[helm] Add support for namespaced scope #3403

Merged
merged 3 commits into from Mar 30, 2023


jkroepke
Contributor

Description

Classical service providers may not grant you admin permissions on our own Kubernetes cluster. This change introduces a namespaced mode, where external-dns runs namespace-scoped.

Fixes #ISSUE

Checklist

  • Unit tests updated
  • End user documentation updated

I thought about creating a dedicated role.yaml file first, but then I saw the disadvantage of maintaining two roles inside the helm chart.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 13, 2023
@stevehipwell
Contributor

This approach makes sense given the constraints. I'll review properly on a big screen in the morning.

Contributor

@stevehipwell stevehipwell left a comment


This looks good, but I have a couple of questions.

@jkroepke
Contributor Author

jkroepke commented Feb 14, 2023

I added a section about namespace-scoped installation. All sources that depend on namespace-scoped resources work in a namespace-scoped installation. Istio is a bit tricky here, because it depends on 2 namespace-scoped resources, but it would only work if both are in the same namespace.

I started with a quick table/support matrix, but I stopped. Most of the CRDs are namespace-scoped, like RouteGroups, Openshift Routes, VirtualServices, getambassador/ingress...

I guess the RBAC for nodes can still be gated, since the Node permissions are only needed if the annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is defined.

I only tested ingress objects; for the sources, I looked into the source code. Based on that, I have no idea why contour-httpproxy needs node permissions.
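
The namespace-scoped setup discussed in the comment above, sketched as plain RBAC manifests. This is an added illustration, not part of the PR and not the chart's rendered templates; the namespace `team-a` and the ServiceAccount name `external-dns` are placeholders, and the rule set assumes the ingress and service sources only.

```yaml
# Constructed example: names and namespace are placeholders.
# A Role (not a ClusterRole) limits external-dns to one namespace,
# which is all a tenant without cluster-admin rights can create.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-dns
  namespace: team-a
rules:
  # Read-only access to the namespaced objects the sources watch.
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # No rule for "nodes": Node is a cluster-scoped resource, so a Role
  # cannot grant it. Anything that needs node addresses (for example the
  # NodeExternalIP endpoints type) is unavailable in this mode.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: external-dns
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: external-dns
# The controller must also be told to stay inside the namespace, otherwise
# its cluster-wide list/watch calls are rejected by the API server:
#   args: ["--source=ingress", "--source=service", "--namespace=team-a"]
```

To confirm the boundary, `kubectl auth can-i list ingresses -n team-a --as=system:serviceaccount:team-a:external-dns` should answer `yes`, while `kubectl auth can-i list nodes --as=system:serviceaccount:team-a:external-dns` should answer `no`.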

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 14, 2023
@jkroepke jkroepke requested review from stevehipwell and removed request for seanmalloy February 14, 2023 14:23
@stevehipwell
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Feb 14, 2023
@stevehipwell
Contributor

/cc @njuettner (your name was on the last PR for the namespace feature)

@rahtr

rahtr commented Mar 29, 2023

Any updates on this? When can we merge it?

@stevehipwell
Contributor

@Raffo do you have any thoughts on this? It looks good to me and it'd make sense to get merged now and in the release I'm about to do if you're happy?

@stevehipwell
Contributor

/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Mar 30, 2023
@Raffo
Contributor

Raffo commented Mar 30, 2023

@stevehipwell this works for me, I don't have too many opinions on how the helm chart should be configured.

@Raffo
Contributor

Raffo commented Mar 30, 2023

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 30, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkroepke, Raffo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 30, 2023
@k8s-ci-robot k8s-ci-robot merged commit e4792ae into kubernetes-sigs:master Mar 30, 2023
3 checks passed
@jkroepke jkroepke deleted the namespaced branch March 30, 2023 08:55