[WIP] Skip creating the clusterrole/clusterrolebinding if we are not enabling openshif OAuth #381
Conversation
…ng openshift oauth so a normal user can run chectl Signed-off-by: Tom George <tg82490@gmail.com>
tomgeorge
requested review from
azatsarynnyy,
benoitf,
l0rd,
rhopp and
vparfonov
as code owners
| @@ -120,6 +125,11 @@ export class OperatorTasks { | |||
| }, | |||
| { | |||
| title: `Create ClusterRoleBinding ${this.operatorClusterRoleBinding}`, | |||
| skip: () => { | |||
| if (!flags['os-oauth']) { | |||
| return `No need for ClusterRole ${this.operatorClusterRole}` | |||
There was a problem hiding this comment.
Previously it was implemented in such way, but then I removed such check during console link support implementing.
How consolelink supposed to work after your changes? https://github.com/eclipse/che-operator/blob/master/deploy/cluster_role.yaml#L41
There was a problem hiding this comment.
I think chectl should be be smarter - it can check if the current user has admin rights:
- if has - create cluster role, everything is OK
- if it does not - OAuth flag is not permitted, during deploying chectl prints warning that consolelink won't be created.
It's needed to check what che-operator will do on OpenShift 4.2 when he does not permissions to create console link, probably it fails to deploy Che...
There was a problem hiding this comment.
Probably che-operator should be modified, and ClusterRoles for OAuth and Console links should be separate.
Then chectl is able to create OauthClusterRole only when Oauth is configured, and consoleLink might be optional in case when user is not a cluster admin.
tomgeorge
changed the title
|
Would you say this is better suited as an operator change, to separate those clusterroles? Then on the chectl side, if |
Signed-off-by: Tom George tg82490@gmail.com
What does this PR do?
Skip creating the
che-operatorclusterrole if--os-authis not enabled.What issues does this PR fix or reference?
Part of eclipse-che/che#14662 that I changed as part of my testing.