Flux installation with Openshift and OLM into a dedicated namespace #21

Closed
1 task done
blezoray opened this issue May 30, 2024 · 9 comments

Comments

@blezoray

Hello,
I created the following issue in the flux repo, but it seems that for OpenShift deployments it belongs here.

Issue: fluxcd/flux2#4816

Describe the bug

Hello,

I installed Flux v2.3.0 on my lab OpenShift 4.14 platform into a dedicated namespace, mpms-fluxcd-operator, using Operator Lifecycle Manager (OLM).

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: fluxcd-operator
  namespace: mpms-fluxcd-operator
spec:
  channel: stable
  installPlanApproval: Manual
  name: flux
  source: community-operators
  sourceNamespace: openshift-marketplace
  startingCSV: flux.v2.3.0

But all the controllers have the default namespace flux-system hard-coded in their deployment args: --events-addr=http://notification-controller.flux-system.svc.cluster.local./

      labels:
        app: kustomize-controller
    spec:
      containers:
      - args:
        - --events-addr=http://notification-controller.flux-system.svc.cluster.local./
        - --watch-all-namespaces=true
        - --log-level=info
        - --log-encoding=json
        - --enable-leader-election

You should use the RUNTIME_NAMESPACE variable or replace the URL with --events-addr=http://notification-controller/

Steps to reproduce

  • Create a dedicated namespace, different from flux-system
  • Create an OperatorGroup to allow users to deploy the operator in the namespace with OLM
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: fluxcd-operator
spec:
  targetNamespaces: []
  • Create a Subscription
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: fluxcd-operator
spec:
  channel: stable
  installPlanApproval: Manual
  name: flux
  source: community-operators
  sourceNamespace: openshift-marketplace
  startingCSV: flux.v2.3.0
  • Check the deployments

Expected behavior

Args should be: --events-addr=http://notification-controller.mpms-fluxcd-operator.svc.cluster.local./

Screenshots and recordings

No response

OS / Distro

OpenShift 4.14

Flux version

2.3.0

Flux check

no more details

Git provider

No response

Container Registry provider

No response

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@stefanprodan
Contributor

stefanprodan commented Jun 11, 2024

The new Flux Operator allows setting a different namespace than flux-system, just make sure to create the FluxInstance custom resource in the same namespace where the operator has been installed. https://operatorhub.io/operator/flux-operator

@blezoray
Author

Good. Does it support multi-tenancy?

@stefanprodan
Contributor

Does it support multi-tenancy?

Yes, see the docs here: https://fluxcd.control-plane.io/operator/fluxinstance/#cluster-configuration

@blezoray
Author

Is there a way to specify the name of the ServiceAccount? The default SA has no permissions and I'm not sure it is recommended to change its permissions. So, I prefer to create a dedicated SA in each namespace with the associated Role/RoleBinding.

@stefanprodan
Contributor

The dedicated SA should be specified on the Flux Kustomization/HelmRelease objects under .spec.serviceAccountName. The default SA works the same as for any Kubernetes workload: it grants no permissions and should be left like this.

Docs:

You can also change the default with a patch like so:

apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
spec:
  kustomize:
    patches:
      - patch: |
          - op: add
            path: /spec/template/spec/containers/0/args/-
            value: --default-service-account=flux
        target:
          kind: Deployment
          name: "(kustomize-controller|helm-controller)"

@blezoray
Author

I tested the patch and it didn't replace the arg, it adds:

  spec:
    containers:
      - args:
          - --events-addr=http://notification-controller.mpms-flux-operator.svc.cluster.local./
          - --watch-all-namespaces=true
          - --log-level=info
          - --log-encoding=json
          - --enable-leader-election
          - --no-cross-namespace-refs=true
          - --no-remote-bases=true
          - --default-service-account=default
          - --concurrent=10
          - --requeue-dependency=5s
          - --default-service-account=flux

In the logs, I can see it uses the last arg: system:serviceaccount:mpms-ubly7356:flux
Maybe it would be interesting to add a new parameter, `multitenantServiceAccountName`, to avoid any confusion.

@stefanprodan
Contributor

This is how it's supposed to work: Flux flags support overriding, the last one listed wins.
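
An added example (not code from the issue or the Flux project) that checks controller args for the two things discussed in this thread: whether --events-addr points at a namespace other than the one the controllers run in, and which value of a repeated flag such as --default-service-account actually takes effect, using the last-one-wins rule stated above. The sample args are constructed from the list quoted earlier in the thread; the function names are my own.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: the kustomize-controller args quoted in the thread,
# including the duplicated --default-service-account flag.
SAMPLE_ARGS = [
    "--events-addr=http://notification-controller.mpms-flux-operator.svc.cluster.local./",
    "--watch-all-namespaces=true",
    "--log-level=info",
    "--log-encoding=json",
    "--enable-leader-election",
    "--no-cross-namespace-refs=true",
    "--no-remote-bases=true",
    "--default-service-account=default",
    "--concurrent=10",
    "--requeue-dependency=5s",
    "--default-service-account=flux",
]


def flag_name(arg):
    """'--foo=bar' -> 'foo'; '--enable-x' -> 'enable-x'."""
    return arg[2:].partition("=")[0]


def effective_flags(args):
    """Resolve flags the way the thread describes: a repeated flag is
    overridden by its last occurrence. Bare flags (no '=') become 'true'."""
    flags = {}
    for arg in args:
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags


def events_addr_namespace(addr):
    """Namespace encoded in an --events-addr URL, or None for a bare service
    name like http://notification-controller/ (resolves in the pod's own ns)."""
    host = (urlparse(addr).hostname or "").rstrip(".")  # drop trailing FQDN dot
    parts = host.split(".")
    # <service>.<namespace>.svc.cluster.local -> namespace is parts[1]
    return parts[1] if len(parts) >= 3 and parts[2] == "svc" else None


def check_controller_args(args, install_namespace):
    """Summarise the flags that matter for the problems raised in this issue."""
    flags = effective_flags(args)
    ns = events_addr_namespace(flags.get("events-addr", ""))
    counts = Counter(flag_name(a) for a in args if a.startswith("--"))
    return {
        "events_addr_ok": ns is None or ns == install_namespace,
        "events_addr_namespace": ns,
        "default_service_account": flags.get("default-service-account"),
        "duplicated_flags": sorted(n for n, c in counts.items() if c > 1),
    }
```

Run check_controller_args against the args of each Flux Deployment in the install namespace; a mismatch in events_addr_ok reproduces the original report, and duplicated_flags shows which patched flags rely on override order.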

@stefanprodan
Contributor

Anyway, let's move this conversation to the flux-operator repo.

@stefanprodan stefanprodan closed this as not planned Jun 20, 2024
@blezoray
Author

I created this issue controlplaneio-fluxcd/flux-operator#44
