Add proper cluster-scope support to the Operator to allow installing GitLab in a separate namespace
Summary
Our Operator currently has the RBAC objects to give it cluster scope, but we set `WATCH_NAMESPACE` to confine it to reconciling only CRs in its own namespace.
For the Operator to properly support reconciling GitLab instances across namespaces, we need to:
- Remove the `WATCH_NAMESPACE` environment variable from the Deployment
- Ensure all RBAC objects (like ServiceAccounts) and any other dependencies are available in the desired namespace
Initial report
It seems that the operator expects the GitLab CR to be created in the same namespace as the operator itself.
Upon creation of the CR in its own namespace, the operator creates a Job which requires the gitlab-manager ServiceAccount:
```
Error creating: pods "staging-shared-secrets-1-p0m-" is forbidden: error looking up service account gitlab-staging/gitlab-manager: serviceaccount "gitlab-manager" not found
```
You could opt to copy the ServiceAccount into the new namespace:
```shell
kubectl get sa gitlab-manager -n gitlab-system -o json | jq '{apiVersion,secrets,kind,metadata} | .metadata |= {"name"}' | kubectl apply -n gitlab-staging -f -
```
But you'd also need to change the gitlab-manager-role ClusterRoleBinding to point to the new ServiceAccount as well:
```shell
kubectl patch clusterrolebinding gitlab-manager-rolebinding --type='json' -p='[{"op": "add", "path": "/subjects/1", "value": {"kind": "ServiceAccount", "name": "gitlab-manager","namespace": "gitlab-staging" } }]'
```
This gets you to the point where the staging-shared-secrets Job is able to complete, but then the next issue comes up.
This all seems like a lot of trouble. Am I doing something wrong?
See #210 (closed) for more discussion on this issue.
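The following script is an added example, not code from the Operator project or from the reporter above. It scripts the two steps the summary lists (unset `WATCH_NAMESPACE` on the Deployment, make the Job's ServiceAccount usable in the target namespace) and fixes two rough edges in the manual commands from the report: the ServiceAccount is rendered with only its name and namespace (the original object's `secrets` list points at token Secrets that only exist in `gitlab-system`), and the ClusterRoleBinding subject is appended with `/subjects/-` only if it is not already present, so the patch is safe to rerun. It assumes the names visible in the report (`gitlab-manager`, `gitlab-manager-rolebinding`, `gitlab-system`); the Deployment name `gitlab-controller-manager` is an assumption and can be overridden with `OPERATOR_DEPLOY`.

```shell
#!/bin/sh
# Added example: let the GitLab Operator reconcile a GitLab CR in another namespace.
# Names below come from the issue report; the Deployment name is an assumption.
set -eu

OPERATOR_NS=${OPERATOR_NS:-gitlab-system}
OPERATOR_DEPLOY=${OPERATOR_DEPLOY:-gitlab-controller-manager}   # assumption
SA_NAME=gitlab-manager
CRB_NAME=gitlab-manager-rolebinding

# Minimal ServiceAccount manifest for the target namespace. Only name and
# namespace are set: copying `secrets` from the gitlab-system SA would reference
# token Secrets that do not exist in the new namespace.
sa_manifest() {
  ns=$1
  printf 'apiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: %s\n  namespace: %s\n' \
    "$SA_NAME" "$ns"
}

# JSON patch that appends the target-namespace SA to the CRB subjects.
# "/subjects/-" appends instead of overwriting index 1, which the manual
# command would clobber if a second subject already existed.
crb_subject_patch() {
  ns=$1
  printf '[{"op":"add","path":"/subjects/-","value":{"kind":"ServiceAccount","name":"%s","namespace":"%s"}}]' \
    "$SA_NAME" "$ns"
}

# Succeeds if the subject list (one "kind/namespace/name" per line, as produced
# by current_subjects below) already contains the SA for the namespace.
crb_has_subject() {
  subjects=$1
  ns=$2
  printf '%s\n' "$subjects" | grep -qxF "ServiceAccount/$ns/$SA_NAME"
}

# Read the CRB subjects from the cluster in the "kind/namespace/name" form.
current_subjects() {
  kubectl get clusterrolebinding "$CRB_NAME" \
    -o jsonpath='{range .subjects[*]}{.kind}/{.namespace}/{.name}{"\n"}{end}'
}

# Create the SA in the target namespace and bind it, idempotently.
grant_namespace() {
  ns=$1
  kubectl get namespace "$ns" >/dev/null        # fail early if the namespace is missing
  sa_manifest "$ns" | kubectl apply -f -
  if crb_has_subject "$(current_subjects)" "$ns"; then
    echo "$CRB_NAME already grants $SA_NAME in $ns"
  else
    kubectl patch clusterrolebinding "$CRB_NAME" --type=json -p "$(crb_subject_patch "$ns")"
  fi
}

# Remove WATCH_NAMESPACE from the operator Deployment so it watches all namespaces
# (the trailing "-" in `kubectl set env` unsets a variable). The Operator's RBAC is
# already cluster-scoped per the summary, so no ClusterRole change is needed here.
watch_all_namespaces() {
  kubectl -n "$OPERATOR_NS" set env "deployment/$OPERATOR_DEPLOY" WATCH_NAMESPACE-
}

# Usage: ./cross-ns.sh gitlab-staging
# With no argument the file only defines the functions (safe to source).
if [ -n "${1:-}" ]; then
  grant_namespace "$1"
  watch_all_namespaces
fi
```

Run it once per target namespace; rerunning is harmless because the ServiceAccount apply is idempotent and the subject check skips the patch when the binding already exists. After the Deployment's env var is removed the operator pod restarts and starts reconciling CRs in every namespace, so the subsequent Jobs (beyond `staging-shared-secrets`) also find their ServiceAccount.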