feat: support additional resources across tenant namespaces
This attempts to address projectcapsule#525 which is related to projectcapsule#416.

problem this commit is trying to solve
----

```
Alice would like to create several resources on each of their Namespaces.
Upon the creation of each Namespace, they have to create the desired resources on each Namespace
```

On the above linked tickets there are two proposed approaches.

approach 01
----

Create a new resource `TenantResource`, something like this:

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: TenantResource
metadata:
  name: database
  namespace: solar-management
spec:
  resyncPeriod: 60s
  additionalResources:
    namespaceSelector:
      matchLabels:
        tier: one
    items:
      - apiVersion: presslabs.io/v1beta1
        kind: MySQL
        spec:
          foo: bar
  clusterRoles:
    namespaceSelector:
      matchLabels:
        tier: one
    items:
      - name: database-admin
        subjects:
          - kind: Group
            name: developers
```

approach 02
----

Extend `Tenant` to support additional resources:

```yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: gas
spec:
  additionalResources:
    - apiVersion: "cilium.io/v2"
      kind: CiliumNetworkPolicy
      metadata:
        name: "l3-rule"
      spec:
        endpointSelector:
          matchLabels:
            role: backend
        ingress:
          - fromEndpoints:
              - matchLabels:
                  role: frontend
```

This commit implements approach `02` for the following reason:

- The namespaces already belong to the tenant; an extra `TenantResource` seems redundant given that the lifecycle of the additional resources is tied to the `Tenant`.

What does the CRD look like now?
----

```yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: oil
spec:
  resyncPeriod: 60s
  additionalResources:
    namespaceSelector:
      matchLabels:
        tier: one
    items:
      - |
        apiVersion: v1
        kind: Pod
        metadata:
          name: nginx
          labels:
            app.kubernetes.io/name: proxy
        spec:
          containers:
            - name: nginx
              image: nginx:11.14.2
              ports:
                - containerPort: 80
                  name: http-web-svc
      - |
        apiVersion: v1
        kind: Service
        metadata:
          name: nginx-service
          labels:
            app.kubernetes.io/name: proxy
        spec:
          selector:
            app.kubernetes.io/name: proxy
          ports:
            - name: name-of-service-port
              protocol: TCP
              port: 80
              targetPort: http-web-svc
  owners:
    - name: alice
      kind: User
```

The difference from the proposed CRD is that `items` are strings of k8s objects in YAML format. I ran into decoding issues when I tried to use `Unstructured`, so I decided to settle on strings instead.

How it works
----

We search for namespaces specified by `namespaceSelector` that are owned by the tenant. For each matched namespace, apply all resources specified in `additionalResources.items`. On any error, reschedule the next reconciliation after `resyncPeriod`.

What is missing?
----

- [ ] Tests
- [ ] What happens when a tenant is deleted?
- [ ] Does `additionalRoleBindings` cover the `clusterRoles` defined in approach 01?

I will wait for feedback/discussion on how to proceed from here.
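An added example, not part of this commit or of the Capsule code base, that sketches the reconciliation the message describes in plain Go with no Kubernetes dependencies: it keeps only namespaces that are both owned by the tenant and matched by `namespaceSelector`, applies each `items` manifest to each of them, records and skips failures, and asks for a requeue after `resyncPeriod` when anything failed. The `Namespace`, `AdditionalResources` and `ApplyFunc` types, the `rejectKind` fake applier and the sample namespaces and spec are assumptions constructed for the example; `kindOf` is a line scan used only to label results and is not a YAML decoder.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Namespace is a minimal stand-in for the fields the loop consults (assumed shape, not Capsule's type).
type Namespace struct {
	Name        string
	Labels      map[string]string
	OwnerTenant string // tenant that owns the namespace (constructed field)
}

// AdditionalResources mirrors the commit's spec: a matchLabels selector plus YAML manifests as strings.
type AdditionalResources struct {
	NamespaceSelector map[string]string
	Items             []string
}

// ApplyFunc stands in for the client call that applies a manifest in a namespace.
type ApplyFunc func(namespace, manifest string) error
// matchesSelector implements matchLabels: every selector key/value must be on the namespace.
func matchesSelector(labels, matchLabels map[string]string) bool {
	for k, v := range matchLabels {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true // an empty selector matches everything
}

// selectNamespaces keeps namespaces that are BOTH owned by the tenant and match the selector.
// The ownership check is the tenancy boundary: a selector alone could match other tenants' namespaces.
func selectNamespaces(tenant string, all []Namespace, matchLabels map[string]string) []Namespace {
	var out []Namespace
	for _, ns := range all {
		if ns.OwnerTenant == tenant && matchesSelector(ns.Labels, matchLabels) {
			out = append(out, ns)
		}
	}
	return out
}
// kindOf reads the `kind:` line of a manifest for reporting (a line scan, not a YAML parser).
func kindOf(manifest string) string {
	for _, line := range strings.Split(manifest, "\n") {
		if t := strings.TrimSpace(line); strings.HasPrefix(t, "kind:") {
			return strings.TrimSpace(strings.TrimPrefix(t, "kind:"))
		}
	}
	return "Unknown"
}

// reconcileAdditionalResources applies every item to every selected namespace and returns the
// "namespace/Kind" targets applied; a failing item is skipped, and any failure requeues after resync.
func reconcileAdditionalResources(tenant string, all []Namespace, spec AdditionalResources, resync time.Duration, apply ApplyFunc) (applied []string, requeue time.Duration, err error) {
	var failures []string
	for _, ns := range selectNamespaces(tenant, all, spec.NamespaceSelector) {
		for _, item := range spec.Items {
			target := ns.Name + "/" + kindOf(item)
			if e := apply(ns.Name, item); e != nil {
				failures = append(failures, target+": "+e.Error())
				continue
			}
			applied = append(applied, target)
		}
	}
	if len(failures) > 0 {
		return applied, resync, errors.New(strings.Join(failures, "; "))
	}
	return applied, 0, nil
}

// rejectKind builds a constructed fake applier that fails for one kind and accepts the rest.
func rejectKind(kind string) ApplyFunc {
	return func(namespace, manifest string) error {
		if kindOf(manifest) == kind {
			return errors.New(kind + " is not permitted in " + namespace)
		}
		return nil
	}
}

// Constructed input: "oil" owns two namespaces (one in tier "one"); "gas" owns a tier "one" one.
var sampleNamespaces = []Namespace{
	{Name: "oil-dev", Labels: map[string]string{"tier": "one"}, OwnerTenant: "oil"},
	{Name: "oil-prod", Labels: map[string]string{"tier": "two"}, OwnerTenant: "oil"},
	{Name: "gas-dev", Labels: map[string]string{"tier": "one"}, OwnerTenant: "gas"},
}

// Constructed spec in the shape of the commit's `additionalResources`.
var sampleSpec = AdditionalResources{
	NamespaceSelector: map[string]string{"tier": "one"},
	Items:             []string{"apiVersion: v1\nkind: Pod\n", "apiVersion: v1\nkind: Service\n"},
}

func main() { fmt.Println(reconcileAdditionalResources("oil", sampleNamespaces, sampleSpec, 60*time.Second, rejectKind("Pod"))) }
```

With the sample input, `gas-dev` matches `tier: one` but is never touched because it is not owned by `oil`; that AND between ownership and selector is what keeps one tenant's `additionalResources` from landing in another tenant's namespaces. The example goes slightly beyond the message in one respect: when an item fails it continues with the remaining items and reports all failures together, rather than stopping at the first error, so a single bad manifest cannot starve the others of their resync.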