Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added logic to watch all namespaces #38

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

Added logic to watch all namespaces #38

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c12998b
add optional value to watchAllNamespaces.
James-Newman Oct 13, 2021
c8d3b55
RoleBinding logic
James-Newman Oct 13, 2021
7207a9b
updated role determination logic
James-Newman Oct 13, 2021
a7f76de
Added helper role function call to the role yaml
orifici Oct 13, 2021
8d20a4a
Bugfixes
orifici Oct 13, 2021
d6ed764
README docs update
orifici Oct 13, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,3 +96,53 @@ $ kubectl delete crd workspaces.app.terraform.io
```

If the CRD is not updated correctly, you will not be able to create a Workspace Custom Resource.



### Helm Chart
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would skip this paragraph completely.


The Helm chart consists of several components. The Kubernetes configurations associated with the Helm chart are located under `crds/` and `templates/`.

#### Custom Resource Definition
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would skip this paragraph completely.


Helm starts by deploying the Custom Resource Definition for the Workspace. Custom Resource Definitions extend the Kubernetes API. It looks for definitions in the `crds/` of the chart.

The Custom Resource Definition under `crds/app.terraform.io_workspaces_crd.yaml` defines that the Workspace Custom Resource schema.

#### Role-Based Access Control
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would skip this paragraph completely.


In order to scope the operator to a namespace, Helm assigns a role and service account to the namespace. The role has access to Pods, Secrets, Services, and ConfigMaps. This configuration is located in `templates/`.

#### Namespace Scope

To ensure the operator does not have access to secrets or resource beyond the namespace, the Helm chart scopes the operator's deployment to a namespace.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line wrapping should be on 80 characters.


```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: terraform-k8s
spec:
# some sections omitted for clarity
template:
metadata:
labels:
name: terraform-k8s
spec:
serviceAccountName: terraform-k8s
containers:
- name: terraform-k8s
command:
- /bin/terraform-k8s
- "--k8s-watch-namespace=$(POD_NAMESPACE)"
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
```

When deploying, if you want to explicitly watch all namespaces,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line wrapping should be on 80 characters.

then you'll need to set `watchAllNamespaces: true`. Otherwise,
the default behaviour will be to watch the Release namespace or
the namespace provided in the `k8WatchNamespace` value.
11 changes: 11 additions & 0 deletions templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,3 +59,14 @@ Inject extra environment vars in the format key:value, if populated
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Define the kind of Role to use
*/}}
{{- define "terraform.getRole" -}}
{{- if .Values.syncWorkspace.watchAllNamespaces -}}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would change this to this:

{{/*
Define the kind of Role to use
*/}}
{{- define "terraform.getRole" -}}
  {{- if or .Values.syncWorkspace.watchAllNamespaces (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace)) }}
    {{- "ClusterRole" }}
  {{- else }}
    {{- "Role" }}
  {{- end }}
{{- end -}}

{{- "ClusterRole" -}}
{{- else -}}
{{- (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) -}}
{{- end -}}
{{- end -}}
2 changes: 2 additions & 0 deletions templates/sync-workspace-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,9 @@ spec:
- /bin/terraform-k8s
args:
- --enable-leader-election
{{- if not .Values.syncWorkspace.watchAllNamespaces }}
- --k8s-watch-namespace={{ default .Release.Namespace .Values.syncWorkspace.k8WatchNamespace}}
{{- end }}
{{- if .Values.syncWorkspace.logLevel }}
- --zap-log-level={{ .Values.syncWorkspace.logLevel }}
{{- end }}
Expand Down
3 changes: 1 addition & 2 deletions templates/sync-workspace-role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
{{- $syncEnabled := (or (and (ne (.Values.syncWorkspace.enabled | toString) "-") .Values.syncWorkspace.enabled) (and (eq (.Values.syncWorkspace.enabled | toString) "-") .Values.global.enabled)) }}
{{- if $syncEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
{{- $kind := (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) }}
kind: {{ $kind }}
kind: {{ template "terraform.getRole" . }}
metadata:
name: {{ template "terraform.fullname" . }}-sync-workspace
labels:
Expand Down
5 changes: 2 additions & 3 deletions templates/sync-workspace-rolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
{{- $syncEnabled := (or (and (ne (.Values.syncWorkspace.enabled | toString) "-") .Values.syncWorkspace.enabled) (and (eq (.Values.syncWorkspace.enabled | toString) "-") .Values.global.enabled)) }}
{{- if $syncEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
{{- $kind := (ternary "Role" "ClusterRole" (or (empty .Values.syncWorkspace.k8WatchNamespace) (eq (.Values.syncWorkspace.k8WatchNamespace | toString) .Release.Namespace))) }}
kind: {{ ternary "RoleBinding" "ClusterRoleBinding" (eq $kind "Role") }}
kind: {{ template "terraform.getRole" . }}Binding
metadata:
name: {{ template "terraform.fullname" . }}-sync-workspace
labels:
Expand All @@ -15,7 +14,7 @@ subjects:
name: {{ template "terraform.fullname" . }}-sync-workspace
namespace: {{ .Release.Namespace }}
roleRef:
kind: {{ $kind }}
kind: {{ template "terraform.getRole" . }}
name: {{ template "terraform.fullname" . }}-sync-workspace
apiGroup: rbac.authorization.k8s.io
{{- end }}
4 changes: 4 additions & 0 deletions values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ syncWorkspace:
# to the release namespace
k8WatchNamespace: null

# If true watchAllNamespaces will configure the operator to watch for workspace
# changes across all kubernetes namespaces.
watchAllNamespaces: false

# terraformVersion describes the version of Terraform to use for each workspace.
# If this is not set then it will default to the latest version of Terraform
# compiled with the operator.
Expand Down