Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Creating ManagedServiceAccount in cluster-set namespace did not work #90

Open
tamalsaha opened this issue Oct 22, 2023 · 7 comments
Open
Labels
bug Something isn't working

Comments

@tamalsaha
Copy link
Contributor

tamalsaha commented Oct 22, 2023

Describe the bug
The design docs says that the ManagedServiceAccount can be created a cluster-set namespace. I created a clusterset namespace and bound it to the global clusterset. No service account secret was created. The operator basically did nothing. There was no error in the logs.

Later I tried using a manually created clusterset instead of global. That did not work either.

To Reproduce
Steps to reproduce the behavior:

Expected behavior
A clear and concise description of what you expected to happen.

Environment ie: OCM version, managed serviceaccount addon version, Kubernetes version and provider:

Additional context
Add any other context about the problem here.

@tamalsaha tamalsaha added the bug Something isn't working label Oct 22, 2023
@zhujian7
Copy link
Member

Hi @tamalsaha, did you enable the managed service account addon(kubectl get managedclusteraddon -n <managed-cluster> managed-serviceaccount -oyaml)? which doc are you referring to?

@tamalsaha
Copy link
Contributor Author

I am referring to this design doc:
https://github.com/open-cluster-management-io/enhancements/tree/main/enhancements/sig-architecture/19-projected-serviceaccount-token

A valid "ManagedServiceAccount" should be either in a "cluster namespace" or a "cluster-set namespace" which is bind to a valid "ManagedClusterSet" resource.

Yes, managedaddon is active for the spoke clusters.
Screenshot 2023-10-22 at 8 39 24 PM

@zhujian7
Copy link
Member

Hi @tamalsaha, only the "cluster namespace" is supported as of now, can you try to create the managedserviceaccounts in the cluster namespaces?

@tamalsaha
Copy link
Contributor Author

Creating in cluster namespaces works.

@tamalsaha
Copy link
Contributor Author

What needs to change to make it work with clusterset namespace? Can you please show me any example?

@zhujian7
Copy link
Member

Hi @tamalsaha , after discussed with @qiujian16 the managed service account API does not support clusterset namespace, and most likely it will not be supported in the future, sorry the enhancement doc is not updated.
If you want to make a service account that can access multi managed clusters, we might need another high-level API. we need to reconsider this, and welcome any thoughts/proposals.

@tamalsaha
Copy link
Contributor Author

I finally got a chance the read the current implementation. I think there needs to be a higher level resource for clusterset support. I think there could be a even more generic ClusterSet resource that can be used for ManifestWork, ManagedServiceAccount which basically clones the underlying resource into cluster namespace based on placcement logic. This way there can be one ClusterSet type resource that is build into the ocm.

haoqing0110 pushed a commit to haoqing0110/managed-serviceaccount that referenced this issue Jun 6, 2024
Signed-off-by: red-hat-konflux <123456+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux <123456+red-hat-konflux[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants