Refactor roles: static definitions in bundle #1209
OlivierCazade left a comment
One comment about some tests, but most of the PR is looking good to me.
| // By("Not expecting mono-ingester role binding") | ||
| // Eventually(func() interface{} { | ||
| // return k8sClient.Get(ctx, rbKeyTransformMono, &rbacv1.ClusterRoleBinding{}) | ||
| // }, timeout, interval).Should(MatchError(`clusterrolebindings.rbac.authorization.k8s.io "flowlogs-pipeline-transformer-role-mono" not found`)) |
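Review bot: The `By("Not expecting mono-ingester role binding")` step and its `Eventually` check for `flowlogs-pipeline-transformer-role-mono` are commented out rather than removed or updated, so the test no longer asserts that this ClusterRoleBinding is absent. Either restore the assertion against the binding name the refactor now uses, or delete the four lines so the test does not carry dead code.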
Were these comments intended?
probably something I forgot to finish, thanks for pointing this out :-)
Move all roles from in-code/dynamic definition to yaml/bundle static definitions.
It better clarifies which roles are used and why. Use a finer granularity in role definitions, and keep only the logic for bindings attribution.
- All component roles are defined in `config/rbac/component_roles.yaml`. Files `netobserv-<rolename>_etc.yaml` in bundle are generated from component_roles.yaml
- New functions to generate bindings for roles
- Change prometheus role to be a namespaced role instead of cluster role
- Remove a few unnecessary roles
- Add previous CRB to the cleanup list, as their names changed
- We won't clean up old cluster roles, since we're removing the CR
create/update/delete permission to the operator, we can't do that.
They'll just remain on the cluster, unused.
- Removing old entries from the cleanup list, dating back to 1.3/1.5.
Since operator upgrades don't jump over versions, they should have
already been cleaned up from previous upgrades
- Shorten CRB names
- Fix tests
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #1209 +/- ##
==========================================
+ Coverage 62.42% 62.63% +0.21%
==========================================
Files 77 76 -1
Lines 11581 11503 -78
==========================================
- Hits 7229 7205 -24
+ Misses 3893 3834 -59
- Partials 459 464 +5
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: jotak
Description
Move all roles from in-code/dynamic definition to yaml/bundle static definitions.
It better clarifies which roles are used and why. Use a finer granularity in role definitions, and keep only the logic for bindings attribution.
All component roles are defined in `config/rbac/component_roles.yaml`. Files `netobserv-<rolename>_etc.yaml` in bundle are generated from component_roles.yaml
New functions to generate bindings for roles
Change prometheus role to be a namespaced role instead of cluster role
Remove a few unnecessary roles
Dependencies
n/a
Checklist
If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.