fabric8-tenant should allow per-cluster setup of namespace(s) + applying template in it

[ibuziuk]

fabric8-tenant targets setup for a new user provisioning + tenant update (which targets users that have been provisioned before). AFAIK, there is no mechanism that would allow the creation of a namespace + applying a template in one specific namespace per cluster

Great exampled is k8s-image-puller [1] which needs:

• k8s-image-puller namespace in every OSIO cluster
• SA in this namespace

Since currently fabric8-tenant does not allow to easily setup CI/CD for this case we have to ask SD team to manually proceed with this setup [2]

Not sure if it makes sense to work on this feature now, but this is definitely smth. that should be taken into account for OSD 4 / tenant operator work

[1] https://github.com/redhat-developer/kubernetes-image-puller
[2] https://gitlab.cee.redhat.com/dtsd/housekeeping/issues/2591

[ibuziuk]

@MatousJobanek @alexeykazakov wdyt?

[MatousJobanek]

Correct me if I'm wrong - this namespace creation using the template should happen only once per cluster, right? Not every time when a new user is provisioned/updated.

Theoretically, you could do it by creating a new user with k8s-image-puller username and then update the namespaces via the _tenant page where you would use the given template as a replacement for the template used for updates of the user's namespace. However, you would need to do it in all clusters - create such a user with the same user's namespace name; and this is impossible - tenant needs to have the user's namespace names unique across all clusters. This could be changed, however, it looks a bit of an overkill to me.

But definitely a very good use-case for toolchain-operator @dipak-pawar

[ibuziuk]

Correct me if I'm wrong - this namespace creation using the template should happen only once per cluster, right? Not every time when a new user is provisioned/updated.

correct - 1 time setup

Theoretically, you could do it by creating a new user with k8s-image-puller username. However, you would need to do it in all clusters - create such a user with the same user's namespace name; and this is impossible - tenant needs to have the user's namespace names unique across all clusters. This could be changed, however, it looks a bit of an overkill to me.

This would be a hack and it is not an option we are looking for. The solution should be the user-agnostic and clean (also taken into account that there is an automatic time-based user deprovisioning planned on auth side, which makes any user involvement for this setup fragile and error-prone)

But definitely a very good use-case for toolchain-operator @dipak-pawar

huge +1

[alexeykazakov]

This is definitely a work for our toolchain operator.
Tenant service could potentially take care of updating the templates/namespaces but it can't do anything about setting it up in the first place.
Tenant service is not a tool to set up a cluster. It's for tenant namespace managing.
It just happened to be that the tenant service has enough permissions to set up such namespace in the clusters but it's not its role to do such things.

[ibuziuk]

ok, than looks like we will need a service for cluster setup (toolchain operator?)

[alexeykazakov]

Yes - https://github.com/fabric8-services/toolchain-operator

[dipak-pawar]

@ibuziuk Created https://jira.coreos.com/browse/ODC-460