Reconcile does not discriminate client per namespace
fjvierap opened this issue · 6 comments
Hi,
We have a situation where we have all non-prod environments in the same cluster but in different namespaces. We have set up in every namespace a hydra and hydra-maester instance. The idea we have is that when we add/update a client in hydra-maester in the development namespace, then reconciliation should also happen only in the hydra in the development namespace.
But we found that the OAuth2Client event seems to be picked up in other namespaces, not only in the one where it was created, and we don't know if it is possible to configure the hydra controller manager to only process OAuth2Client resources for some namespace.
In our client definition we configure the namespace:

```yaml
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: oidc-client5
  namespace: demo
```
For now we have worked around the issue by using the long domain name in the client definition instead of the short one.

```yaml
hydraAdmin:
  url: https://hydra-admin.demo.svc.cluster.local
  port: 4445
  endpoint: /clients
  forwardedProto: https
```
With that we get an error when the controller tries to reconcile a client from a different namespace.

```
ERROR controller-runtime.controller Reconciler error {"controller": "oauth2client", "request": "sandbox-authentication-management/oidc-client6", "error": "Get \"https://hydra-admin.sandbox-authentication-management.svc.cluster.local:4445/clients/oidc-client6\": x509: certificate signed by unknown authority"}
```
We would like to know if it is possible to configure the controller in some way to only accept OAuth2Client resources from a certain namespace.
Thanks in advance.
Hello there, this is a bigger issue, as the k8s CRD concept expects controllers to react on all namespaces. We may need to do some internal hacking in the controller and expose a config parameter `observedNamespace` and implement logic that, if set, other namespaces are ignored. This may allow a setup of multiple controllers, each watching on all namespaces (k8s design), but ignoring all namespaces but one.
Thank you @Demonsthere ! Have you seen the proposed changes for https://github.com/ory/hydra-maester/pull/64/files ?
@aeneasr @fjvierap I have taken some time to tinker around the problem, and the result is in #65. This allows a scenario:

- Namespace: Dev1
  - Hydra: hydra-dev1
  - Hydra-maester: hydra-maester-dev1
- Namespace: Dev2
  - Hydra: hydra-dev2
  - Hydra-maester: hydra-maester-dev2

Create 2 clients: dev1 in dev1 and dev2 in dev2

- Client dev1 is picked up by hydra-maester-dev1 and exists only in hydra-dev1
- Client dev2 is picked up by hydra-maester-dev2 and exists only in hydra-dev2
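The filtering idea from the earlier comment (a controller that watches every namespace, as Kubernetes expects, but acts only on the one it is configured for) and the dev1/dev2 scenario above, as an added illustration in Go. This is example code, not hydra-maester's or controller-runtime's own implementation: the `Request` struct is a stand-in for the namespace/name pair a reconciler receives, the `OBSERVED_NAMESPACE` variable name and the `Applied` bookkeeping are assumptions, and the two "events" are constructed inputs.

```go
package main

import (
	"fmt"
	"os"
)

// Request is a constructed stand-in for the namespace/name pair a reconciler
// receives for each event; it is not the controller-runtime type.
type Request struct {
	Namespace string
	Name      string
}

// Reconciler carries the hypothetical observedNamespace setting from the thread.
// An empty value keeps the default Kubernetes behaviour: react on every namespace.
type Reconciler struct {
	ObservedNamespace string
	// Applied records which clients this controller pushed to "its" hydra,
	// keyed by namespace (constructed bookkeeping for the example).
	Applied map[string][]string
}

// ShouldReconcile is the whole filter: when observedNamespace is set, a request
// from any other namespace is ignored so that namespace's own controller handles it.
func (r *Reconciler) ShouldReconcile(req Request) bool {
	return r.ObservedNamespace == "" || req.Namespace == r.ObservedNamespace
}

// Reconcile records the client when the filter admits it and reports whether
// anything was done (a real controller would call the hydra admin API here).
func (r *Reconciler) Reconcile(req Request) bool {
	if !r.ShouldReconcile(req) {
		return false
	}
	if r.Applied == nil {
		r.Applied = map[string][]string{}
	}
	r.Applied[req.Namespace] = append(r.Applied[req.Namespace], req.Name)
	return true
}

// NewReconcilerFromEnv reads the setting from the environment; the variable
// name OBSERVED_NAMESPACE is an assumption for this example.
func NewReconcilerFromEnv() *Reconciler {
	return &Reconciler{ObservedNamespace: os.Getenv("OBSERVED_NAMESPACE")}
}

// RunScenario replays the dev1/dev2 setup: two controllers, each pinned to its
// namespace, both receive the same two events because the watch is cluster-wide.
// It returns, per controller, the clients it actually applied.
func RunScenario() map[string]map[string][]string {
	controllers := map[string]*Reconciler{
		"hydra-maester-dev1": {ObservedNamespace: "dev1"},
		"hydra-maester-dev2": {ObservedNamespace: "dev2"},
	}
	// Constructed events: client dev1 created in dev1, client dev2 created in dev2.
	events := []Request{{Namespace: "dev1", Name: "dev1"}, {Namespace: "dev2", Name: "dev2"}}
	out := map[string]map[string][]string{}
	for name, c := range controllers {
		for _, ev := range events {
			c.Reconcile(ev)
		}
		out[name] = c.Applied
	}
	return out
}

func main() {
	for ctrl, applied := range RunScenario() {
		fmt.Printf("%s handled: %v\n", ctrl, applied)
	}
}
```

With the filter in place, each controller still sees both events but only hydra-maester-dev1 ends up holding client dev1 and only hydra-maester-dev2 holds client dev2; a controller with an empty setting behaves as before and applies everything.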
@Demonsthere great thanks
@Demonsthere @fjvierap so is #64 still relevant, or should I take a look at #65 directly?
I would like to start making a review :)