vmware-tanzu-labs / namespace-operator Goto Github PK

Add this line into docker build (https://github.com/vmware-tanzu-labs/namespace-operator/blob/master/Dockerfile#L25) and ensure that the image builds correctly.

Currently, RBAC deployment is in place, however, there is not a sane manner in which RBAC is assigned. To do such a thing would require significant elevated privileges for the namespace-operator.

1. Is there a better way to do this, and to restrict the ability for the namespace-operator to elevate its privileges?

2. Need to implement agreed upon solution

Add proper unit tests to the Go code. Currently, we are not unit testing anything.

Make YAML Lint pass its tests

Currently, we only allows for LimitRange/ResourceQuota to act on CPU/Memory. Add in appropriate options for storage constraints as well.

This would allow the ability to inject a secret for the purposes of allowing workloads within a namespace/tenant to pull images from a private repository without having to manually copy the secret into said namespace.

We shouldn't error out on an existing namespace. Instead, we should:

1. Skip namespace creation or update if the ownerref does not match the expected value

-OR-

2. Continue with appropriate updates when the ownerref does match the expected value

2021-02-03T22:10:44.098Z        ERROR   controller-runtime.controller   Reconciler error        {"controller": "tanzunamespace", "request": "/namespace-30", "error": "namespaces \"namespace-30\" already exists"}
github.com/go-logr/zapr.(*zapLogger).Error
        /Users/sdustin/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /Users/sdustin/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:258
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /Users/sdustin/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
        /Users/sdustin/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
        /Users/sdustin/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152
k8s.io/apimachinery/pkg/util/wait.JitterUntil
        /Users/sdustin/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153
k8s.io/apimachinery/pkg/util/wait.Until
        /Users/sdustin/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88

Currently, the v1alpha1 API version (flat structure) is mixed together with nested structures. Users should be able to use v1alpha1 (flat) or the new version (nested) via independent API versions.

NOTE: currently working in the current state. Is it actually time for a new API version?

Currently, the namespace-operator only acts upon object creation. Need to find a way to ensure that it does a full reconciliation when the TanzuNamespace resource gets updated.

For now, simply building, spinning up a KIND cluster, and testing against said KIND cluster would be sufficient.

Make Go lint pass its tests

Update the custom resource definition for a TanzuNamespace to include all requirements to allow users to kubectl explain tanzunamespace.* the resource.