
Allow multi namespace cache scoping #1341

Merged (1 commit), May 3, 2023

Conversation

ActuallyTrent
Contributor

Note to reviewers: remember to look at the commits in this PR and consider if they can be squashed

Summary Of Changes

Allows scoping the cache namespace to more than 1 namespace if OPERATOR_SCOPE_NAMESPACE is a comma-delimited list.

Additional Context

If someone needed to configure their RBAC with non-cluster roles and rolebindings they would be unable to run the operator. This project requires access to a lot of resources and not everyone's security stance allows for using clusterroles.

Without providing OPERATOR_SCOPE_NAMESPACE and using Role instead of ClusterRole, you get errors such as:

failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:rabbit:rabbit-cluster-operator" cannot list resource "configmaps" in API group "" at the cluster scope

and a similar error if a resource is added in a namespace not covered by OPERATOR_SCOPE_NAMESPACE.

Without this change, it's only possible to scope the cache to a single namespace, and this allows for scoping to a list of namespaces.

Local Testing

Please ensure you run the unit, integration and system tests before approving the PR.

To run the unit and integration tests:

$ make unit-tests integration-tests

You will need to target a k8s cluster and have the operator deployed for running the system tests.

For example, for a Kubernetes context named dev-bunny:

$ kubectx dev-bunny
$ make destroy deploy-dev
# wait for operator to be deployed
$ make system-tests

@Zerpet
Collaborator

Zerpet commented May 3, 2023

Verified the new behaviour, working as expected. I did the following:

  1. Create NS rabbit-1 and rabbit-2
  2. Modify RBAC to use Role and RoleBinding, instead of the Cluster* variants
  3. Deployed RBACs to NS rabbit-1 and rabbit-2
  4. Started Operator using:
    make just-run OPERATOR_SCOPE_NAMESPACE="rabbit-1,rabbit-2"
  5. Created a RabbitmqCluster object in NS rabbit-1
  6. Observe the Operator reconcile with no errors
  7. Created a RabbitmqCluster in default NS
  8. Observe the Operator does not reconcile the object
  9. Created a RabbitmqCluster in NS rabbit-2
  10. Observe the Operator reconcile the object
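The two things the PR description and the verification steps above rely on are (a) splitting OPERATOR_SCOPE_NAMESPACE on commas into a set of watched namespaces and (b) the resulting decision of whether an object in a given namespace is reconciled at all. The following Go program is an added illustration of that logic, not the operator's own code: it parses the variable, models the scope, and replays the manual check from the comment (rabbit-1 and rabbit-2 in scope, default not). The wiring into controller-runtime's cache is project-specific and deliberately left out; the treatment of an empty value as cluster-wide, the whitespace trimming and the de-duplication are this example's assumptions.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// ParseScopeNamespaces turns the raw OPERATOR_SCOPE_NAMESPACE value into the
// list of namespaces to watch. Entries are comma separated; surrounding
// whitespace is dropped and duplicates are collapsed, keeping first-seen order.
// An empty result is taken to mean "cluster-wide" (an assumption of this
// example, not something the PR page states).
func ParseScopeNamespaces(raw string) []string {
	seen := map[string]struct{}{}
	var out []string
	for _, part := range strings.Split(raw, ",") {
		ns := strings.TrimSpace(part)
		if ns == "" {
			continue // tolerate a trailing comma or stray spaces
		}
		if _, dup := seen[ns]; dup {
			continue
		}
		seen[ns] = struct{}{}
		out = append(out, ns)
	}
	return out
}

// Scope is the resolved watch scope: an empty set means every namespace.
type Scope struct {
	namespaces map[string]struct{}
}

// NewScope builds a Scope from the parsed namespace list.
func NewScope(nss []string) Scope {
	s := Scope{namespaces: make(map[string]struct{}, len(nss))}
	for _, ns := range nss {
		s.namespaces[ns] = struct{}{}
	}
	return s
}

// ClusterWide reports whether the cache would list across all namespaces,
// which is exactly the case that needs a ClusterRole rather than per-namespace
// Roles (the "configmaps is forbidden ... at the cluster scope" error above).
func (s Scope) ClusterWide() bool { return len(s.namespaces) == 0 }

// Watches reports whether an object living in namespace ns falls inside the
// scope, i.e. whether the operator would reconcile it.
func (s Scope) Watches(ns string) bool {
	if s.ClusterWide() {
		return true
	}
	_, ok := s.namespaces[ns]
	return ok
}

// RoleBindingNamespaces lists, sorted, the namespaces that each need a Role
// and RoleBinding for the operator's service account when running namespaced.
func (s Scope) RoleBindingNamespaces() []string {
	out := make([]string, 0, len(s.namespaces))
	for ns := range s.namespaces {
		out = append(out, ns)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Mirrors the manual verification in the review comment: rabbit-1 and
	// rabbit-2 are in scope, default is not.
	raw := os.Getenv("OPERATOR_SCOPE_NAMESPACE")
	if raw == "" {
		raw = "rabbit-1,rabbit-2" // constructed default for the demo
	}
	scope := NewScope(ParseScopeNamespaces(raw))
	for _, ns := range []string{"rabbit-1", "default", "rabbit-2"} {
		fmt.Printf("RabbitmqCluster in %-8s -> reconcile: %v\n", ns, scope.Watches(ns))
	}
	fmt.Printf("needs ClusterRole: %v\n", scope.ClusterWide())
	fmt.Printf("Role+RoleBinding needed in: %v\n", scope.RoleBindingNamespaces())
}
```

Run with OPERATOR_SCOPE_NAMESPACE="rabbit-1,rabbit-2" to reproduce the three outcomes from the verification steps. The ClusterWide/RoleBindingNamespaces split is the part worth keeping in a real deployment check: it makes explicit which RBAC objects the chosen scope actually requires, so a namespaced deployment can be audited against the set of Roles and RoleBindings that were applied instead of falling back to a ClusterRole.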

@Zerpet
Collaborator

Zerpet commented May 3, 2023

The CI failure seems unrelated to this PR. I suspect it is failing because the PR is coming from a fork, and GitHub Secrets are not injected in forks, based on this message:

By default, secrets are not passed to workflows triggered from forks [...]

@Zerpet Zerpet merged commit 04b13aa into rabbitmq:main May 3, 2023
9 of 10 checks passed
Zerpet added a commit to rabbitmq/rabbitmq-website that referenced this pull request May 8, 2023
- Document feature introduced by rabbitmq/cluster-operator/pull/1341
- Formatting to avoid long lines. No effect on rendering
- Document missing variables related to leader electio

Signed-off-by: Aitor Perez Cedres <acedres@vmware.com>