-
Notifications
You must be signed in to change notification settings - Fork 155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automation providing capsule-proxy kubeConfig to in-cluster GitOps automation #770
Comments
I like the idea of automating the deployment of the Since we're talking about the |
That makes sense. I wasn't fully aware of capsule-proxy being a separate project. Sorry. |
After thinking a bit more about this, I think it makes more sense to focus on the secret and rely on a K8s feature, as this will probably make the machinery simpler and less error-prone. So my modified suggestion is the following. The user creates the secret where he/she wants to obtain the capsule-proxy kubeconfig. The secret is created as request for a long-lived token as explained here, but with one additional annotation. apiVersion: v1
kind: Secret
metadata:
name: gitops-reconciler-kubeconfig
namespace: my-tenant
annotations:
kubernetes.io/service-account.name: gitops-reconciler
capsule.clastix.io/kubeconfig: generate
type: kubernetes.io/service-account-token When the Kubernetes controller has done its job adding the token++ to the secret, the Capsule controller can use the token to generate the kind: Secret
apiVersion: v1
metadata:
name: gitops-reconciler-kubeconfig
namespace: my-tenant
annotations:
capsule.clastix.io/kubeconfig: generate
kubernetes.io/service-account.name: gitops-reconciler
kubernetes.io/service-account.uid: 7dfa681c-f6a9-4b15-969a-e5e7ac834ace
data:
ca.crt: ....
kubeconfig: ...
service-ca.crt: ...
token: ...
type: kubernetes.io/service-account-token |
Tracking @prometherion I agree, we can move this issue to capsule-proxy repository. The proposal Thank you @erikgb for this feedback and proposal. I totally get your point and actually, we had in plan the automation it's missing now to enable the integration to scale. So, I'm glad we're on the same page. Kubeconfig setup About the implementation: I like the idea of, as a platform admin, annotating the Tenant Owner The token, from Kubernetes 1.24, could be missing and we need to address what responsibility the Capsule Proxy admission controllers would have with respect to it: should it automatically create, when missing, the long-lived token? Instead, I see the RBAC setup In general, keep in mind that the As the RBAC depends on the integration with Flux (e.g. the needed permission to impersonate), I see this automation should be part of an external project, like an addon. What do you think? |
@maxgio92 I am pretty sure the machinery will be a lot simpler if we head for the secret, instead of the SA. By addressing the secret, we don't have to deal with a typical controller issue: two (or more) service accounts trying to "own" the same secret. Owner references and garbage collection will also be taken care of by something else. I am not sure if I understand what RBAC you are referring to. The documentation is actually outdated for newer versions of Flux (after fluxcd/flux2#3566). No need to grant anything more than the Capsule default admin cluster role to tenant owners (including the Flux GitOps reconcile SA). I also don't see why the RBAC is relevant for this issue? Am I missing something? |
Describe the feature
We would like to use FluxCD (or other in-cluster GitOps tool) with Capsule to allow regular users to provision namespaces. First, we tried without the capsule-proxy, but it seems like the proxy is required for the Flux reconciling approach to work, and that's fair. Making the Flux tenant gitops-reconciler service account go through the proxy is possible, but currently requires manual cluster-admin work (ref.
proxy-kubeconfig-generator
in https://capsule.clastix.io/docs/guides/flux2-capsule/#the-recipe). This does not scale IMO, and I would like an automated solution to provide capsule-proxykubeConfig
.Related issue: #608
What would the new user story look like?
As a cluster-admin I want automation to provide a capsule-proxy
kubeConfig
secret for in-cluster access to kube-apiserver through the proxy. This will allow me to avoid manual tasks for onboarding new tenants.Expected behavior
Ref. https://capsule.clastix.io/docs/guides/flux2-capsule/#the-recipe, I think it the UI could as simple as annotating the tenant gitops-reconciler service account with an indication of the name of the secret the
kubeConfig
should be delivered to. Example:This should make the automation (capsule-controller) deliver and maintain the
kubeConfig
secret:The text was updated successfully, but these errors were encountered: