From 1b42290a85f7f8907da24d09f054eaf27acec430 Mon Sep 17 00:00:00 2001
From: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Date: Tue, 5 Nov 2024 10:41:24 -0500
Subject: [PATCH] docs: random bits (#93)

* docs: multi-tenancy
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* fine point
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* typo
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* docs: random bits
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
---------
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
---
 config/samples/kustomization.yaml | 1 -
 .../promoter_v1alpha1_changetransferpolicy.yaml | 4 +++-
 config/samples/promoter_v1alpha1_commitstatus.yaml | 9 +++------
 config/samples/promoter_v1alpha1_gitrepository.yaml | 5 ++++-
 .../samples/promoter_v1alpha1_promotionstrategy.yaml | 1 -
 docs/multi-tenancy.md | 10 +++++++---
 internal/controller/promotionstrategy_controller.go | 4 ----
 internal/controller/pullrequest_controller.go | 4 ----
 8 files changed, 17 insertions(+), 21 deletions(-)

diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index 1568549..cbeb708 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -1,4 +1,3 @@
-## Append samples of your project ##
 resources:
 - promoter_v1alpha1_pullrequest.yaml
 - promoter_v1alpha1_commitstatus.yaml
diff --git a/config/samples/promoter_v1alpha1_changetransferpolicy.yaml b/config/samples/promoter_v1alpha1_changetransferpolicy.yaml
index edf405c..333cc0f 100644
--- a/config/samples/promoter_v1alpha1_changetransferpolicy.yaml
+++ b/config/samples/promoter_v1alpha1_changetransferpolicy.yaml
@@ -10,5 +10,7 @@ spec:
 name: promoter-testing
 proposedBranch: environment/development-next
 activeBranch: environment/development
- commitStatuses:
+ proposedCommitStatuses:
+ - key: deployment-freeze
+ activeCommitStatuses:
 - key: healthy
diff --git a/config/samples/promoter_v1alpha1_commitstatus.yaml b/config/samples/promoter_v1alpha1_commitstatus.yaml
index c98a797..ed270b5 100644
--- a/config/samples/promoter_v1alpha1_commitstatus.yaml
+++ b/config/samples/promoter_v1alpha1_commitstatus.yaml
@@ -8,12 +8,9 @@ metadata:
 name: commitstatus-sample
 spec:
 sha: 68522faaf5591f98c7a89dd74069e79195e4d6c6
- repository:
- owner: zachaller
- name: promoter-testing
- gitRepositoryRef:
- name: scmprovider-sample
+ gitRepositoryRef:
+ name: scmprovider-sample
 phase: pending
 name: health
 description: "The build succeeded!"
- url: "https://google.com"
+ url: "https://example.com"
diff --git a/config/samples/promoter_v1alpha1_gitrepository.yaml b/config/samples/promoter_v1alpha1_gitrepository.yaml
index b397da7..60ba7d3 100644
--- a/config/samples/promoter_v1alpha1_gitrepository.yaml
+++ b/config/samples/promoter_v1alpha1_gitrepository.yaml
@@ -6,4 +6,7 @@ metadata:
 app.kubernetes.io/managed-by: kustomize
 name: gitrepository-sample
 spec:
- # TODO(user): Add fields here
+ repo:
+ owner:
+ scmProviderRef:
+ name: example-scm-provider
diff --git a/config/samples/promoter_v1alpha1_promotionstrategy.yaml b/config/samples/promoter_v1alpha1_promotionstrategy.yaml
index 9c448a6..b33ff61 100644
--- a/config/samples/promoter_v1alpha1_promotionstrategy.yaml
+++ b/config/samples/promoter_v1alpha1_promotionstrategy.yaml
@@ -8,7 +8,6 @@ spec:
 gitRepositoryRef:
 name: promoter-testing
- dryBranch: main
 activeCommitStatuses:
 - key: healthy
 - key: healthy-load
diff --git a/docs/multi-tenancy.md b/docs/multi-tenancy.md
index 624a753..add8314 100644
--- a/docs/multi-tenancy.md
+++ b/docs/multi-tenancy.md
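Review bot: The re-added `gitRepositoryRef` in the commitstatus sample points at a GitRepository named `scmprovider-sample`, but the GitRepository sample in this same patch is named `gitrepository-sample` and the ChangeTransferPolicy and PromotionStrategy samples reference `promoter-testing`, so the sample set does not resolve against itself when the resources listed in config/samples/kustomization.yaml are applied together. The value also reads like an ScmProvider name rather than a GitRepository name, which looks like a leftover from the removed nested `repository` block. Change it to `name: gitrepository-sample`, or align all three samples on a single GitRepository name.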
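Review bot: `repo:` and `owner:` in the gitrepository sample are added with no values, so they parse as null; if the CRD marks them required (not visible in this patch) the sample will be rejected at admission instead of giving a user something to edit. Give them obviously-fake placeholders such as `owner: example-org` and `repo: example-repo`, and add a comment above them along the lines of `# The repository the referenced ScmProvider's credentials are expected to have write access to` — per the multi-tenancy docs in this patch, the ScmProvider's Secret is what grants write access, so these fields should never point at a real repository by accident. `scmProviderRef.name: example-scm-provider` also departs from the `*-sample` naming the other samples use (the commitstatus sample references `scmprovider-sample`), so a matching ScmProvider sample, if one exists, will presumably not be found.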
@@ -15,9 +15,10 @@ To enable self-service PromotionStrategy management for multiple tenants, a GitO
 tenant write access to a namespace to manage these resources. As long as the GitOps Promoter controller has access to those namespaces, it will reconcile the resources.
-PromotionStrategies, GitRepositories, and ScmProviders may only reference resources in the same namespace. This prevents
-one tenant from referencing a Secret in another tenant's namespace and gaining write access to another tenant's
-repositories.
+Secrets with SCM credentials may only be referenced by ScmProviders in the same namespace, which in turn may only be
+referenced by GitRepositories in the same namespace, which may only be referenced by PromotionStrategies in the same
+namespace. Limiting these references to a namespace prevents one tenant from referencing a Secret in another tenant's
+namespace and thereby gaining write access to another tenant's repositories.
 **Important**: Provision Secrets securely!
@@ -28,6 +29,9 @@ If an administrator does not want to use namespace-based tenancy, they must eith
 resources themselves or build some other system to regulate Secret access among tenants (for example, by validating that one tenant's resources do not reference another tenant's resources within the same namespace).
+If there are no trust boundaries to be enforced among PromotionStrategy users, a GitOps Promoter admin may choose to
+host all resources in a single namespace, keeping in mind the need to avoid resource name collisions.
 ## CommitStatus Tenancy
 As with PromotionStrategies, all references from CommitStatuses (to GitRepositories, then ScmProviders, and finally to
diff --git a/internal/controller/promotionstrategy_controller.go b/internal/controller/promotionstrategy_controller.go
index 903d624..6826f4b 100644
--- a/internal/controller/promotionstrategy_controller.go
+++ b/internal/controller/promotionstrategy_controller.go
@@ -61,10 +61,6 @@ type PromotionStrategyReconciler struct {
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the PromotionStrategy object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
 //
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.17.2/pkg/reconcile
diff --git a/internal/controller/pullrequest_controller.go b/internal/controller/pullrequest_controller.go
index 3577c98..1aef160 100644
--- a/internal/controller/pullrequest_controller.go
+++ b/internal/controller/pullrequest_controller.go
@@ -52,10 +52,6 @@ type PullRequestReconciler struct {
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the PullRequest object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
 //
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.17.2/pkg/reconcile