Moved global repos to their own namespace and outside the kubeapps one

[castelblanque]

Description of the change

Sorry for the long PR, but in order to have the feature working it is all or nothing 😄

This PR moves the global repos from the Kubeapps namespace to its own namespace.

Based on the problem stated by @dlaloue-vmware and the discussion in #3680, this allows to give read access to users to the global repos namespace, and therefore not having to grant them with access to the kubeapps namespace.

Changes are done e.g. to Helm templates, repositories-controller, asset-syncer and kubeapps-apis, so it is large change, but basically it is adding the global namespace parameter and substituting the kubeapps namespace where needed.

No changes done to the double secrets kept for non-global repos.
Modifications in Kubeops are done for compatibility reasons.

Benefits

Global repos can be placed into their own namespace, and therefore better RBAC can be applied separated from the kubeapps namespace. Hopefully this helps somehow to implement #1647.

Possible drawbacks

Assets syncing should not be affected, but we could keep an eye on it.

Applicable issues

• fixes Update Kubeapps to keep global repositories in a separate namespace #3989

[castelblanque]

Not sure if this is the best place to add the global repos namespace...otherwise we might need to extend the register RPC method signature.

[absoludity]

Yeah, I think that's fine for now.

[castelblanque]

Preferred to add a proper flag instead of passing the value through env variables

[absoludity]

+100.

[castelblanque]

Creates the global repos namespace

[absoludity]

Sorry for the long PR,

Heh - at +161 −91 this isn't a long PR, the focused change just touches a lot of files :) Start to worry about that if it's over +400 (IMO).

but in order to have the feature working it is all or nothing smile

Hmm, I'm not sure this is the case... in particular, have you checked how this code handles upgrading an existing deployment, where there are existing global repos? Won't they disappear with this change (anything other than the default bitnami repo, that is). I think it'd be easy to update so this is a non-breaking change by. See what you think (more context inline).

[absoludity]

Regarding making this a non-breaking change, could we instead do:

Suggested change

	namespace: {{ printf "%s-%s" $.Release.Namespace $.Values.apprepository.globalReposNamespaceSuffix | quote }}
	namespace: {{ printf "%s%s" $.Release.Namespace $.Values.apprepository.globalReposNamespaceSuffix | quote }}

so that if globalReposNamespaceSuffix is empty (which can be the default, initially), we will have the existing behavior? We can then update the default value to -repos-global when we do a major version change, breaking the backwards compatibility?

It'd require a conditional around the namespace creation later too, etc.

[castelblanque]

Thanks for the suggestion Michael, it makes sense. So, defaulting now to the same kubeapps namespace, would mean leaving without effect the purpose of this change until next major version 3.x?
As-is in a Kubeapps upgrade scenario, new global repos will go to the new ns and old global repos will stay in the kubeapps ns, just not being considered global anymore.

[absoludity]

Thanks for the suggestion Michael, it makes sense. So, defaulting now to the same kubeapps namespace, would mean leaving without effect the purpose of this change until next major version 3.x?

By default, yes, but we can verify it works as expected, even update CI to use it (by setting a value for the suffix) if we want, to ensure that switching the default later is a non-event (other than the instructions for users).

As-is in a Kubeapps upgrade scenario, new global repos will go to the new ns and old global repos will stay in the kubeapps ns, just not being considered global anymore.

Yep, we'll just ensure we document that in the release notes so people can move their repos as needed.

[absoludity]

+100.

[absoludity]

Yeah, I think that's fine for now.

[castelblanque]

Hmm, I'm not sure this is the case... in particular, have you checked how this code handles upgrading an existing deployment, where there are existing global repos? Won't they disappear with this change (anything other than the default bitnami repo, that is). I think it'd be easy to update so this is a non-breaking change by. See what you think (more context inline).

I don't remember from the top of my head if I tested that scenario before Christmas 😅 , will give it a try. We are talking about:

• Install Kubeapps v2.4.2 (global repos in ns kubeapps)
• Deploy app from one of the global repos
• Upgrade Kubeapps to this snapshot (global repos in new global ns)
• Upgrade app?

Old global repos will stay in kubeapps and repos coming from Helm values will go to the new ns.

[absoludity]

Hmm, I'm not sure this is the case... in particular, have you checked how this code handles upgrading an existing deployment, where there are existing global repos? Won't they disappear with this change (anything other than the default bitnami repo, that is). I think it'd be easy to update so this is a non-breaking change by. See what you think (more context inline).

I don't remember from the top of my head if I tested that scenario before Christmas sweat_smile , will give it a try. We are talking about:

* Install Kubeapps v2.4.2 (global repos in ns `kubeapps`)

* Deploy app from one of the global repos

* Upgrade Kubeapps to this snapshot (global repos in new global ns)

* Upgrade app?

Old global repos will stay in kubeapps and repos coming from Helm values will go to the new ns.

Yeah - in particular, does that affect existing installations (ie. if I'd installed apache in my-namespace, because apache was from the bitnami repo which was in the global repo before the upgrade, after the upgrade I may not be able to upgrade the app, as kubeapps may have lost the link to the available package?)

[antgamdia]

Agree with the rest of the comments in that the suffix should also include the - to prevent backward-incompatible changes.

Also, in order to stick close to similar names within our organization, why not go with a similar suffix as Carvel people does: -packaging-global ? (source: carvel-dev/kapp-controller@d199158)

[castelblanque]

I find using the word repos more intuitive 😄
Is there any accepted terminology for this?

[castelblanque]

Yeah - in particular, does that affect existing installations (ie. if I'd installed apache in my-namespace, because apache was from the bitnami repo which was in the global repo before the upgrade, after the upgrade I may not be able to upgrade the app, as kubeapps may have lost the link to the available package?)

@absoludity I tested the scenario of updating Kubeapps to the new global repos ns, and as expected:

• Custom global repos created prior to Kubeapps update were kept in kubeapps ns, but they are not global anymore.
• When retrieving details of already installed packages from old custom global repos, this error appears:
  
• When switching context to ns kubeapps, old custom global repos packages appear and they can be installed normally, only in kubeapps ns.
• If the old global repo is created/moved into the new global repos namespace, existing installations can be updated. Maybe in the future we could provide a mechanism to move repositories from one namespace to another? This way admins could move their repos to other namespaces after updating.

By now we are safe as we are defaulting to kubeapps ns (no global suffix).
When a proper global namespace will be used, existing installations from custom global repositories will be affected.

[absoludity]

Excellent, thanks for testing Rafa.

• If the old global repo is created/moved into the new global repos namespace, existing installations can be updated. Maybe in the future we could provide a mechanism to move repositories from one namespace to another? This way admins could move their repos to other namespaces after updating.

Great, yes, at the very least, instructions in the release notes when the default changes.

+1, thanks!