-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: multi-tenancy #142
feat: multi-tenancy #142
Conversation
60779f6
to
601ecfc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a docs update on multi-tenancy under the topics section? 🙏
Can do! That one in-line comment wasn't doing it for you? 🙈 |
config/crd/bases/infrastructure.cluster.x-k8s.io_linodevpcs.yaml
Outdated
Show resolved
Hide resolved
ddcbc71
to
83f5d52
Compare
docs/src/topics/multi-tenancy.md
Outdated
|
||
CAPL can manage multi-tenant workload clusters across Linode accounts. | ||
LinodeCluster objects may reference an optional Secret containing their Linode | ||
credentials (i.e. API token) to be used for the deployment of "things" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would slightly change the wording to note that this is for Linode resources associated with individual workload clusters such as Linodes, VPCs, and NodeBalancers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better? Worse? 🤔 9942590
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would just replace "things" in the original paragraph with Linode resources (i.e. Linodes, VPCs, and NodeBalancers)
be1bf95
to
03a5321
Compare
Adds a new (optional) field (CredentialsRef) to the Spec for LinodeClusters. This references a Secret that contains Linode credentials that will override the ones supplied by the controller.
Updates LinodeMachines to use the CredentialsRef field (if supplied) of their owner LinodeCluster.
Adds a new (optional) field (CredentialsRef) to the Spec for LinodeVPCs. This references a Secret that contains Linode credentials that will override the ones supplied by the controller.
Adds a credentials Secret in the cluster templates. This propagates the $LINODE_TOKEN environment variable into a Secret that will be created for every workload cluster. While this credentials Secret may be referenced by multiple workload clusters (or not at all), generating a per-cluster Secret works best in the current cluster templating workflow.
03a5321
to
94126db
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
* feat: multi-tenancy for LinodeClusters Adds a new (optional) field (CredentialsRef) to the Spec for LinodeClusters. This references a Secret that contains Linode credentials that will override the ones supplied by the controller. * feat: multi-tenancy for LinodeMachines Updates LinodeMachines to use the CredentialsRef field (if supplied) of their owner LinodeCluster. * feat: multi-tenancy for LinodeVPCs Adds a new (optional) field (CredentialsRef) to the Spec for LinodeVPCs. This references a Secret that contains Linode credentials that will override the ones supplied by the controller. * templates: add cluster credentials secret Adds a credentials Secret in the cluster templates. This propagates the $LINODE_TOKEN environment variable into a Secret that will be created for every workload cluster. While this credentials Secret may be referenced by multiple workload clusters (or not at all), generating a per-cluster Secret works best in the current cluster templating workflow. * docs: add multi-tenant clusters
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds multi-tenancy for CAPL-managed clusters. Clusters may now reference an optional Secret containing their Linode credentials (i.e. API token) to be used for the deployment of "things" associated with their cluster.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
From the design, it appears
LinodeVPC
andLinodeCluster
objects are loosely-coupled and managed somewhat independently by the controller. I thought it was best to use a separateCredentialsRef
field in the Spec forLinodeVPC
s rather than doing a bigger refactor and trying to couple the two types.The
$LINODE_TOKEN
environment variable is always propagated into a Secret that will be created for every workload cluster. While a credentials Secret may be referenced by multiple workload clusters (or not at all), I thought generating a per-cluster Secret was best in the current cluster templating workflow.TODOs:
Testing:
Create two Linode tokens, one with full "Read/Write" permissions (
$GOOD_TOKEN
) and one with full "None" permissions ($BAD_TOKEN
).Deploy two workload clusters, one per token:
NOTE: These tokens will be different from the default one (
capl-system/capl-manager-credentials
) that is used by CAPL if the Cluster does not reference a credentials Secret.