openshift-ingress: Change namespace and permissions #16
Conversation
Move the "cloud-credentials" secret from the operand namespace ("openshift-ingress") to the operator namespace ("openshift-ingress-operator"): The operator already has permission to read secrets in its own namespace, but not from its operands', and the "cloud-credentials" secret is an input to the operator, not an operand, so having the secret in the operator's namespace simplifies RBAC and is more consistent with how we place other resources related to the operator.

Refine the set of permissions for cluster-ingress-operator: The operator needs to be able to look up Route 53 zones using the ListHostedZones and GetResources APIs, list load balancers using DescribeLoadBalancers, update hosted zones using the ChangeResourceRecordSets API, and nothing else.

This commit is related to NE-140.

https://jira.coreos.com/browse/NE-140

* manifests/03-cred-openshift-ingress.yaml: Change the namespace for the secret from "openshift-ingress" to "openshift-ingress-operator". Update the permissions to be exactly what cluster-ingress-operator needs.
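The commit message above states the intent in two parts: the secret must land in the operator's own namespace, and the AWS grant must cover exactly four API calls "and nothing else". The check below is an added example, not code from this PR or from cloud-credential-operator: it audits a CredentialsRequest-shaped document against that intent and reports any drift. The document shape (`spec.secretRef`, `spec.providerSpec.statementEntries`) follows the CredentialsRequest API as I understand it, the sample manifests are constructed here (the "before" is an invented over-broad grant used only to exercise the check, not the PR's original content), and the IAM service prefixes (`route53:`, `tag:`, `elasticloadbalancing:`) are my mapping of the API names the commit lists.

```python
"""Least-privilege audit for a CredentialsRequest-style permission set.

Added example, not code from cloud-credential-operator. The manifest shape
(secretRef / providerSpec.statementEntries) follows the CredentialsRequest API
as I understand it; the sample documents below are constructed; the IAM service
prefixes are my mapping of the API names named in the commit message.
"""
from __future__ import annotations

OPERATOR_NAMESPACE = "openshift-ingress-operator"
SECRET_NAME = "cloud-credentials"

# The four actions the commit message says the operator needs, and nothing else.
REQUIRED_ACTIONS = frozenset({
    "route53:ListHostedZones",
    "route53:ChangeResourceRecordSets",
    "tag:GetResources",
    "elasticloadbalancing:DescribeLoadBalancers",
})


def granted_actions(manifest: dict) -> set[str]:
    """Collect every action granted by an Allow statement entry.

    Wildcards such as "route53:*" are kept verbatim so that the audit flags them
    as excess instead of silently treating them as covering the required set.
    """
    actions: set[str] = set()
    for entry in manifest["spec"]["providerSpec"]["statementEntries"]:
        if entry.get("effect", "Allow") != "Allow":
            continue
        actions.update(entry["action"])
    return actions


def audit(manifest: dict) -> list[str]:
    """Return findings as strings; an empty list means the manifest matches intent."""
    findings: list[str] = []

    # 1. The secret is an input to the operator, so it belongs in the operator namespace.
    ref = manifest["spec"]["secretRef"]
    if ref["namespace"] != OPERATOR_NAMESPACE:
        findings.append(
            f"secret {ref['name']!r} lands in {ref['namespace']!r}, "
            f"expected {OPERATOR_NAMESPACE!r}"
        )

    # 2. The grant must be exactly the required set: no extra actions, none missing.
    granted = granted_actions(manifest)
    for action in sorted(granted - REQUIRED_ACTIONS):
        findings.append(f"excess permission: {action}")
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing permission: {action}")
    return findings


def make_manifest(namespace: str, actions: list[str]) -> dict:
    """Build a constructed CredentialsRequest-shaped document for the audit."""
    return {
        "apiVersion": "cloudcredential.openshift.io/v1",
        "kind": "CredentialsRequest",
        "metadata": {"name": "openshift-ingress"},
        "spec": {
            "secretRef": {"name": SECRET_NAME, "namespace": namespace},
            "providerSpec": {
                "apiVersion": "cloudcredential.openshift.io/v1",
                "kind": "AWSProviderSpec",
                "statementEntries": [
                    {"effect": "Allow", "action": list(actions), "resource": "*"},
                ],
            },
        },
    }


# Constructed "before": secret in the operand namespace and an over-broad grant.
# This is an invented input for the check, not what the PR actually replaced.
BEFORE = make_manifest(
    "openshift-ingress",
    ["route53:*", "elasticloadbalancing:Describe*", "tag:GetResources"],
)

# Constructed "after": the state the commit message describes.
AFTER = make_manifest(OPERATOR_NAMESPACE, sorted(REQUIRED_ACTIONS))


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        findings = audit(doc)
        print(f"{label}: {'OK' if not findings else ''}")
        for line in findings:
            print(f"  - {line}")
```

Run as a script it lists the namespace drift and the wildcard grants in the constructed "before" and reports the "after" as clean. The point of keeping wildcards verbatim is that `route53:*` does satisfy `ListHostedZones` at runtime, but a least-privilege review wants it surfaced as excess rather than accepted as equivalent.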
db6e45e to b78cbd6
/retest
/lgtm

Thanks Miciah! Look good to you @ironcladlou?

/hold
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dgoodwin, Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
@dgoodwin @Miciah looks fine to me in theory, but since openshift/origin#21617 is still pending we have no automated regression testing. Does this sequence make sense:

Future changes to cloud-credentials-operator which could impact ingress DNS management should then be tested via e2e-aws.
Sounds good to me. Just cancel the hold when you're ready.

@ironcladlou, your plan looks fine.

/hold cancel