An admin should be able to specify Secrets, ConfigMaps and PersistentVolumesClaims that need to be provisioned on each user's namespace #20501
Comments
skabashnyuk
added
kind/task
che-bot
added
the
status/need-triage
azatsarynnyy
added
severity/P1
|
As for the instructions on how to map those secrets/configmaps to the workspaces, we should make sure that the DWO labels/annos are used. E.g. devfile/devworkspace-operator#417 and devfile/devworkspace-operator#564 |
|
We need to somehow guarantee the order in which the configmaps/secrets would be applied to the workspace. Imagine an admin would define a "global" configmap with We need to be able to tell DWO in what order it should apply the configmaps such that the "user settings" can override the "global settings". What do you think about this, @sleshchenko , @l0rd ? |
|
@metlos good point. We definitely need to label the target secrets/configmaps as However I think we can leave the how to merge multiple overlapping secrets/cm out of the scope of this issue. |
|
Issues go stale after Mark the issue as fresh with If this issue is safe to close now please do so. Moderators: Add |
che-bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
|
@tolusha this is the issue you are currently working on right? |
che-bot
removed
the
lifecycle/stale
|
This one #21605 |
l0rd
added
area/che-operator
|
/remove-lifecycle stale |
ibuziuk
added
status/analyzing
|
che-operator should watch for Secrets/ConfigMaps/PersistentVolumeClaims, with the following labels, in the Che namespace: labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: workspaces-configFor example if, a ConfigMap like the following one is in the Che namespace: kind: ConfigMap
apiVersion: v1
metadata:
name: dev-env-variables
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: workspaces-config
annotations:
(...)
data:
(...)then the following ConfigMap should be created in every user namespace: kind: ConfigMap
apiVersion: v1
metadata:
name: dev-env-variables
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: workspaces-config
controller.devfile.io/mount-to-devworkspace: "true"
controller.devfile.io/watch-secret: "true"
annotations:
(...)
data:
(...) |
l0rd
changed the title
|
@l0rd |
will let Mario comment, but I think this should not be a problem since this is how k8s works. PVC does not automatically create a PV; rather, it either binds to an existing PV or triggers the dynamic provisioning of a new PV based on the specified storage class. N.B. PV provisioning is dependent on storage class e.g. there are non-dynamic storage classes that would require manual PV creation. Also, if I remember correctly when PVC does not specify a storageClassName, it will only bind to an existing PV that is not already claimed by another PVC. If there is no matching PV available, the PVC remains pending until a suitable PV is manually created and becomes available. |
Yes, that's fine. That's something that the Che admin should manage (i.e. should check if it's possible to get an extra PV for every developer). |
|
@ibuziuk |
|
@tolusha yes, I belive we should remove the resource from the users' namespaces |
Is your task related to a problem? Please describe
There are multiple usecases.
Describe the solution you'd like
Secrets and configmaps with predefined set of labels can be propaged to the user's namespace
Original labels and annotations should be preserved.
Additional context
https://issues.redhat.com/browse/CRW-2120
The text was updated successfully, but these errors were encountered: