This repository was archived by the owner on Oct 10, 2023. It is now read-only.

apply ordering to RBAC resources in FeatureGates package #1080

Merged
yharish991 merged 1 commit into vmware-tanzu:main from yharish991:applyOrderingInFeatureGatesPackage
Nov 9, 2021

@yharish991
Contributor

Signed-off-by: Harish Yayi <yharish991@gmail.com>

What this PR does / why we need it

This PR adds kapp builtin rules (https://carvel.dev/kapp/docs/latest/apply-ordering/) to FeatureGates RBAC resources to make sure they are created in a proper order:
ServiceAccount (tanzu-featuregates-manager-sa) and ClusterRole (tanzu-featuregates-manager-clusterrole) -> ClusterRoleBinding (tanzu-featuregates-manager-clusterrolebinding)

Which issue(s) this PR fixes

Fixes #1079

Describe testing done for PR

  1. Install kapp-controller v0.28.0
  2. Create PackageRepository CR

```yaml
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
  name: management.tanzu.vmware.com
  namespace: tkg-system
spec:
  fetch:
    imgpkgBundle:
      image: quay.io/hyayiv/management@sha256:76a447d44fdb6b31d8a40daf4d2d171441c2771229cf077fba0f094f8430e238
```

  3. Create ServiceAccount for PackageInstall CR

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tanzu-featuregates-package-sa
  namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tanzu-featuregates-package-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - update
      - get
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - services
    verbs:
      - create
      - update
      - get
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - update
      - get
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - update
      - get
  - apiGroups:
      - cert-manager.io
    resources:
      - issuers
      - certificates
    verbs:
      - create
      - update
      - get
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - create
      - update
      - get
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
    verbs:
      - create
      - update
      - get
  - apiGroups:
      - config.tanzu.vmware.com
    resources:
      - featuregates
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - config.tanzu.vmware.com
    resources:
      - featuregates/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - config.tanzu.vmware.com
    resources:
      - features
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - config.tanzu.vmware.com
    resources:
      - features/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tanzu-featuregates-package-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tanzu-featuregates-package-cluster-role
subjects:
  - kind: ServiceAccount
    name: tanzu-featuregates-package-sa
    namespace: tkg-system
```

  4. Create PackageInstall CR

```yaml
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: tanzu-featuregates
  namespace: tkg-system
spec:
  packageRef:
    refName: featuregates.tanzu.vmware.com
    versionSelection:
      prereleases: {}
  serviceAccountName: tanzu-featuregates-package-sa
```

  5. Check PackageInstall CR status

```
$ kubectl get packageinstalls.packaging.carvel.dev tanzu-featuregates -n tkg-system -o jsonpath="Status: {.status}"
```

Release note

Fixed FeatureGates package installation by applying ordering rules to FeatureGates RBAC resources

PR Checklist

  • Squash the commits into one or a small number of logical commits
  • Use good commit messages
  • Ensure PR contains terms all contributors can understand and links all contributors can access

Additional information

Special notes for your reviewer

@yharish991 yharish991 added the area/addons and kind/bug (PR/Issue related to a bug) labels Nov 8, 2021
@yharish991 yharish991 requested a review from a team as a code owner November 8, 2021 07:09
Signed-off-by: Harish Yayi <yharish991@gmail.com>
@yharish991 yharish991 force-pushed the applyOrderingInFeatureGatesPackage branch from 3a37367 to 1741733 Compare November 8, 2021 07:11
@rajathagasthya

> What this PR does / why we need it
>
> This PR adds kapp builtin rules (https://carvel.dev/kapp/docs/latest/apply-ordering/) to FeatureGates RBAC resources to make sure they are created in a proper order:
> ServiceAccount (tanzu-featuregates-manager-sa) and ClusterRole (tanzu-featuregates-manager-clusterrole) -> ClusterRoleBinding (tanzu-featuregates-manager-clusterrolebinding)

@yharish991 This PR description would also be a great commit message detail. If you make updates to the PR, please consider adding it to the commit message.


@rajathagasthya rajathagasthya left a comment


LGTM, but I'm not too familiar with these annotations. Would like someone who knows about it to give an approval.

@yharish991 yharish991 requested a review from cppforlife November 8, 2021 14:40
@jmoroski jmoroski added the ok-to-merge (PRs should be labelled with this before merging) label Nov 9, 2021
@yharish991 yharish991 merged commit 0c96340 into vmware-tanzu:main Nov 9, 2021
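
The ordering named in the PR description (ServiceAccount and ClusterRole before ClusterRoleBinding), written out with kapp's `kapp.k14s.io/change-group` and `kapp.k14s.io/change-rule` annotations. This is an added illustration, not the manifests changed by this PR: the group name `featuregates.example/rbac-prereqs`, the `tkg-system` namespace on the ServiceAccount and the empty `rules` list are assumptions.

```yaml
# Added example: resource names come from the PR description; the change-group
# name "featuregates.example/rbac-prereqs" is hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tanzu-featuregates-manager-sa
  namespace: tkg-system            # assumed namespace
  annotations:
    # Member of the prerequisite group that the binding waits on.
    kapp.k14s.io/change-group: "featuregates.example/rbac-prereqs"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tanzu-featuregates-manager-clusterrole
  annotations:
    # Same group, so the role is also applied before the binding.
    kapp.k14s.io/change-group: "featuregates.example/rbac-prereqs"
rules: []                          # the manager role's rules are not shown on this page
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tanzu-featuregates-manager-clusterrolebinding
  annotations:
    # kapp applies this resource only after every resource in the group
    # has been created or updated, so roleRef and subjects already exist.
    kapp.k14s.io/change-rule: "upsert after upserting featuregates.example/rbac-prereqs"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tanzu-featuregates-manager-clusterrole
subjects:
  - kind: ServiceAccount
    name: tanzu-featuregates-manager-sa
    namespace: tkg-system          # assumed namespace
```

Without the `change-rule` annotation the binding carries no explicit dependency on the two resources it references.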

Labels

area/addons, cla-not-required, kind/bug (PR/Issue related to a bug), ok-to-merge (PRs should be labelled with this before merging)

Development

Successfully merging this pull request may close these issues.

FeatureGates package installation fails to create tanzu-featuregates-manager-clusterrole
