Managing Custom Namespaces in a secured environment

Great Question from today:

We are trying to template the toggles below under the kots-app config, with no success:

requireMinimalRBACPrivileges
additionalNamespaces

We need to be able to let our customer control these toggles on deployment, and specify the namespace accordingly for minimal RBAC permissions.

Put another way, at least as I understand it, this comes down to “My customer only wants to give me access to one or more specific namespaces, and I want to make this customizable for them”

As far as I know, those flags cannot be templated, so the decision has to be made by the customer at install time rather than through the app config. My recommendations for each are below:

requireMinimalRBACPrivileges

Instead of requireMinimalRBACPrivileges, set supportsMinimalRBACPrivileges in the Application spec, and then instruct your customer to pass the --use-minimal-rbac flag to kots install at runtime (see the supportsMinimalRBACPrivileges docs). This keeps the choice of scoped-down RBAC with the customer, which is exactly who needs to make it.

If you need to customize further, the customer can also run kubectl kots admin-console generate-manifests with the --minimal-rbac flag (see the Replicated Docs), review the generated RBAC objects, and apply them themselves.
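As an added example (not from the original post), here is what the Application manifest looks like when it advertises minimal-RBAC support and leaves the decision to the customer. The app name and title are placeholders; the commented-out fields are the two toggles from the question, shown only to make clear that they stay out of the vendor's manifest:

```yaml
# Added example (not from the original post): a KOTS Application manifest that
# advertises minimal-RBAC support instead of requiring it. "my-app" and the
# title are placeholders.
apiVersion: kots.io/v1beta1
kind: Application
metadata:
  name: my-app
spec:
  title: My App
  # Advertise support; the customer opts in at install time with
  # --use-minimal-rbac, so the vendor never has to guess the customer's policy.
  supportsMinimalRBACPrivileges: true
  # Not set on purpose: neither field can be templated, so setting either one
  # here would hard-code a decision that belongs to the customer.
  # requireMinimalRBACPrivileges: true
  # additionalNamespaces:
  #   - some-other-namespace
```

With this in place the customer installs with `kubectl kots install my-app --namespace <their-namespace> --use-minimal-rbac`, or, if they want to inspect the RBAC before anything is created, generates it with `kubectl kots admin-console generate-manifests --namespace <their-namespace> --minimal-rbac` and applies the reviewed output. Because no additionalNamespaces are listed, the generated Role is scoped to that single namespace.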

additionalNamespaces

For the namespace side of things, the answer at its core comes down to following best practices for architecting an application that will be delivered into heterogeneous customer environments, especially when you are going to be a single tenant in a larger cluster:

  1. Minimize specificity / requirement when deploying the app
  2. Deploy everything into a single namespace, admin console, application, everything
  3. Don’t deploy things that need cluster wide access like Ingress Controllers, Service Meshes, etc.
    a. For example, don’t architect your app to rely on a specific ingress controller functionality if plain Service objects will solve the problem

This is fully documented in Managing Application Namespaces (Replicated Docs).

Recommended

# good, namespace absent
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spline-reticulators
spec:

Not Recommended

# bad, configurable
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spline-reticulator
  namespace: repl{{ ConfigOption "gv_namespace" }}
spec:

If you do need to pass a namespace as a parameter into a Helm chart (or similar), pass it with {{repl Namespace}}, which resolves to the namespace the KOTS App Manager is already installed into. The customer never has to type a namespace into the config, and your manifests never carry a namespace that could disagree with where the install actually landed.
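As an added example (not from the original post), this is how the install namespace reaches a chart value through a KOTS HelmChart custom resource. The chart name, version and the value key targetNamespace are placeholders for whatever the chart in question expects:

```yaml
# Added example (not from the original post): a KOTS HelmChart resource that
# hands the install namespace to a chart value instead of asking the customer
# for one. Chart name, version and the "targetNamespace" key are placeholders.
apiVersion: kots.io/v1beta1
kind: HelmChart
metadata:
  name: spline-reticulators
spec:
  chart:
    name: spline-reticulators
    chartVersion: 1.0.0
  values:
    # Rendered by KOTS at deploy time to the namespace the Admin Console, and
    # therefore the application, is installed into. No ConfigOption is needed,
    # and no namespace is hard-coded in the vendor's manifests.
    targetNamespace: repl{{ Namespace }}
```

The value lands in the chart's values exactly as the rendered namespace string, so the chart can use it wherever it needs the namespace (for example in a ServiceAccount reference or a fully qualified service name) while the Deployment, Service and other objects in the chart are still emitted without a metadata.namespace of their own, matching the "good, namespace absent" pattern above.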