Donate maxgio92/capsule-addon-fluxcd
maxgio92 opened this issue · 4 comments
Hello,
I'd like to donate an addon (maxgio92/capsule-addon-fluxcd) I developed for the integration of Capsule with GitOps scenarios made with Flux CD (v2), following the documented integration guide that describes a use case to provide tenants a Namespace-as-a-Service the GitOps-way.
The addon simply automates all the Tenant owner ServiceAccount setup for:
- Required permissions
- Credentials and client config (kubeConfig) to be used in Flux reconciliation resources.
The setup aligns with all the Flux multi-tenancy lockdown security rules, which are fundamental for multi-tenancy scenarios.
This setup, as for the integration documentation, introduces a pattern that is the Tenant system `Namespace`.
This `Namespace` is outside the `Tenant` and it contains all system resources, such as:
- The `ServiceAccount` Tenant owner
- The `RoleBinding`s
- The client config for the Service Account `Tenant` owner
These resources are intended to be used by the Flux reconciliation resources, in order to reconcile Tenant resources as Tenant owner.
Furthermore, with the autogenerated client config, all the requests are directed to the API server through the Capsule proxy, allowing the tenant to operate, the GitOps-way, on cluster-wide resources, including the custom ones.
The addon allows to optionally distribute the Tenant owner client config in all `Tenant`'s `Namespace`s through `GlobalTenantResource`s. This is configurable as a per-owner knob.
More on this in the addon's home.
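The layout described in the post above, sketched as manifests. This is an added example, not the addon's own output or code from the thread: every name (`oil`, `oil-system`, `gitops-reconciler`, the Secret name and key, the Git path) and the Capsule proxy address are assumptions, and the token and CA values are placeholders.

```yaml
# Constructed example; all names and addresses below are hypothetical.
# Tenant owned by a ServiceAccount that lives in a Namespace outside the Tenant.
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
    - kind: ServiceAccount
      name: system:serviceaccount:oil-system:gitops-reconciler
---
# Client config for the owner, kept in the Tenant system Namespace.
# "server" targets the Capsule proxy (assumed Service address and port),
# so requests for cluster-wide resources are filtered per tenant.
apiVersion: v1
kind: Secret
metadata:
  name: gitops-reconciler-kubeconfig
  namespace: oil-system
stringData:
  kubeconfig: |
    apiVersion: v1
    kind: Config
    clusters:
      - name: default
        cluster:
          server: https://capsule-proxy.capsule-system.svc:9001
          certificate-authority-data: <BASE64_CA_PLACEHOLDER>
    users:
      - name: gitops-reconciler
        user:
          token: <SERVICEACCOUNT_TOKEN_PLACEHOLDER>
    contexts:
      - name: default
        context: {cluster: default, user: gitops-reconciler}
    current-context: default
---
# Flux reconciles Tenant resources as the Tenant owner. The source is in the
# same Namespace, which fits a lockdown that forbids cross-namespace references.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: oil-tenant
  namespace: oil-system
spec:
  interval: 10m
  prune: true
  path: ./tenants/oil
  sourceRef: {kind: GitRepository, name: oil-tenant}
  kubeConfig:
    secretRef: {name: gitops-reconciler-kubeconfig, key: kubeconfig}
```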
LGTM, I'm looking forward to having it donated to the Project Capsule organization! 👍🏻
Since we had the feedback in the Slack channel also from @bsctl, we have 2 positive feedbacks from 2 maintainers, within 9 days, so I think I can now request the transfer. WDYT @prometherion?
@maxgio92 please, proceed with the repo transfer to the `projectcapsule` organization.
Closing this, and welcome aboard!
Thank you @prometherion!
Just sent the ownership transfer.