Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Profiles CRD toggle #696

Merged
merged 2 commits into from
Nov 4, 2020
Merged

Profiles CRD toggle #696

merged 2 commits into from
Nov 4, 2020

Conversation

alexellis
Copy link
Member

@alexellis alexellis commented Nov 3, 2020

Signed-off-by: Alex Ellis (OpenFaaS Ltd) [email protected]

Description

Profiles CRD toggle

Motivation and Context

Introduces a toggle for creating the Profiles CRD. This is
to help users overcome #686

The main use-case is for users who are installing within a
restrictive environment, where they cannot create CRDs, but
rely on an administrator to take on this role.

Makes a breaking change where "createCRDs" controls whether
any CRDs are created. This is on by default. Existing users
must take note when upgrading.

How Has This Been Tested?

Perhaps some users would like to test?

createCRDs: false gave no CRDs in the cluster

createCRDs: true gave: profiles.openfaas.com

createCRDs: true with operator.create: true gave functions.openfaas.com and profiles.openfaas.com

createCRDs has been made "true" in the values.yaml file

Introduces a toggle for creating the Profiles CRD. This is
to help users overcome #686

Makes a breaking change where "createCRDs" controls whether
any CRDs are created. This is on by default. Existing users
must take note when upgrading.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
@alexellis alexellis force-pushed the openfaasltd/profiles-toggle branch from 1f56bdf to 08ffc57 Compare November 3, 2020 20:40
@alexellis
Copy link
Member Author

This solution is similar to what was asked for here -> #579 (comment) by @spawn2kill

@alexellis
Copy link
Member Author

@ArcticXWolf
Copy link

ArcticXWolf commented Nov 4, 2020

Shouldn't these RBAC definitions be disabled too, if profiles are not enabled?

- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- "openfaas.com"
resources:
- "profiles"
verbs:
- "get"
- "list"
- "watch"

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: faas-controller
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ .Release.Name }}-profiles
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-profiles
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-controller
namespace: {{ .Release.Namespace | quote }}

@alexellis
Copy link
Member Author

Potentially, however it is not causing an error at deployment time. Feel free to try it out.

@ArcticXWolf
Copy link

I did, but in my cluster I do not have the rights to grant the {{ .Release.Name }}-profiles role (yes, I am currently in discussion with getting more access). However since this role is not needed, we dont need to deploy it?

When I use the {{- if .Values.createCRDs }} in line 76 and 186 of controller-rbac.yaml I can deploy the chart fine.

@alexellis
Copy link
Member Author

That makes me think of something else. If we put those parts behind the same if statement, then what is the story for your administrator? How will he/she install those parts on your behalf?

@ArcticXWolf
Copy link

Sorry, I am not quite sure what these CRDs are used for in OpenFaaS. Are they mandatory for the installation? I would've just skipped it for now (the chart seems to install just fine without) and instructed my administrator to either provide me with enough permissions at a later time or install the CRDs manually.

Copy link
Member

@LucasRoesler LucasRoesler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This adds a new value, which should be documented in the chart readme too https://github.com/openfaas/faas-netes/tree/master/chart/openfaas#configuration

@alexellis
Copy link
Member Author

I'll get that done @LucasRoesler - anything else, or otherwise happy for this to be merged?

@LucasRoesler
Copy link
Member

I'll get that done @LucasRoesler - anything else, or otherwise happy for this to be merged?

That is it

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
@alexellis
Copy link
Member Author

OK, I've just done that.

@alexellis alexellis merged commit bb3c79c into master Nov 4, 2020
@alexellis alexellis deleted the openfaasltd/profiles-toggle branch November 4, 2020 09:30
@ArcticXWolf
Copy link

So we keep the roles in the chart? Or shall this be addressed in a different issue?

@alexellis
Copy link
Member Author

Please can you raise a separate issue for discussion?

@ArcticXWolf
Copy link

Sure thing, I've created #697 . Thanks for all your work 👍

@alexellis
Copy link
Member Author

I think it's been mentioned before but we can do even more to help customers through our Premium Subscription - take a look at it with your manager? Or at our new GitHub Sponsors program

End-user companies are also invited to "chop wood and carry water" - we have a huge amount of unpaid work ahead of us moving all builds off Travis and the Docker Hub, both of which are no-longer free for OSS.

@ArcticXWolf
Copy link

Sure, I'll ask 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants