Merge branch '0.10' into SA-5031-Docs-0.10.0
SheryarButt authored Dec 6, 2023
2 parents 41b2cea + e7d486d commit 1a6188f
Showing 13 changed files with 94 additions and 30 deletions.
32 changes: 31 additions & 1 deletion content/changelog.md
@@ -1,5 +1,35 @@
# Changelog

## v0.10.x

### v0.10.0

### Feature

- Added support for caching for MTO Console using PostgreSQL as caching layer.
- Added support for custom metrics with Template, Template Instance and Template Group Instance.
- Graph visualization of Tenant and its associated resources on MTO Console.
- Tenant and Admin level authz/authn support within MTO Console and Gateway.
- Now in MTO console you can view cost of different Tenant resources with different date, resource type and additional filters.
- MTO can now create a default keycloak realm, client and `mto-admin` user for Console.
- Implemented Cluster Resource Quota for vanilla Kubernetes platform type.
- Dependency of TLS secrets for MTO Webhook.
- Added Helm Chart that would be used for installing MTO over Kubernetes.
- And it comes with default Cert Manager manifests for certificates.
- Support for MTO e2e.

### Fix

- Updated CreateMergePatch to MergeMergePatches to address issues caused by losing `resourceVersion` and UID when converting `oldObject` to `newObject`. This prevents problems when the object is edited by another controller.
- In Template Resource distribution for Secret type, we now consider the source's Secret field type, preventing default creation as Opaque regardless of the source's actual type.
- Enhanced admin permissions for tenant role in Vault to include Create, Update, Delete alongside existing Read and List privileges for the common-shared-secrets path. Viewers now have Read permission.

### Enhanced

- Started to support Kubernetes along with OpenShift as platform type.
- Support of MTO's PostgreSQL instance as persistent storage for keycloak.
- `kube:admin` is now bypassed by default to perform operations, earlier `kube:admin` needed to be mentioned in respective tenants to give it access over namespaces.

## v0.9.x

### v0.9.4
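Review bot: the "Enhanced" entry stating that `kube:admin` is now bypassed by default widens what that identity may do without any tenant mapping, so the changelog should say whether the bypass can be switched off and in which IntegrationConfig field, since operators read release notes to decide whether an upgrade changes their security posture. The Vault entry under "Fix" grants Create, Update and Delete on the common-shared-secrets path to the tenant role; that is a permission expansion rather than a defect repair and would sit better under "Enhanced" with a pointer to the policy it alters. The namespace rename from `stakater-tenant-operator` to `multi-tenant-operator` that every other hunk in this commit applies to the examples is not recorded here at all. Minor wording: "Dependency of TLS secrets for MTO Webhook." and "And it comes with default Cert Manager manifests for certificates." are fragments; suggest "MTO Webhook now depends on TLS secrets." and "The Helm chart ships default Cert Manager manifests for certificates."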
Expand Down Expand Up @@ -242,7 +272,7 @@
> ⚠️ Known Issues
- `caBundle` field in validation webhooks is not being populated for newly added webhooks. A temporary fix is to edit the validation webhook configuration manifest without the `caBundle` field added in any webhook, so OpenShift can add it to all fields simultaneously
- Edit the `ValidatingWebhookConfiguration` `stakater-tenant-operator-validating-webhook-configuration` by removing all the `caBundle` fields of all webhooks
- Edit the `ValidatingWebhookConfiguration` `multi-tenant-operator-validating-webhook-configuration` by removing all the `caBundle` fields of all webhooks
- Save the manifest
- Verify that all `caBundle` fields have been populated
- Restart Tenant-Operator pods
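Review bot: this known-issues step lives in an older release's section (new-file line 272, far below the v0.10.0 block added above), yet the resource name it now tells readers to edit is `multi-tenant-operator-validating-webhook-configuration`, which this same commit introduces everywhere as the new name. Readers on the release this note belongs to will look for a `ValidatingWebhookConfiguration` that their install does not have. Suggest keeping the old name here, or listing both names with the version each applies to.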
39 changes: 35 additions & 4 deletions content/faq.md
@@ -1,12 +1,43 @@
# FAQs

## Q. Error received while performing Create, Update or Delete action on namespace `"Cannot CREATE namespace test-john without label stakater.com/tenant"`
## Namespace Admission Webhook

**A.** Error occurs when a user is trying to perform create, update, delete action on a namespace without the required `stakater.com/tenant` label. This label is used by the operator to see that authorized users can perform that action on the namespace. Just add the label with the tenant name so that MTO knows which tenant the namespace belongs to, and who is authorized to perform create/update/delete operations. For more details please refer to [Namespace use-case](./tutorials/tenant/creating-namespaces.md).
### Q. Error received while performing Create, Update or Delete action on Namespace

## Q. How do I deploy cluster-scoped resource via the ArgoCD integration?
```terminal
Cannot CREATE namespace test-john without label stakater.com/tenant
```

**A.** Multi-Tenant Operator's ArgoCD Integration allows configuration of which cluster-scoped resources can be deployed, both globally and on a per-tenant basis. For a global allow-list that applies to all tenants, you can add both resource `group` and `kind` to the [IntegrationConfig's](./how-to-guides/integration-config.md#argocd) `spec.argocd.clusterResourceWhitelist` field. Alternatively, you can set this up on a tenant level by configuring the same details within a [Tenant's](./how-to-guides/tenant.md) `spec.argocd.appProject.clusterResourceWhitelist` field. For more details, check out the [ArgoCD integration use cases](./tutorials/argocd/enabling-multi-tenancy-argocd.md#allow-argocd-to-sync-certain-cluster-wide-resources)
**Answer.** Error occurs when a user is trying to perform create, update, delete action on a namespace without the required `stakater.com/tenant` label. This label is used by the operator to see that authorized users can perform that action on the namespace. Just add the label with the tenant name so that MTO knows which tenant the namespace belongs to, and who is authorized to perform create/update/delete operations. For more details please refer to [Namespace use-case](./tutorials/tenant/creating-namespaces.md).

### Q. Error received while performing Create, Update or Delete action on OpenShift Project

```terminal
Cannot CREATE namespace testing without label stakater.com/tenant. User: system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
```

**Answer.** This error occurs because we don't allow Tenant members to do operations on OpenShift Project, whenever an operation is done on a project, `openshift-apiserver-sa` tries to do the same request onto a namespace. That's why the user sees `openshift-apiserver-sa` Service Account instead of its own user in the error message.

The fix is to try the same operation on the namespace manifest instead.

### Q. Error received while doing "kubectl apply -f namespace.yaml"

```terminal
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=namespaces", GroupVersionKind: "/v1, Kind=Namespace"
Name: "ns1", Namespace: ""
from server for: "namespace.yaml": namespaces "ns1" is forbidden: User "muneeb" cannot get resource "namespaces" in API group "" in the namespace "ns1"
```

**Answer.** Tenant members will not be able to use `kubectl apply` because `apply` first gets all the instances of that resource, in this case namespaces, and then does the required operation on the selected resource. To maintain tenancy, tenant members do not the access to get or list all the namespaces.

The fix is to create namespaces with `kubectl create` instead.

## MTO - ArgoCD Integration

### Q. How do I deploy cluster-scoped resource via the ArgoCD integration?

**Answer.** Multi-Tenant Operator's ArgoCD Integration allows configuration of which cluster-scoped resources can be deployed, both globally and on a per-tenant basis. For a global allow-list that applies to all tenants, you can add both resource `group` and `kind` to the [IntegrationConfig's](./how-to-guides/integration-config.md#argocd) `spec.argocd.clusterResourceWhitelist` field. Alternatively, you can set this up on a tenant level by configuring the same details within a [Tenant's](./how-to-guides/tenant.md) `spec.argocd.appProject.clusterResourceWhitelist` field. For more details, check out the [ArgoCD integration use cases](./tutorials/argocd/enabling-multi-tenancy-argocd.md#allow-argocd-to-sync-certain-cluster-wide-resources)

## Q. InvalidSpecError: application repo \<repo\> is not permitted in project \<project\>

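Review bot: the last heading in the hunk, `## Q. InvalidSpecError: application repo \<repo\> is not permitted in project \<project\>`, is still level 2 while the questions above it were demoted to `###` under the new `## MTO - ArgoCD Integration` section, so it will render as a sibling of that section instead of a question inside it; change it to `### Q. ...`. In the `kubectl apply` answer, "tenant members do not the access to get or list all the namespaces" is missing a word ("do not have access"); the sentence is the security-relevant point of that FAQ, that tenant members deliberately lack cluster-wide get/list on namespaces, so it deserves to read cleanly. The OpenShift Project answer would be clearer as: "Tenant members are not allowed to operate on OpenShift Projects directly. When a Project is created or modified, the `openshift-apiserver-sa` service account issues the equivalent request against the underlying Namespace, which is why that service account, not the user, appears in the error." The ArgoCD answer is missing its final period.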
2 changes: 1 addition & 1 deletion content/how-to-guides/integration-config.md
Expand Up @@ -7,7 +7,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
tenantRoles:
default:
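Review bot: the example's namespace changes from `stakater-tenant-operator` to `multi-tenant-operator`, but nothing in the changelog hunk of this commit announces the rename. Anyone with an existing install in `stakater-tenant-operator` who copies this IntegrationConfig will end up with the config in a different namespace from the one their operator was installed into, and the doc gives no hint that anything moved. The same substitution is repeated in every other file in this commit, so one sentence in the install or upgrade guidance stating which release introduced the new namespace and how existing installs migrate would cover all of them.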
9 changes: 6 additions & 3 deletions content/integration-config.md
Expand Up @@ -7,7 +7,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
tenantRoles:
default:
Expand Down Expand Up @@ -251,11 +251,14 @@ users:

### Cluster Admin Groups

`clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way
`clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way. MTO does not interfere even with the deletion of privilegedNamespaces.

!!! note
User `kube:admin` is bypassed by default to perform operations as a cluster admin, this includes operations on all the namespaces.

### Privileged Namespaces

`privilegedNamespaces:` Contains the list of `namespaces` ignored by MTO. MTO will not manage the `namespaces` in this list. Values in this list are regex patterns.
`privilegedNamespaces:` Contains the list of `namespaces` ignored by MTO. MTO will not manage the `namespaces` in this list. Treatment for privileged namespaces does not involve further integrations or finalizers processing as with normal namespaces. Values in this list are regex patterns.
For example:

- To ignore the `default` namespace, we can specify `^default$`
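Review bot: the new sentence "MTO does not interfere even with the deletion of privilegedNamespaces." and the `!!! note` that `kube:admin` is bypassed by default both describe paths where MTO's namespace protection does not apply, so each should say how the behaviour is controlled, in particular whether the `kube:admin` bypass is configurable and in which field; `privilegedNamespaces` should also be backticked as a field name. The added sentence under Privileged Namespaces, "Treatment for privileged namespaces does not involve further integrations or finalizers processing as with normal namespaces", is hard to parse; suggest "Privileged namespaces are skipped by MTO's integrations and finalizers, unlike tenant namespaces." Since the text says the values are regex patterns, an unanchored entry such as `default` would also match a namespace like `default-backend`; the example already uses `^default$`, so a one-line reminder to anchor patterns would stop readers from exempting more namespaces than they intend.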
Expand Up @@ -55,7 +55,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
project:
4 changes: 2 additions & 2 deletions content/reference-guides/custom-roles.md
Expand Up @@ -9,7 +9,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
tenantRoles:
default:
Expand All @@ -35,7 +35,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
tenantRoles:
default:
8 changes: 4 additions & 4 deletions content/reference-guides/integrationconfig.md
Expand Up @@ -18,7 +18,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
privilegedNamespaces:
Expand All @@ -44,7 +44,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
privilegedServiceAccounts:
Expand All @@ -62,7 +62,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
privilegedServiceAccounts:
Expand All @@ -85,7 +85,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
vault:
enabled: true
6 changes: 3 additions & 3 deletions content/tutorials/argocd/enabling-multi-tenancy-argocd.md
Expand Up @@ -31,7 +31,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
...
argocd:
Expand Down Expand Up @@ -138,7 +138,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
...
argocd:
Expand Down Expand Up @@ -178,7 +178,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
...
argocd:
6 changes: 3 additions & 3 deletions content/usecases/argocd.md
Expand Up @@ -9,7 +9,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
...
argocd:
Expand Down Expand Up @@ -116,7 +116,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
...
argocd:
Expand Down Expand Up @@ -156,7 +156,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
...
argocd:
Expand Up @@ -55,7 +55,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
project:
4 changes: 2 additions & 2 deletions content/usecases/custom-roles.md
Expand Up @@ -9,7 +9,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
tenantRoles:
default:
Expand All @@ -35,7 +35,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
tenantRoles:
default:
8 changes: 4 additions & 4 deletions content/usecases/integrationconfig.md
Expand Up @@ -18,7 +18,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
privilegedNamespaces:
Expand All @@ -44,7 +44,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
privilegedServiceAccounts:
Expand All @@ -62,7 +62,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
openshift:
privilegedServiceAccounts:
Expand All @@ -85,7 +85,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1
kind: IntegrationConfig
metadata:
name: tenant-operator-config
namespace: stakater-tenant-operator
namespace: multi-tenant-operator
spec:
vault:
enabled: true
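Review bot: these four hunks are the same change at the same offsets as the four in content/reference-guides/integrationconfig.md earlier in this commit, and content/usecases/custom-roles.md mirrors content/reference-guides/custom-roles.md the same way, so the namespace rename had to be applied by hand to parallel copies of the same page. Worth consolidating the `usecases/` copies into the `reference-guides/` ones, or turning one into a redirect, before the next rename leaves the two sets disagreeing.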
2 changes: 1 addition & 1 deletion vocabulary

0 comments on commit 1a6188f