1Password / connect-helm-charts

Official 1Password Helm Charts
https://developer.1password.com
MIT License

Watch all namespaces by default #54

Closed SimonBarendse closed 3 years ago

SimonBarendse commented 3 years ago

Summary

Don't override the setting in https://github.com/1Password/onepassword-operator/pull/40

Use cases

I want to configure as little as possible and not have to redeploy when I add more namespaces.

Proposed solution

Set OP_WATCH_NAMESPACES: [] in values.yml

Is there a workaround to accomplish this today?

Override the OP_WATCH_NAMESPACES configured by the Helm chart.

References & Prior Work

SimonBarendse commented 3 years ago

Open challenge: how will this work with creation of service accounts and role bindings so that the operator has permissions to observe usage of 1Password items within the namespace? Could we ask the user to create those separately on each namespace creation? How can we make that very simple and satisfy the ease of adding namespaces requested in https://github.com/1Password/onepassword-operator/issues/8?

Related question: how does service account creation currently work for multiple namespaces watched?

Role bindings are created for each namespace and reference service accounts in a specific namespace.

Do we need to create a service account in each namespace?

From my (limited) understanding, it appears that we're currently creating only a single service account.

SimonBarendse commented 3 years ago

Figured this one out: we can use a ClusterRoleBinding in case we're watching all namespaces. Related: #55
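One way the RBAC split discussed above could be templated, as an added illustration rather than the chart's own template or the contents of PR #62: `operator.watchNamespaces` is an assumed values key, and the ClusterRole and ServiceAccount are assumed to be named after the release.

```yaml
{{- /* Illustrative template, not the chart's own. Assumes a values
       key operator.watchNamespaces holding a list of namespace names;
       an empty list matches the OP_WATCH_NAMESPACES: [] setting and
       means "watch every namespace". */ -}}
{{- $ns := .Values.operator.watchNamespaces | default list }}
{{- if empty $ns }}
# Watching all namespaces: a single ClusterRoleBinding grants the one
# operator ServiceAccount the ClusterRole cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-operator
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-operator
    namespace: {{ .Release.Namespace }}
{{- else }}
# Explicit list: one namespaced RoleBinding per watched namespace. Each
# binding references the same ClusterRole and the single ServiceAccount
# that lives in the release namespace, so no per-namespace SA is needed.
{{- range $ns }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $.Release.Name }}-operator
  namespace: {{ . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $.Release.Name }}-operator
subjects:
  - kind: ServiceAccount
    name: {{ $.Release.Name }}-operator
    namespace: {{ $.Release.Namespace }}
{{- end }}
{{- end }}
```

The same `$ns` list would feed the operator's `OP_WATCH_NAMESPACES` environment variable, so a namespace added to the list gets both its watch scope and its RoleBinding from one `helm upgrade`, while the empty list needs no redeploy at all.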

rchenzheng commented 3 years ago

> Figured this one out: we can use a ClusterRoleBinding in case we're watching all namespaces. Related: #55

I opened a PR to accomplish this https://github.com/1Password/connect-helm-charts/pull/62

insider89 commented 3 years ago

Can anyone review the PR above? It's very important to have the ability to watch all namespaces for our cases. Thx in advance.

roderik commented 3 years ago

Any idea when this is going to be released?

We are using a gitops approach (via Pulumi) and I'm struggling with chicken/egg problems. To configure a shared operator per cluster to watch a namespace, the namespace needs to exist. But the namespaces are env related and might not exist yet; when they are created, nothing is deployed in them since they depend on secrets from the operator, which is not watching yet. Doing the runs by hand twice works, but for our purposes I had to move to connect+operator per namespace. This PR would solve this.

SimonBarendse commented 3 years ago

Thank you @rchenzheng for opening the PR! :blue_heart: I've left a review just now.

I appreciate you all sharing this is important for you. We don't usually make any promises on when we'll release new functionality, so we never create expectations we're not delivering on when we hit unexpected challenges or when other features we're adding for you take precedence. Thank you for your understanding.

edif2008 commented 3 years ago

Hey. Great news. We released 1.5.0, which includes the ClusterRoleBinding compatibility, as well as watching all namespaces by default.