
Flamingo tenant structure not mapping to Flux tenant structure

Open tommyreilly opened this issue 1 year ago • 2 comments

Hi,

Hopefully a quick question if someone knows.

In the Flamingo source at:

https://github.com/flux-subsystem-argo/flamingo/blob/ef02f00f17000b5a95bee67abcd6387819e942be/cmd/flamingo/install_templates.go#L110

it suggests that the label to identify a tenant is limited to the namespace name:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    toolkit.fluxcd.io/tenant: %s
  name: flamingo-reconciler
  namespace: %s
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
  namespace: %s

However, Flux multi-tenancy doesn't limit a tenant to a single namespace:

https://fluxcd.io/flux/cmd/flux_create_tenant/

e.g. as per the doc, you can define --with-namespace multiple times which makes sense to me where a team may be allocated more than one namespace in a k8s (shared) cluster:

 # Generate tenant namespaces and role bindings in YAML format
 flux create tenant dev-team \
   --with-namespace=frontend \
   --with-namespace=backend \
   --export > dev-team.yaml

Is this difference between Flamingo tenancy and Flux intended? i.e. would I have to work with a tenant = namespace if I wanted to use the Flux subsystem?

tommyreilly Dec 14 '23 23:12
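An added example (not part of the original post, nor Flamingo's or Flux's own code) of checking how the tenant label maps to namespaces: it reads JSON in the shape of `kubectl get rolebindings -A -o json`, groups bindings by the `toolkit.fluxcd.io/tenant` label, and reports whether each tenant is a single namespace and which subjects are bound to `cluster-admin` there. The sample bindings, the `payments` and `argocd` namespaces and the `dev-team-reconciler` name are constructed for illustration.

```python
import json
from collections import defaultdict

TENANT_LABEL = "toolkit.fluxcd.io/tenant"  # label key from the RoleBinding quoted in the issue

def rolebinding(name, namespace, tenant, subject, subject_ns):
    """Build a constructed RoleBinding in the shape kubectl emits with -o json."""
    return {
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace,
                     "labels": {TENANT_LABEL: tenant}},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": subject,
                      "namespace": subject_ns}],
    }

# Constructed sample: one tenant spanning two namespaces (the Flux model from
# the question) and one binding whose label is the namespace name (the template).
SAMPLE = json.dumps({"kind": "List", "items": [
    rolebinding("dev-team-reconciler", "frontend", "dev-team", "dev-team", "frontend"),
    rolebinding("dev-team-reconciler", "backend", "dev-team", "dev-team", "backend"),
    rolebinding("flamingo-reconciler", "payments", "payments",
                "argocd-application-controller", "argocd"),
]})

def tenant_report(kubectl_json):
    """Group tenant-labelled RoleBindings by tenant and summarise their scope."""
    namespaces = defaultdict(set)
    admin_subjects = defaultdict(set)
    for item in json.loads(kubectl_json).get("items", []):
        meta = item.get("metadata", {})
        tenant = (meta.get("labels") or {}).get(TENANT_LABEL)
        if item.get("kind") != "RoleBinding" or not tenant:
            continue  # not labelled as part of any tenant
        namespaces[tenant].add(meta["namespace"])
        if item.get("roleRef", {}).get("name") == "cluster-admin":
            for s in item.get("subjects") or []:
                admin_subjects[tenant].add(f'{s.get("namespace", "")}/{s["name"]}')
    return {
        t: {"namespaces": sorted(ns),
            # True only when the tenant label is just the single namespace's name
            "tenant_is_namespace": ns == {t},
            "cluster_admin_subjects": sorted(admin_subjects[t])}
        for t, ns in namespaces.items()
    }

if __name__ == "__main__":
    print(json.dumps(tenant_report(SAMPLE), indent=2))
```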

Hi @tommyreilly Thank you for bringing this up.

Our aim is to make Flamingo 100% compatible with Flux tenants. So yes, we would definitely support the model you suggested.

chanwit Dec 20 '23 03:12

Thank you @chanwit

tommyreilly Dec 20 '23 04:12