🌱 clusterctl move should consider Secrets from provider's namespace #4598
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/L
| }, | ||
| { | ||
| name: "Cluster and Global + Namespaced External Objects", | ||
| // NOTE: External objects are CRD types installed by clusterctl, but not directly related with the CAPI hierarchy of objects. e.g. IPAM claims. |
There was a problem hiding this comment.
NOTE: I'm cleaning up tests for external objects because this would help in implementing next step of move credentials; however if reviewer find this confusing I'm happy to move this to a separated PR
| } | ||
| for _, p := range providers.Items { | ||
| if p.Type == string(clusterctlv1.InfrastructureProviderType) { | ||
| providerNamespaceSelector := []client.ListOption{client.InNamespace(p.Namespace)} |
There was a problem hiding this comment.
Are the secrets we're interested about only in the infrastructure provider namespace? Like capa-system? Is this enforced somehow? cc @yastij @randomvariable @sedefsavas
There was a problem hiding this comment.
Perfect for the docs, can we make sure to also enforce this in code?
There was a problem hiding this comment.
This should be implemented on the provider side, might be @randomvariable has some ideas about how to enforce it..
There was a problem hiding this comment.
- default credentials mounted in the pods are within the provider namespace
- the
identityRefshouldn't have a namespace, so that's also good (especially for providers who reference a secret directly) - for providers referencing a CR or a cluster-scoped
identityRefwe'll need validation or a webhook the provider side if we need to look for which namespace the provider is installed
|
/retest |
fabriziopandini
force-pushed
the
clusterctl-move-infrastructure-secrets
branch
from
55b8a16 to
8419393
Compare
|
/retest |
fabriziopandini
force-pushed
the
clusterctl-move-infrastructure-secrets
branch
from
8419393 to
bdb5427
Compare
|
/retest |
|
@fabriziopandini - seems like |
|
@yastij yes, we have a few fix in flight chasing some test flakes |
|
/retest |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
fabriziopandini
force-pushed
the
clusterctl-move-infrastructure-secrets
branch
from
bdb5427 to
c4bf2e7
Compare
k8s-ci-robot
removed
the
lgtm
|
Rebased to fix a new test after #4695 changed a method signature |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
6 participants
What this PR does / why we need it:
This PR implements the first of a set of changes meant to allow clusterctl move to deal properly with the new model for managing credentials being implemented by providers in v1alpha4.
More specifically this PR makes clusterctl move to consider Secrets from the infrastructure provider's namespace (in addition to secrets from the namespace being moved).
Which issue(s) this PR fixes:
Fixes: #3042
/assign @randomvariable
/assign @yastij