Improve release process and structure of release manifests #3841
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tekton-robot
added
the
kind/misc
tekton-robot
added
the
size/XL
Reduce unnecessary differences between the read-only and read-write manifests, both to reduce maintenance overhead and to avoid user confusion. There have been a few instances where users thought the read-only mode was broken as they switched the `read-only` flag in the deployment args but didn't replace the associated roles with the appropriate versions. With this update we now include all roles in the manifest, and create bindings for the relevant ones with updated naming to make it clear which grant view access and which grant edit rather than keeping the same name and swapping out the rules. Update install script to accept input from a previously generated installer manifest. This removes the need to run the `ko` build 4 times (2x installer modes + 2x normal release modes) as part of our releases. Now it builds once, and uses the resulting manifest as input to the normal releases so they can augment it with the appropriate RBAC resources depending on mode (read-only vs. read-write). This also means there's no need for a dedicated read-write installer manifest. Update the release pipeline's publish task to take advantage of this new approach, and eliminate other unnecessary config. Use the aggregate ClusterRoles provided by Tekton Pipelines and Triggers instead of defining them ourselves, ensuring we stay in sync with the versions deployed on the cluster. The one exception to this is for `ClusterTask` resources as they're not included in the aggregate roles provided by Tekton Pipelines. We will remove support for these resources in a future release and remove the corresponding rule from the Dashboard backend role. With this new approach to building the manifests, we no longer need separate overlays or additional patches to modify the resources to match the desired mode. Instead, the installer augments the base installer manifest with the appropriate ClusterRoleBindings or RoleBindings to grant the read-only or read-write permissions as desired, and replaces other config in-place. Move the remaining resources into the `config` folder for consistency with other Tekton projects. All of this should be mostly transparent to consumers. They will still use the `installer` or `release-installer` scripts as before. There is some cleanup that should be performed on clusters if upgrading from a previous Dashboard release, by removing the following resources after upgrade: - `clusterrole/tekton-dashboard-backend` - `clusterrole/tekton-dashboard-tenant` - `clusterrolebinding/tekton-dashboard-backend` - `clusterrolebinding/tekton-dashboard-tenant` and if the Dashboard was installed with limited namespace visibility (i.e. using the `--tenant-namespaces` installer flag, or directly via the `--namespaces` deployment arg): - `rolebinding/tekton-dashboard-tenant` in each of the tenant namespaces
briangleeson
approved these changes
Jan 6, 2025
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: briangleeson The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
Reduce unnecessary differences between the read-only and read-write manifests, both to reduce maintenance overhead and to avoid user confusion. There have been a few instances where users thought the read-only mode was broken as they switched the
read-onlyflag in the deployment args but didn't replace the associated roles with the appropriate versions. With this update we now include all roles in the manifest, and create bindings for the relevant ones with updated naming to make it clear which grant view access and which grant edit rather than keeping the same name and swapping out the rules.Update install script to accept input from a previously generated installer manifest. This removes the need to run the
kobuild 4 times (2x installer modes + 2x normal release modes) as part of our releases. Now it builds once, and uses the resulting manifest as input to the normal releases so they can augment it with the appropriate RBAC resources depending on mode (read-only vs. read-write). This also means there's no need for a dedicated read-write installer manifest.Update the release pipeline's publish task to take advantage of this new approach, and eliminate other unnecessary config.
Use the aggregate ClusterRoles provided by Tekton Pipelines and Triggers instead of defining them ourselves, ensuring we stay in sync with the versions deployed on the cluster. The one exception to this is for
ClusterTaskresources as they're not included in the aggregate roles provided by Tekton Pipelines. We will remove support for these resources in a future release and remove the corresponding rule from the Dashboard backend role.With this new approach to building the manifests, we no longer need separate overlays or additional patches to modify the resources to match the desired mode. Instead, the installer augments the base installer manifest with the appropriate ClusterRoleBindings or RoleBindings to grant the read-only or read-write permissions as desired, and replaces other config in-place.
Move the remaining resources into the
configfolder for consistency with other Tekton projects.All of this should be mostly transparent to consumers. They will still use the
installerorrelease-installerscripts as before. There is some cleanup that should be performed on clusters if upgrading from a previous Dashboard release, by removing the following resources after upgrade:clusterrole/tekton-dashboard-backendclusterrole/tekton-dashboard-tenantclusterrolebinding/tekton-dashboard-backendclusterrolebinding/tekton-dashboard-tenantand if the Dashboard was installed with limited namespace visibility (i.e. using the
--tenant-namespacesinstaller flag, or directly via the--namespacesdeployment arg):rolebinding/tekton-dashboard-tenantin each of the tenant namespaces/kind misc
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
/kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes