rjeberhard
commented
1 month ago @Krishnamotive, with the 3.x version of the operator, it was only required that someone with sufficient cluster privileges install the CRD document and then the rest of the installation could be done in a single namespace using the dedicated mode, as you described.
However, the 4.x operator added a schema conversion webhook to assist customers with upgrading from the v8 version of the domain resource schema to the v9 version and the new v1 cluster resource. Since we were only very rarely hearing requests for support of multitenant cluster environments, we elected to have the CRD always be installed by the endpoint serving the schema conversion webhook.
You can achieve something like the 3.x dedicated mode by having someone with sufficient cluster privileges install the webhook endpoint using the webhookOnly option. Then, you could install one or more operator instances in dedicated namespaces using the selection strategy and the operatorOnly option.
We are working on an enhancement that would allow you to skip installing the schema conversion webhook entirely. When this enhancement is available, we would have restored the 3.x behavior of just requiring the installation of the CRD documents (with a kubectl create -f) prior to a dedicated mode install of the operator.
Looping in @mriccell, who is our product manager.
Krishnamotive
I am trying to deploy web-logic operator weblogic-kubernetes-operator:4.2.8 on OCP 4.16 multi-tenant env with dedicated domainNamespaceSelectionStrategy. However some roles like weblogic-operator-role , weblogic-operator-general fails RBAC permission issues. Do we need to follow any specific guidelines for this multi-tenant type installation? Also, do we need to add any namespace based custom roles to achieve this in multi-tenant env before proceeding installation?