBinding projecting that ClusterRole on the kube-public namespace for the operator service account.

@johnpoth
Copy link
Member Author

johnpoth commented Nov 3, 2021

kubectl auth can-i get cm -n kube-public --as system:serviceaccount:camel-k:camel-k-operator
no

As @nicolaferraro said I'm not sure how public the "kube-public" namespace really is:

$kubectl auth can-i get cm  -n kube-public --as system:serviceaccount:camel-k:camel-k-operator
no

That means the operator service account do not have the required permission, but I would not deduce kube-public is not "public" from it. That only means read permission is granted for all users, but not service account. This is for us to add the permission to the operator service account.

One solution is to create a dedicated ClusterRole with:

rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["local-registry-hosting"]
  verbs: ["get"]

And a RoleBinding projecting that ClusterRole on the kube-public namespace for the operator service account.

Ah yeah thanks, I think I tested with unauthorized users (which also didn't work) but I've added the RBAC files as you suggested which should make the question "is the kube-public namespace really public" null and void :) Thanks !

@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2022

This PR has been automatically marked as stale due to 90 days of inactivity.
It will be closed if no further activity occurs within 15 days.
If you think that’s incorrect or the issue should never stale, please simply write any comment.
Thanks for your contributions!

@squakez
Copy link
Contributor

squakez commented Apr 1, 2022

Hey @johnpoth unfortunately this has some conflict ongoing now. Would you mind rebase with main?

@johnpoth
Copy link
Member Author

johnpoth commented Apr 5, 2022

Thanks @squakez ! Rebased and merging....

@johnpoth johnpoth merged commit 346b787 into apache:main Apr 5, 2022
@johnpoth johnpoth deleted the KEP-1755 branch April 5, 2022 09:56
This was referenced Sep 7, 2022
Merged
Closed
@squakez squakez mentioned this pull request Oct 23, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@astefanutti astefanutti astefanutti approved these changes

@oscerd oscerd oscerd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use local registry config from cluster
5 participants
@johnpoth @astefanutti @nicolaferraro @squakez @oscerd