Add field in config to disable hub devconsole integration #569
Conversation
tekton-robot
added
release-note
tekton-robot
added
the
size/M
|
The following is the coverage report on the affected files.
|
piyush-garg
force-pushed
the
add_field_hub
branch
from
d7f61f0 to
f9033c5
Compare
tekton-robot
added
size/L
tekton-robot
removed
the
do-not-merge/work-in-progress
|
The following is the coverage report on the affected files.
|
piyush-garg
force-pushed
the
add_field_hub
branch
from
f9033c5 to
8e1e881
Compare
|
The following is the coverage report on the affected files.
|
|
We may need a new clusterRoleBinding addon for the developer (non-admin) users to read the tekton config CRs. |
@karthikjeeyar this is the intented, as CRDs like TektonConfig, TektonPipeline are internal. Non-admin users generally deal with CRDs like Task, TaskRun etc. |
|
/approve |
tekton-robot
added
the
approved
|
Ideally, the operator should be reading the new param and set a value in a configMap for the Devconsole to read. In the current scope of this patch, the operator does not do anything in response to a change in the param added by this patch. So we are hosting a spec field in TektonConfig for Devconsole code to read. 👉 this is alright functionaly. However, this is a tight coupling. ie, we will not be able to change the structure or name of this part in TektonConfig in the future without breaking Devconsole. If there is a intermediary like a configMap where the operator can set configuration for Devconsole after reading spec in TektonConfig, then we will be able to change the api/behavior on operator side without breaking devconsole. I understand that we agreed with @karthikjeeyar that devconsole side can proceed development based on the TektonConfig spec field name as a contract. However, we all should be aware of the tight coupling here. cc @sm43 @vdemeester |
@nikhil-thomas I agree and disagree. For |
|
I think this patch will be fine. In case we need to change the TektonConfig field in the future, then we can do it without breaking DevConsole by using proper deprecation process like we handled |
|
we can merge this right after the @piyush-garg pushes the minor change in defaulting that we discussed. |
@nikhil-thomas Most of the time the developer console users will have limited permission (eg: create/edit permissions on one or two namespaces). So if the logged in user is a devleoper (non-admin) user, then the call to fetch TektonConfig CR will fail due to lack of permission as it a cluster wide CR. With the clusterRoleBinding I suggested previously, all the logged in users should be able to read the config and UI can behave based on the configuration. |
does this mean that devconsole uses the logged in users credentials to query the api. I highly recomend reconsidering how we are handling this. |
I think so yes. The Devconsole is querying k8s directly for that reason too, there is no "devconsole service" running anywhere. |
|
Yes, Devconsole uses Logged-in user credentials to query any resource. |
piyush-garg
force-pushed
the
add_field_hub
branch
2 times, most recently
from
d8a8c16 to
8a5d307
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
✅ lgtm |
|
@karthikjeeyar @nikhil-thomas @sm43 Have tested the PR. It is working as expected now. Changes
|
This will add a struct in config by named hub, where user can add flags and field to set properties related to hub Right now, only one field is available to enable/disable devconsole pipeline builder and hub resources integration on OpenShift, by default the integration is enabled but it can be disabled by adding the field with value false in tektonconfig CR. By default the field will not be there in CR and the integration is enabled. The field getting added is with possible values as true and false. if user provides invalid key and invalid value it will be handled by webhook Also, if the field is not there in CR, webhook will not add it. This patch also add the config CRD view role for all system authenticated users.
piyush-garg
force-pushed
the
add_field_hub
branch
from
8a5d307 to
d69d5a1
Compare
|
I have a question - the tekton config CR read role we want to get added for both kubernetes and openshift platform or only openshift cc @vdemeester @nikhil-thomas |
|
The following is the coverage report on the affected files.
|
It's only useful for OpenShift today, but I don't see any reason for not putting it in both. |
Yaa this just provides read permission, I think it will be fine to provide for both. On that note, this PR is good to review and merge. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: nikhil-thomas, vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
6 participants
This will add a struct in config by named hub, where user can add flags and field
to set properties related to hub
Right now, only one field is available to enable/disable devconsole pipeline
builder and hub resources integration on OpenShift, by default the integration is
enabled but it can be disabled by adding the field with value
false in tektonconfig CR. By default the field will not be there in CR and
the integration is enabled.
The field getting added is with possible values as true and false.
if user provides invalid key and invalid value it will be handled by webhook
Also, if the field is not there in CR, webhook will not add it.
This patch also add the config CRD view role for all system authenticated users.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Release Notes