Merge pull request #5597 from anshuishere/skip-tenant-ns-create

Allow option to skip tenant namespace creation

cmd/flux/create_tenant.go

@@ -61,6 +61,7 @@ type tenantFlags struct {
 	namespaces    []string
 	clusterRole   string
 	account       string
+	skipNamespace bool
 }
 
 var tenantArgs tenantFlags
@@ -69,6 +70,7 @@ func init() {
 	createTenantCmd.Flags().StringSliceVar(&tenantArgs.namespaces, "with-namespace", nil, "namespace belonging to this tenant")
 	createTenantCmd.Flags().StringVar(&tenantArgs.clusterRole, "cluster-role", "cluster-admin", "cluster role of the tenant role binding")
 	createTenantCmd.Flags().StringVar(&tenantArgs.account, "with-service-account", "", "service account belonging to this tenant")
+	createTenantCmd.Flags().BoolVar(&tenantArgs.skipNamespace, "skip-namespace", false, "skip namespace creation (namespace must exist already)")
 	createCmd.AddCommand(createTenantCmd)
 }
 
@@ -157,7 +159,7 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 
 	if createArgs.export {
 		for i := range tenantArgs.namespaces {
-			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i]); err != nil {
+			if err := exportTenant(namespaces[i], accounts[i], roleBindings[i], tenantArgs.skipNamespace); err != nil {
 				return err
 			}
 		}
@@ -173,10 +175,12 @@ func createTenantCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	for i := range tenantArgs.namespaces {
+		if !tenantArgs.skipNamespace {
 			logger.Actionf("applying namespace %s", namespaces[i].Name)
 			if err := upsertNamespace(ctx, kubeClient, namespaces[i]); err != nil {
 				return err
 			}
+		}
 
 		logger.Actionf("applying service account %s", accounts[i].Name)
 		if err := upsertServiceAccount(ctx, kubeClient, accounts[i]); err != nil {
@@ -284,12 +288,16 @@ func upsertRoleBinding(ctx context.Context, kubeClient client.Client, roleBindin
 	return nil
 }
 
-func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding) error {
+func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, roleBinding rbacv1.RoleBinding, skipNamespace bool) error {
+	var data []byte
+	var err error
+
+	if !skipNamespace {
 		namespace.TypeMeta = metav1.TypeMeta{
 			APIVersion: "v1",
 			Kind:       "Namespace",
 		}
-	data, err := yaml.Marshal(namespace)
+		data, err = yaml.Marshal(namespace)
 		if err != nil {
 			return err
 		}
@@ -297,6 +305,7 @@ func exportTenant(namespace corev1.Namespace, account corev1.ServiceAccount, rol
 
 		printlnStdout("---")
 		printlnStdout(resourceToString(data))
+	}
 
 	account.TypeMeta = metav1.TypeMeta{
 		APIVersion: "v1",

cmd/flux/create_tenant_test.go

@@ -54,6 +54,11 @@ func TestCreateTenant(t *testing.T) {
 			args:   "create tenant dev-team --with-namespace=apps --cluster-role=custom-role --export",
 			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-cluster-role.yaml"),
 		},
+		{
+			name:   "tenant with skip namespace",
+			args:   "create tenant dev-team --with-namespace=apps --cluster-role=cluster-admin --skip-namespace --export",
+			assert: assertGoldenFile("./testdata/create_tenant/tenant-with-skip-namespace.yaml"),
+		},
 	}
 
 	for _, tt := range tests {

cmd/flux/testdata/create_tenant/tenant-with-skip-namespace.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: dev-team
+  namespace: apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: dev-team-reconciler
+  namespace: apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: gotk:apps:reconciler
+- kind: ServiceAccount
+  name: dev-team
+  namespace: apps