Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jsonnet/prometheus: configure permissions #74

Merged
merged 2 commits into from Nov 1, 2018
Merged

jsonnet/prometheus: configure permissions #74

merged 2 commits into from Nov 1, 2018

Conversation

s-urbaniak
Copy link
Contributor

This enables permissions (subject access review as well as delegate URLs)
to be configured using saas hurder template variables.

cc @squat

@openshift-ci-robot openshift-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 1, 2018
brancz
brancz reviewed Nov 1, 2018
View reviewed changes
manifests/prometheus/list.yaml Outdated
"namespace": "telemeter-production"}'
- name: OPENSHIFT_DELEGATE_URLS
value: '{"/": {"resource": "namespaces", "verb": "get", "resourceName": "telemeter-production",
"namespace": "telemeter-production"}}'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it really need to be that specifically configurable? Why not just use the namespace and template it into the SubjectAccessReview?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was just "on suspicion" to have a broad configurability. We can reduce it to namespace only 👍

squat
squat reviewed Nov 1, 2018
View reviewed changes
jsonnet/telemeter/prometheus/kubernetes/kubernetes.libsonnet Outdated
@@ -20,6 +20,8 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
rules: { groups: [] },
htpasswdAuth: '',
sessionSecret: '',
sar: '{"resource": "namespaces", "verb": "get", "resourceName": "telemeter-production", "namespace": "telemeter-production"}',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this seems like a bit too much configurability here. I think we can optimize for our actual expected use case :), since we know how it is intended to be deployed. Anyone wild enough to use and want more configurability power this can import the jsonnet and use additional mixins to modify the generated manifests

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack, see #74 (comment)

squat
squat reviewed Nov 1, 2018
View reviewed changes
jsonnet/telemeter/prometheus/kubernetes/kubernetes.libsonnet Outdated
@@ -20,6 +20,8 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
rules: { groups: [] },
htpasswdAuth: '',
sessionSecret: '',
sar: '{"resource": "namespaces", "verb": "get", "resourceName": "telemeter-production", "namespace": "telemeter-production"}',
Copy link
Contributor

@squat squat Nov 1, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

currently $._config.namespace defaults to telemeter and has one config variable, but the SAR uses telemeter-production as the target namespace. Rather than having to configure both $._config.namespace as well as the SAR so that the namespaces match, the SAR should inherit the namespace to which the object is deployed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, that's indeed a good idea

@s-urbaniak
jsonnet/prometheus: configure permissions
5e23aa9 
This enables permissions (subject access review as well as delegate
URLs) to be configured using saas hurder template variables.
@s-urbaniak
jsonnet: regenerate
38c9344
@s-urbaniak
Copy link
Contributor Author

@brancz @squat addressed comments, PTAL

@brancz
Copy link
Contributor

brancz commented Nov 1, 2018

Looks good. Giving @squat the last call.

@squat
Copy link
Contributor

squat commented Nov 1, 2018

much better

@squat
Copy link
Contributor

squat commented Nov 1, 2018

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 1, 2018
@openshift-merge-robot openshift-merge-robot merged commit d54be56 into openshift:master Nov 1, 2018
@s-urbaniak s-urbaniak deleted the prom-perms branch November 1, 2018 13:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brancz brancz brancz left review comments

@squat squat squat left review comments

@mxinden mxinden Awaiting requested review from mxinden

Assignees

@squat squat

Labels
lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@s-urbaniak @brancz @squat @openshift-ci-robot @openshift-merge-robot