New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: create cli commands for ApplicationSet #9584
feat: create cli commands for ApplicationSet #9584
Conversation
2f209b0
to
9bad0d4
Compare
Codecov Report
@@ Coverage Diff @@
## master #9584 +/- ##
==========================================
- Coverage 45.69% 45.31% -0.39%
==========================================
Files 234 236 +2
Lines 28508 28827 +319
==========================================
+ Hits 13027 13063 +36
- Misses 13694 13973 +279
- Partials 1787 1791 +4
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
a3f228b
to
d547ec7
Compare
157e1b5
to
0038697
Compare
c415e3b
to
2a5967d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I think the big question we have to answer is: should we require all write-type ApplicationSet API requests to have an un-templated spec.template.spec.project
field, or can we accept templated Project fields?
I think when @leoluz and @ishitasequeira and @jgwest and I discussed it last, we had settled on disallowing write-type API requests when the AppSet Project field was templated. But I think we can eliminate that requirement.
My proposal:
- Before each RBAC check, run
fasttemplate
over the Project field and replace each template with an asterisk. - Perform the RBAC check for the now-templated project fields.
For example, suppose I have RBAC like this:
p, appset-dev-maintainers, applicationsets, update, *-dev/*, allow
If a user tries to update an AppSet like this:
metadata:
name: apis-appset
spec:
template:
spec:
project: "{{path[0]}}-dev"
Then the following RBAC check would happen:
*-dev/apis-appset # passes because it matches the first rule
I don't think this would be too much additional code, and I think it would make the API support for ApplicationSets much more powerful. Thoughts?
After chatting with Leo... ignore my last comment, I think that can be introduced in a later PR. For now, let's just reject AppSet API requests where the project field is templated. |
The other comment I had was that maybe we should just skip the Application RBAC checks and instead document very thoroughly that granting write capabilities on applicationsets grants the ability to do a bunch of things with applications by proxy. |
efd47e5
to
84b76d0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran into a few issues while testing the CLI.
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, thanks @ishitasequeira for putting so much work into this!
@jannfis do you want to give it another pass before merging?
@ishitasequeira thank you for this. do you know when this pr will be merged? would love to give this a spin :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks @ishitasequeira!
And thanks @crenshaw-dev for giving me opportunity to look over it again!
* feat: add applicationset cli commands Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * squashed commits and rebased with master Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * addressed comments Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * fix lint errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * Retrigger CI pipeline Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * Retrigger CI pipeline Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * feat: add applicationset cli commands Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * addressed comments Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * fix lint errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * Retrigger CI pipeline Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * Retrigger CI pipeline Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * Addressed PR comments Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * removed duplicate imports Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * fix CI errors Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * address PR comments Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * add k8s RBAC, docs tweaks Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * rebase master branch Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * Addressed PR coments Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * remove unnecessary fields, add docs Signed-off-by: CI <michael@crenshaw.dev> Signed-off-by: ishitasequeira <ishiseq29@gmail.com> * fix unit test Signed-off-by: ishitasequeira <ishiseq29@gmail.com> Signed-off-by: ishitasequeira <ishiseq29@gmail.com> Signed-off-by: CI <michael@crenshaw.dev> Co-authored-by: CI <michael@crenshaw.dev>
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist: