-
Notifications
You must be signed in to change notification settings - Fork 702
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GetInstalledPackageSummaries in fluxv2 plug-in #3228
GetInstalledPackageSummaries in fluxv2 plug-in #3228
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Greg.
I started going through this, but there's something fundamental that I'm not understanding which probably needs clarifying before I keep going: This is servicing a request for info about the installed packages (HelmRelease
CRs). Now with Flux , AIUI, when a user installs a package (ie. creates a HelmRelease
), flux creates the related HelmChart
CR. So when we're servicing this request, we're returning info about the HelmReleases
with possibly some extra info from the related HelmChart
. But a lot of the code here seems to be catering for a scenario where the related HelmChart
doesn't exist and creating it (temporarily), and I don't yet understand why we'd want to do that?
Thanks for any info.
// see if we the chart already exists | ||
// TODO (gfichtenholt): | ||
// see https://github.com/kubeapps/kubeapps/pull/2915 | ||
// for context. It'd be better if we could filter on server-side. The problem is the set of supported | ||
// fields in FieldSelector is very small. things like "spec.chart" or "status.artifact.revision" are | ||
// certainly not supported. | ||
// see | ||
// - kubernetes/client-go#713 and | ||
// - https://github.com/flant/shell-operator/blob/8fa3c3b8cfeb1ddb37b070b7a871561fdffe788b///HOOKS.md#fieldselector and | ||
// - https://github.com/kubernetes/kubernetes/issues/53459 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a duplicate of same detailed comment that was already mentioned above? Fine either way, just unsure why it's detailed twice in the same file.
// TODO (gfichtenholt) | ||
// 1. HelmChart object needs to be co-located in the same namespace as the HelmRepository it is referencing. | ||
// 2. flux impersonates a "super" user when doing this (see fluxv2 plug-in specific notes at the end of | ||
// design doc). We should probably be doing simething similar to avoid RBAC-related problems |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, I don't think we'll ever include a cluster-admin
service account with Kubeapps or a plugin - that's just too dangerous, as you can see from the flux proposal (that hasn't been accepted yet) which you linked to in the doc, about how they're trying to get out of that situation.
Helm itself used to do something similar, having tiller
running in the cluster with crazy privileges that could be used to do exactly what they describe in the flux proposal... I'm quite surprised that they have cluster-admin
as the default for the helm controller TBH, given the history.
Anyway, fine as is, as long as we're not wanting to deploy a kubeapps component with super privs.
So back to here: The user carrying out the request will need to have RBAC for whatever is done - currently it looks like you're creating the flux HelmChart CR explicitly. If that is necessary (see previous comment above as I'm not sure why it is if the HelmRelease already exists) we can document that as a requirement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1. If you'd like me to word the comment a certain way, just say so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the comment is fine as a note - word it however you like :) I just don't think option 2 is something we should do (even flux seems to be backing away from it).
// Delete the created helm chart regardless of success or failure. At the end of | ||
// GetAvailablePackageDetail(), we've already collected the information we need, | ||
// so why leave a flux chart chart object hanging around? | ||
// Over time, they could accumulate to a very large number... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. More generally it seems a bit icky to be creating them when they should exist if a HelmRelease already exists (and if not, I'm not sure we should be trying to provide the info). It seems analogous to the situation with normal helm, where if the user has deleted the AppRepository (ie. so kubeapps no longer has info about the related charts), we can't provide that info (such as upgrade info or latest version) and that's OK.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GetAvailablePackageDetail() requires me to provide some info not available in the repo index file, like the chart readme/schema/values. For a chart that may not be installed at all. I can only get that if I have the chart tgz file, so that's the only reason I am doing it. I am open to other proposals, please.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, it makes sense for GetAvailablePackageDetail() - and given that's a singular request, the efficiency isn't an issue either. As above, I'd thought this PR was about GetInstalledPackageSummaries only as per the title, so when I saw these changes, assumed it must be for them.
return url, nil, nil | ||
} | ||
|
||
// did not find the chart, need to create |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand why we need to be creating a chart here at all. We're wanting to return information about the installed packages (ie. the HelmReleases). From what I've understood, if a user has created a HelmRelease
CR, then the helm-controller would have created the related HelmChart
for that release, so it should exist. If it doesn't, because the user has manually deleted it or whatever, then the best we can do is return the info about the installed package that we have (ie. the info from the HelmRelease).
Or what reason do you see here for a HelmRelease without the corresponding HelmChart?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no, this is a different use case - GetAvailablePackageDetail()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah - ok. I assumed this PR was just about GetInstalledPackageSummaries . Great, I'll finish going through the PR tomorrow.
return "", err, nil | ||
} else if url != "" { | ||
return url, nil, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm probably missing something, but I think we should just be doing
return url, nil, nil
here, regardless. More below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So ignore the above - this was because I thought the fn was part of your work for GetInstalledPackageSummaries - but you pointed out it's just refactoring for the existing GetAvailablePackage... fns.
Hi Michael, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, thanks for the info (that lots of the changes in this PR are about GetAvailablePackageDetail, not GetInstalledPackageSummaries). I'll finish it tomorrow then :)
return url, nil, nil | ||
} | ||
|
||
// did not find the chart, need to create |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah - ok. I assumed this PR was just about GetInstalledPackageSummaries . Great, I'll finish going through the PR tomorrow.
// TODO (gfichtenholt) | ||
// 1. HelmChart object needs to be co-located in the same namespace as the HelmRepository it is referencing. | ||
// 2. flux impersonates a "super" user when doing this (see fluxv2 plug-in specific notes at the end of | ||
// design doc). We should probably be doing simething similar to avoid RBAC-related problems |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the comment is fine as a note - word it however you like :) I just don't think option 2 is something we should do (even flux seems to be backing away from it).
// Delete the created helm chart regardless of success or failure. At the end of | ||
// GetAvailablePackageDetail(), we've already collected the information we need, | ||
// so why leave a flux chart chart object hanging around? | ||
// Over time, they could accumulate to a very large number... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, it makes sense for GetAvailablePackageDetail() - and given that's a singular request, the efficiency isn't an issue either. As above, I'd thought this PR was about GetInstalledPackageSummaries only as per the title, so when I saw these changes, assumed it must be for them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, thanks Greg.
return "", err, nil | ||
} else if url != "" { | ||
return url, nil, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So ignore the above - this was because I thought the fn was part of your work for GetInstalledPackageSummaries - but you pointed out it's just refactoring for the existing GetAvailablePackage... fns.
thank you |
Adds GetInstalledPackageSummaries() functionality to fluxv2 plug-in. Unit tests included