- 
                Notifications
    You must be signed in to change notification settings 
- Fork 68
🌱 OPRUN-4016: Split rbac generation into experimental/standard #2099
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🌱 OPRUN-4016: Split rbac generation into experimental/standard #2099
Conversation
| ✅ Deploy Preview for olmv1 ready!
 To edit notification comments on pull requests, go to your Netlify project configuration. | 
| I think this is a good start, but we should also do this for catalogd... | 
| Codecov ReportAll modified and coverable lines are covered by tests ✅ 
 Additional details and impacted files@@           Coverage Diff           @@
##             main    #2099   +/-   ##
=======================================
  Coverage   73.48%   73.48%           
=======================================
  Files          78       78           
  Lines        7240     7240           
=======================================
  Hits         5320     5320           
  Misses       1568     1568           
  Partials      352      352           
 Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
 | 
| 
 @tmshort I've added it. But are you sure we aren't jumping the gun a little. I wonder if we'll ever add new APIs or controllers to catalogd...:thinking: | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this file added? I don't see a reference to it anywhere? It seems like an old file that was deleted a while go?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I messed up. Great catch, thank you!
| 
 
 EDIT: To clarify, experimental controllers should be included/excluded based on feature gate flags, not build flags. The manifests (including CRDs) can change at any time during a deployment (including argument flags). EDIT 2: However, i think what's not clear (to me, at least initially) is that this tag is only used for generating the RBAC, and is not used during code compilation. I will likely need to update the RFCs to make the use of  | 
| @grokspawn believes we might, and I would prefer a complete solution. It's a good sign that the committed manifests did not change! This looks good, but I don't know why  | 
6f12fcb    to
    4c3456a      
    Compare
  
    | 
 @tmshort I think we can get away with not generating new and experimental CRDs by not adding them to the standardKinds map but still adding them to the generate-crds.sh lists of things to generate. I would highly encourage us to use this path (unless there's something I'm not seeing) because it feels a bit weird to ship empty CRDs to production. I've done this in the Boxcutter WIP PR if you want to have a look to see what that looks like in code. I've put an additional commit to add exp/std split support for the catalogd webhooks. Feels like it leads to a lot of duplication (and I'd also pose the same question of whether we have any inclination to have experimental webhooks, etc.). Regarding catalogd, I think the solution is complete without this additional complexity under the assumption there will be no new controllers and we'll just have experimental changes to the existing CRD and add features to the existing controllers. I get that there's a certain lack of symmetry, but I think we'd be carrying around additional complexity for no added benefit, or just in case future us decide to violate the stated assumption - and it should be easy enough to add the split when the time comes anyway. But, I'll defer to your better judgement here since you've put all of this together. | 
| 
 Exactly. 
 Yes, that is the purpose of those lists in the generator. 
 I hear you about duplication. However, we still need to keep the manifest generation separate for downstream reasons. So, we unfortunately have to deal with it. Also, there are kubebuilder limitations on the number of paths it can accept in a single invocation (it's only one path). 
 I would prefer to have it in place for catalogd, because when the time comes around, and something is added to catalogd, and the experimental/standard split is only partially done (i.e. for CRDs but not RBAC), it going to really confuse someone, and they are going to have to recreate this infrastructure. You have done the work for this, so thank you! | 
Signed-off-by: Per Goncalves da Silva <[email protected]>
Signed-off-by: Per Goncalves da Silva <[email protected]>
Signed-off-by: Per Goncalves da Silva <[email protected]>
Signed-off-by: Per Goncalves da Silva <[email protected]>
a9307a0    to
    279fcc9      
    Compare
  
    | @tmshort | 
| /approve | 
| [APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tmshort The full list of commands accepted by this bot can be found here. The pull request process is described here 
Needs approval from an approver in each of these files:
 
 Approvers can indicate their approval by writing  | 
| This does not appear to have any downstream issues... | 
7c12644
      into
      
  
    operator-framework:main
  
    
Description
Once we introduce experimental API types and controllers the standard rbac will get polluted.
This PR:
Updates the Makefile to generate standard and experimental rbac
Updates kustomize to handle this split
Update
hack/tools/upgrade-crds.shto be tolerant to ungenerated files. This may happen if there are new types that are not registered in the thestandardKindsmap in hack/tools/crd-generator/main.goExperimental controllers should carry
//go:build !standardbuild tag. This will exclude it from the standard manifest generation step in the Makefile.Reviewer Checklist