Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature]: Developer can stage and run apps in spaces created via the API #243

Closed
tcdowney opened this issue Nov 16, 2021 · 3 comments
Closed

[Feature]: Developer can stage and run apps in spaces created via the API #243

tcdowney opened this issue Nov 16, 2021 · 3 comments
Assignees
@davewalter

Comments

@tcdowney
Copy link
Member

tcdowney commented Nov 16, 2021
edited

Blockers/Dependencies

No response

Background

As an App Developer
I want to be able to stage and run apps in spaces that I create via cf create-space
So that My staging and workload Pods are run separately from other spaces and that my RBAC roles apply to them

Acceptance Criteria

Staging Apps

GIVEN I have created an org and space with the cf CLI
WHEN I create a CFBuild in the space I just created
THEN I see it succeed

Running Apps

GIVEN I have created an org and space with the cf CLI
AND I have staged an App in that space / assigned the Droplet to the App
WHEN I start the App
THEN I see running Pods in the namespace corresponding with the CF space

Dev Notes

Right now there are three issues I've identified that are preventing this from working:

  1. We should configure the new cf namespace to be the root namespace in the API shim
  2. We need to configure HNC to propagate secrets
  3. Propagating ServiceAccounts seems buggy and maybe not supported. It propagates the ServiceAccounts themselves, but not the token secrets that they rely on which causes them to be broken in the child namespaces.

The HNC docs say this:

Similarly, Kubernetes ServiceAccount Secrets will also by default be excluded from propagation.
@tcdowney
Copy link
Member Author

Notes from the discussion during the CF on K8s SIG call:

  • We should avoid relying on HNC to propagate ServiceAccounts for now. Let's have the API Shim create one when creating spaces*. Eventually let's have a controller that operates on CFOrg and CFSpace resources handle this.

* I think space creation is pretty async since we are actually creating HNC SubnamespaceAnchors. But I've seen buggy CLI behavior where the create space call returns too soon, so it might be beneficial in general to wait a bit for the namespace to get made so that we can create the ServiceAccount for kpack

@gcapizzi
Copy link
Contributor

After #154 we should already be waiting for namespaces to exist before returning from the endpoint!

@tcdowney
Copy link
Member Author

@gcapizzi nice, good to know :)

@acosta11 acosta11 mentioned this issue Nov 18, 2021
Merged
@davewalter davewalter self-assigned this Nov 18, 2021
@gnovv gnovv closed this as completed Nov 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@davewalter davewalter

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@davewalter @gcapizzi @tcdowney @gnovv