docs(operatorgroups): add more extensive docs #721
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
approved
njhale
force-pushed
the
operatorgroup-docs
branch
from
1d134f6 to
38edf47
Compare
njhale
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
| * Contains the namespace of the `OperatorGroup` | ||
| * `olm.targetNamespaces=<target-namespaces>` | ||
| * Contains a comma-delimited string listing the `OperatorGroup`'s target namespace selection. This annotation is projected onto the pod template of a CSV's deployments and can be consumed by a pod instance via [The Downward API](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api) | ||
| * If the CSV does not [have a Copied status reason](#copied-csvs) |
There was a problem hiding this comment.
I think this is missing the end of the sentence?
| * `OwnNamespace`: If supported, the set of namespaces targetted by an `OperatorGroup` must contain the namespace the Operator is to be installed in. | ||
| * `SingleNamespace`: If supported, the set of namespaces targetted by an `OperatorGroup` can be of length 1. | ||
| * `MultiNamespace`: If supported, the set of namespaces targetted by an `OperatorGroup` can be of length >= 1. Any Operator supporting `MultiNamespace` implicitly supports `SingleNamespace` as well. | ||
| * `AllNamespaces`: If supported, the Operator can support an `OperatorGroup` that selects all namespaces with a targetted set = [""]. Any Operator supporting `AllNamespaces` implicity supports `OwnNamespace` as well. |
There was a problem hiding this comment.
I don’t think we would install an operator with ‘AllNamespaces’ into a group watching one namespaces, so I think that this extra comment makes sense
There was a problem hiding this comment.
This just means that any CSV supporting AllNamespaces must also support OwnNamespace - For reference OwnNamespace doesn't imply SingleNamespace.
There was a problem hiding this comment.
But can't I write an operator that starts up and watches all namespaces, but can't be deployed in a configuration that watches only its own namespace?
There was a problem hiding this comment.
In the current implementation, OwnNamespace is an additional restriction on an OperatorGroup’s namespace set. More specifically, it means that a CSV can be a member of an OperatorGroup whose target namespace set includes the CSV’s namespace. This rule applies to Single, Multi, and All, rather than just applying to Single (see https://github.com/operator-framework/operator-lifecycle-manager/blob/master/pkg/api/apis/operators/v1alpha1/clusterserviceversion.go#L99).
We can change this logic to match your definition (It makes sense to) - but I think a change like that warrants a follow up PR.
| namespaces: | ||
| - local | ||
| ``` | ||
|
|
There was a problem hiding this comment.
I think we should introduce the Copied status and the static provided apis around here; they’re referenced frequently in the intersection section.
There was a problem hiding this comment.
It's been updated to reflect your comments - forgot to push this morning.
njhale
force-pushed
the
operatorgroup-docs
branch
from
38edf47 to
8d63163
Compare
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
|
|
||
| * An `OperatorGroup` selects a set of target namespaces in which to generate required RBAC access for its member operators. | ||
| * The set of target namespaces is provided via a comma-delimited string stored in the `olm.targetNamespaces` annotation. This annotation is applied to member operator's deployments and is accessible through [The Downward API](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/#the-downward-api) | ||
| * An operator is said to be a [member of an `OperatorGroup`](#operatorgroup-membership) if its CSV exists in the same namespace as the `OperatorGroup` and its CSV's [`InstallModes` support the set of namespaces targetted by the `OperatorGroup`](#installmodes-and-supported-operatorgroups) |
There was a problem hiding this comment.
Could be better to split out InstallModes to a separate bullet (or remove from "OperatorGroup Overview") to simplify what it means to belong to an OperatorGroup.
There was a problem hiding this comment.
Besides being in the same namespace, InstallModes are the primary factor in determining membership. I think it makes sense for it to be in the overview. InstallModes are tightly coupled to membership so I feel that putting it in a separate bullet will dilute that association.
The link serves as a pointer to the definition since I don't want to leave people wondering or ctrl-fing.
njhale
force-pushed
the
operatorgroup-docs
branch
from
8d63163 to
b4b4a72
Compare
|
/test e2e-aws |
| metadata: | ||
| name: my-group | ||
| namespace: my-namespace | ||
| targetNamespaces: |
| * `OwnNamespace`: If supported, the set of namespaces targetted by an `OperatorGroup` must contain the namespace the Operator is to be installed in. | ||
| * `SingleNamespace`: If supported, the set of namespaces targetted by an `OperatorGroup` can be of length 1. | ||
| * `MultiNamespace`: If supported, the set of namespaces targetted by an `OperatorGroup` can be of length >= 1. Any Operator supporting `MultiNamespace` implicitly supports `SingleNamespace` as well. | ||
| * `AllNamespaces`: If supported, the set of namespaces targetted by an `OperatorGroup` can be = [""] (which tells operators to watch all namespaces). Any Operator supporting `AllNamespaces` implicity supports `OwnNamespace` as well. |
There was a problem hiding this comment.
Does this mean that OwnNamespace must be set to true if AllNamespaces is supported?
There was a problem hiding this comment.
That is the current behavior, but not the desired. I'm updating the docs to reflect our desired behavior, in which case OwnNamespace does not need to be set to true if AllNamespaces is supported.
A follow up PR that changes the behavior in OLM is on the way.
njhale
force-pushed
the
operatorgroup-docs
branch
from
b4b4a72 to
8641c63
Compare
|
/lgtm |
njhale
force-pushed
the
operatorgroup-docs
branch
from
8641c63 to
a6cd32f
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ecordell, njhale The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
docs(operatorgroups): add more extensive docs
njhale
added
the
kind/feature
Document OperatorGroup purpose and behavior in high fidelity.