feat: Allow receiver to notify resources in any namespace#1315
Conversation
This change introduces '*' as allowed namespace value for resources in the reciver. It allows notifying resources across many namespaces, this is especially very powerful in combination with label filter to establish a generic pattern without adding huge complexity with many webhooks. fixes fluxcd#1217 Signed-off-by: Richard Hillmann <richard@flowers-software.de>
project0
force-pushed
the
feat/receiver-cross-namespace-resources
branch
from
6bddd13 to
2994fa1
Compare
|
I don't think allowing cross-tenant triggering is the right solution. If any, a solution I'd consider would be a new API called What I do in my clusters is to use Flux Operator's ResourceSet to easily provision a Receiver for each namespace: https://fluxoperator.dev/docs/crd/resourceset/ Combined with this upcoming feature in Flux 2.9 you won't even need secrets anymore for a secure Receiver: |
|
The problem with creating receiver per tenant/namespace, you need to wire the new webhook endpoints also on the other side. This means a lot of extra effort to either automate or manual setup :-( |
I do not see a real problem with this approach. Fact is, you can already cross-namespace as of today when you know the namespace name. So your concerns is not valid in this case as this is already happening. This just extends capability to be more flexible with label filter across many namespaces |
Can you pls expand on this? We just implemented |
I cannot follow your thoughts about the cli command, it serves actually different purpose in my opinion and applicable for any case. I dont see why i would need to execute github actions for something that i already retrieve natively as a event from the sub-system i need. How am i supposed to trigger the receiver from outside the cluster (github actions) when there is no public kubernetes controller? We have a github org-wide webhook per cluster (And ECR Push events webhook to notify image updates for all registries). I just want to route the webhooks to its destination within the multi-tenant namespace so i dont have to create lots of webhooks in github and ECR (either via complex script/dynamic setup whatever or manual effort). |
|
I am not saying i like the current option and also would rather like to see better native option with clusterReceiver and proper RBAC, but its what we have currently. |
2 participants
This change introduces '*' as allowed namespace value for resources in the reciver. It allows notifying resources across many namespaces, this is especially very powerful in combination with label filter to establish a generic pattern without adding huge complexity with many webhooks.
fixes #1217