GetInstalledPackageSummaries in fluxv2 plug-in #3228
Conversation
There was a problem hiding this comment.
Hi Greg.
I started going through this, but there's something fundamental that I'm not understanding which probably needs clarifying before I keep going: This is servicing a request for info about the installed packages (HelmRelease CRs). Now with Flux , AIUI, when a user installs a package (ie. creates a HelmRelease), flux creates the related HelmChart CR. So when we're servicing this request, we're returning info about the HelmReleases with possibly some extra info from the related HelmChart. But a lot of the code here seems to be catering for a scenario where the related HelmChart doesn't exist and creating it (temporarily), and I don't yet understand why we'd want to do that?
Thanks for any info.
| // see if we the chart already exists | ||
| // TODO (gfichtenholt): | ||
| // see https://github.com/kubeapps/kubeapps/pull/2915 | ||
| // for context. It'd be better if we could filter on server-side. The problem is the set of supported | ||
| // fields in FieldSelector is very small. things like "spec.chart" or "status.artifact.revision" are | ||
| // certainly not supported. | ||
| // see | ||
| // - kubernetes/client-go#713 and | ||
| // - https://github.com/flant/shell-operator/blob/8fa3c3b8cfeb1ddb37b070b7a871561fdffe788b///HOOKS.md#fieldselector and | ||
| // - https://github.com/kubernetes/kubernetes/issues/53459 |
There was a problem hiding this comment.
This is a duplicate of same detailed comment that was already mentioned above? Fine either way, just unsure why it's detailed twice in the same file.
| // TODO (gfichtenholt) | ||
| // 1. HelmChart object needs to be co-located in the same namespace as the HelmRepository it is referencing. | ||
| // 2. flux impersonates a "super" user when doing this (see fluxv2 plug-in specific notes at the end of | ||
| // design doc). We should probably be doing simething similar to avoid RBAC-related problems |
There was a problem hiding this comment.
FWIW, I don't think we'll ever include a cluster-admin service account with Kubeapps or a plugin - that's just too dangerous, as you can see from the flux proposal (that hasn't been accepted yet) which you linked to in the doc, about how they're trying to get out of that situation.
Helm itself used to do something similar, having tiller running in the cluster with crazy privileges that could be used to do exactly what they describe in the flux proposal... I'm quite surprised that they have cluster-admin as the default for the helm controller TBH, given the history.
Anyway, fine as is, as long as we're not wanting to deploy a kubeapps component with super privs.
So back to here: The user carrying out the request will need to have RBAC for whatever is done - currently it looks like you're creating the flux HelmChart CR explicitly. If that is necessary (see previous comment above as I'm not sure why it is if the HelmRelease already exists) we can document that as a requirement.
There was a problem hiding this comment.
+1. If you'd like me to word the comment a certain way, just say so.
There was a problem hiding this comment.
I think the comment is fine as a note - word it however you like :) I just don't think option 2 is something we should do (even flux seems to be backing away from it).
| // Delete the created helm chart regardless of success or failure. At the end of | ||
| // GetAvailablePackageDetail(), we've already collected the information we need, | ||
| // so why leave a flux chart chart object hanging around? | ||
| // Over time, they could accumulate to a very large number... |
There was a problem hiding this comment.
Yes. More generally it seems a bit icky to be creating them when they should exist if a HelmRelease already exists (and if not, I'm not sure we should be trying to provide the info). It seems analogous to the situation with normal helm, where if the user has deleted the AppRepository (ie. so kubeapps no longer has info about the related charts), we can't provide that info (such as upgrade info or latest version) and that's OK.
There was a problem hiding this comment.
GetAvailablePackageDetail() requires me to provide some info not available in the repo index file, like the chart readme/schema/values. For a chart that may not be installed at all. I can only get that if I have the chart tgz file, so that's the only reason I am doing it. I am open to other proposals, please.
There was a problem hiding this comment.
Yep, it makes sense for GetAvailablePackageDetail() - and given that's a singular request, the efficiency isn't an issue either. As above, I'd thought this PR was about GetInstalledPackageSummaries only as per the title, so when I saw these changes, assumed it must be for them.
| return url, nil, nil | ||
| } | ||
|
|
||
| // did not find the chart, need to create |
There was a problem hiding this comment.
I don't understand why we need to be creating a chart here at all. We're wanting to return information about the installed packages (ie. the HelmReleases). From what I've understood, if a user has created a HelmRelease CR, then the helm-controller would have created the related HelmChart for that release, so it should exist. If it doesn't, because the user has manually deleted it or whatever, then the best we can do is return the info about the installed package that we have (ie. the info from the HelmRelease).
Or what reason do you see here for a HelmRelease without the corresponding HelmChart?
There was a problem hiding this comment.
no, this is a different use case - GetAvailablePackageDetail()
There was a problem hiding this comment.
Ah - ok. I assumed this PR was just about GetInstalledPackageSummaries . Great, I'll finish going through the PR tomorrow.
| return "", err, nil | ||
| } else if url != "" { | ||
| return url, nil, nil | ||
| } |
There was a problem hiding this comment.
I'm probably missing something, but I think we should just be doing
return url, nil, nil
here, regardless. More below.
There was a problem hiding this comment.
So ignore the above - this was because I thought the fn was part of your work for GetInstalledPackageSummaries - but you pointed out it's just refactoring for the existing GetAvailablePackage... fns.
Hi Michael, |
| return url, nil, nil | ||
| } | ||
|
|
||
| // did not find the chart, need to create |
There was a problem hiding this comment.
Ah - ok. I assumed this PR was just about GetInstalledPackageSummaries . Great, I'll finish going through the PR tomorrow.
| // TODO (gfichtenholt) | ||
| // 1. HelmChart object needs to be co-located in the same namespace as the HelmRepository it is referencing. | ||
| // 2. flux impersonates a "super" user when doing this (see fluxv2 plug-in specific notes at the end of | ||
| // design doc). We should probably be doing simething similar to avoid RBAC-related problems |
There was a problem hiding this comment.
I think the comment is fine as a note - word it however you like :) I just don't think option 2 is something we should do (even flux seems to be backing away from it).
| // Delete the created helm chart regardless of success or failure. At the end of | ||
| // GetAvailablePackageDetail(), we've already collected the information we need, | ||
| // so why leave a flux chart chart object hanging around? | ||
| // Over time, they could accumulate to a very large number... |
There was a problem hiding this comment.
Yep, it makes sense for GetAvailablePackageDetail() - and given that's a singular request, the efficiency isn't an issue either. As above, I'd thought this PR was about GetInstalledPackageSummaries only as per the title, so when I saw these changes, assumed it must be for them.
| return "", err, nil | ||
| } else if url != "" { | ||
| return url, nil, nil | ||
| } |
There was a problem hiding this comment.
So ignore the above - this was because I thought the fn was part of your work for GetInstalledPackageSummaries - but you pointed out it's just refactoring for the existing GetAvailablePackage... fns.
thank you |
Adds GetInstalledPackageSummaries() functionality to fluxv2 plug-in. Unit tests included