[FEATURE] Allow CRDs to target an OpenSearchCluster in another namespace #822

Closed
tmsdce opened this issue May 23, 2024 · 2 comments
Labels
enhancement New feature or request untriaged Issues that have not yet been triaged

Comments

@tmsdce

tmsdce commented May 23, 2024

Is your feature request related to a problem?

I'm just starting off with the operator, so maybe I'm wrong, but it seems that all CRs can only target an OpenSearch cluster in the same namespace in which they are declared. It does not seem possible to declare, say, an OpensearchUser in namespace A targeting an OpenSearchCluster deployed in namespace B. The CRD spec seems to confirm this, as there is no namespace field available for targeting a cluster:

```
# kubectl explain opensearchusers.spec.opensearchCluster

GROUP:      opensearch.opster.io
KIND:       OpensearchUser
VERSION:    v1

FIELD: opensearchCluster <Object>

DESCRIPTION:
    LocalObjectReference contains enough information to let you locate the
    referenced object inside the same namespace.

FIELDS:
  name	<string>
    Name of the referent.
    More info:
    https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    TODO: Add other useful fields. apiVersion, kind, uid?
```

What solution would you like?

Being able to target an OpenSearchCluster regardless of the namespace it is deployed to.

  • This is particularly useful when you want a single Opensearch cluster managing multiple tenants instead of having to deploy a complete opensearch cluster per tenant which can be expensive resource-wise even for small clusters and adds maintenance burden
  • This would also allow application owners to handle their own configuration (users, index templates...) while letting "cluster administrators" handle the lifecycle of the Opensearch cluster itself

What alternatives have you considered?

Deploying an opensearch cluster per tenant and/or application instance which seems overkill in some cases

Do you have any additional context?

For reference, the RabbitMQ operator does this. For example, the Vhosts CRD gives the ability to specify the target namespace of the RabbitmqCluster (cf. https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq-cluster-operator/crds/messaging-topology-operator/rabbitmq.com_vhosts.yaml#L59)

@tmsdce tmsdce added enhancement New feature or request untriaged Issues that have not yet been triaged labels May 23, 2024
@swoehrl-mw
Collaborator

Hi @tmsdce. There was some discussion about this topic in #596.
Bottom line: Cross-namespace references will likely not be supported, as the namespaces are a security boundary and opening that up either breaks security or requires us to implement extra logic and configuration to properly manage it.
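
The trade-off in the reply above, as an added example that is not part of the thread or the operator's code: an operator with cluster-wide access that honoured a namespace field would act on whatever cluster a tenant names, unless the cluster's own namespace has opted in. `ClusterRef.Namespace`, `Grant` and `ResolveCluster` are hypothetical names used only for this sketch of the "extra logic and configuration".

```go
package main

import (
	"errors"
	"fmt"
)

// ClusterRef is a hypothetical reference with an optional namespace; per the
// kubectl output on this page, the real field carries only a name.
type ClusterRef struct{ Name, Namespace string }

// Grant is a hypothetical opt-in object owned by the cluster's namespace.
// It must be read from that namespace, never taken from the requester.
type Grant struct {
	ClusterNamespace, ClusterName string
	AllowedFrom                   []string // namespaces permitted to reference the cluster
}

var ErrNotGranted = errors.New("cross-namespace reference not granted")

// ResolveCluster returns "namespace/name" of the cluster the operator may act
// on for a resource created in fromNS, or an error when the reference leaves
// fromNS without a matching grant from the target side.
func ResolveCluster(fromNS string, ref ClusterRef, grants []Grant) (string, error) {
	if fromNS == "" || ref.Name == "" {
		return "", errors.New("namespace and cluster name are required")
	}
	if ref.Namespace == "" || ref.Namespace == fromNS {
		return fromNS + "/" + ref.Name, nil // same namespace: the local-reference case
	}
	for _, g := range grants {
		if g.ClusterNamespace != ref.Namespace || g.ClusterName != ref.Name {
			continue
		}
		for _, ns := range g.AllowedFrom {
			if ns == fromNS {
				return ref.Namespace + "/" + ref.Name, nil
			}
		}
	}
	return "", fmt.Errorf("%w: %s -> %s/%s", ErrNotGranted, fromNS, ref.Namespace, ref.Name)
}

func main() {
	// Constructed sample data: namespace "search" shares cluster "shared" with "team-a" only.
	grants := []Grant{{ClusterNamespace: "search", ClusterName: "shared", AllowedFrom: []string{"team-a"}}}
	for _, from := range []string{"team-a", "team-b"} {
		key, err := ResolveCluster(from, ClusterRef{Name: "shared", Namespace: "search"}, grants)
		fmt.Printf("from %s: cluster=%q err=%v\n", from, key, err)
	}
}
```

The default-deny branch is the part that keeps the namespace boundary: a tenant cannot widen access by editing its own resource, only the owner of the target namespace can.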

@tmsdce
Author

tmsdce commented May 24, 2024

Hi @swoehrl-mw
Thanks for your prompt reply. Indeed, I didn't catch #596, sorry for the noise. We can consider the present issue as a duplicate, so I'm closing it.

@tmsdce tmsdce closed this as completed May 24, 2024