🐛 (helm/v1-alpha): Use namePrefix from config/default/kustomization.yaml as prefix for RBAC rules and project name only if this value cannot be found. #4571
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
k8s-ci-robot
added
the
size/M
|
HI @mkarlheim Could you please check this one? |
camilamacedo86
force-pushed
the
use-prefix-name
branch
2 times, most recently
from
03a08a9 to
8775274
Compare
camilamacedo86
changed the title
camilamacedo86
changed the title
camilamacedo86
force-pushed
the
use-prefix-name
branch
from
8775274 to
e1b8916
Compare
camilamacedo86
force-pushed
the
use-prefix-name
branch
from
e1b8916 to
bc1f6dc
Compare
Awesome, thanks! I'll try to do it shortly. |
|
Hi @camilamacedo86, using the namePrefix by default and the project name as fallback is an improvement, but the core issue still exists in my opinion:
So these generated ClusterRoles are not considered with adding a prefix at all. There must be something like a regex replace like |
|
Hi @mkarlheim
When you change your project you need to re-run the helm plugin Also, ensure that you run |
k8s-ci-robot
added
the
do-not-merge/hold
|
Closing because I think we will need to fix it another way, by changing the scaffolds and adding a prefix in the chart values instead. |
k8s-ci-robot
added
the
needs-rebase
camilamacedo86
force-pushed
the
use-prefix-name
branch
from
bc1f6dc to
c13a625
Compare
k8s-ci-robot
added
size/L
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
Hi @mkarlheim Can you please verify this one now? However, ultimately, we will need to change the Helm plugin implementation to generate the chart from the kustomize install, using YAML instead. See; #4833 |
camilamacedo86
force-pushed
the
use-prefix-name
branch
from
c13a625 to
faa9608
Compare
k8s-ci-robot
added
the
needs-rebase
…l as prefix for RBAC rules and project name only if this value cannot be found.
camilamacedo86
force-pushed
the
use-prefix-name
branch
from
faa9608 to
c7f409d
Compare
k8s-ci-robot
removed
the
needs-rebase
|
/test pull-kubebuilder-e2e-k8s-1-33-0 |
There was a problem hiding this comment.
Hi @camilamacedo86,
many thanks for your efforts!
Unfortunately, it is still not the expected behaviour. All roles that are created with the Kustomize/v2 plugin, don't have a prefix in their generated yaml by default.
All the roles are prefixed in the moment when the Kustomize build (make build-installer) is executed as you described in #4833.
The function copyFileWithHelmLogic only considers the roles with fixed names like the metrics, election and leader roles, but not the crd-roles (admin, editor, viewer). The name of these roles is not fixed as it contains resource group and kind (in multgroup projects).
I was also thinking about using the Kustomize build output as the base for the Helm chart generation, as this would adress the issue with the namePrefix.
Another argument for your proposal would be:
In the config/rbac/kustomization.yaml there is a comment saying You can comment the following lines if you do not want those helpers be installed with your Project. Those types of changes wouldn't be considered as well, if someone commented out some roles (e.g.). Using the Kustomize build output as base for the Helm chart generation would also address those types of changes.
Best
Michael
|
Hi @mkarlheim Thank you a lot for your time on this review 👍
But what we are doing here is ONLY doing what is done with kutomize I think we need to modify one of the samples scenarios and add a test for it.
OK, we need to add a code to cover those 👍
OK. Good point for we recheck 👍
That seems the best way to move forward with the helm plugin. /hold until check the points above |
Closes: #4566