lhotari commented on PR #387: URL: https://github.com/apache/pulsar-helm-chart/pull/387#issuecomment-1892199716
Good questions @Mortom123.

> Thanks for the work @lhotari and @frankjkelly. I am trying to implement #424 and stumbled upon your recent work. I understand separating PSP related stuff from the rest, as it will be deprecated soon. However, as far as I understand, when using RBAC one still needs to define `Role`s and `RoleBinding`s. Is there any reason why one needs to toggle PSP for these things to become active (e.g. [here](https://github.com/apache/pulsar-helm-chart/blob/8061a8b7aa777d14634be32b6aa3b92b24520255/charts/pulsar/templates/broker-psp.yaml#L20))? Shouldn't we split the old setup into 3 parts:
>
> 1. PSP-related stuff (soon to be removed) (.Values.rbac.psp == True)
> 2. Service Account creation (.Values.rbac.enabled == True)
> 3. `Role`s and `RoleBinding`s, used by 1. and 2. (.Values.rbac.enabled == True)

> However, as far as I understand, when using RBAC one still needs to define `Role`s and `RoleBinding`s. Is there any reason why one needs to toggle PSP for these things to become active (e.g. [here](https://github.com/apache/pulsar-helm-chart/blob/8061a8b7aa777d14634be32b6aa3b92b24520255/charts/pulsar/templates/broker-psp.yaml#L20))?

The referred roles and role bindings defined in broker-psp.yaml are tightly coupled to PSP. That's why they are in the broker-psp.yaml file and require toggling PSP.

> 1. PSP-related stuff (soon to be removed) (.Values.rbac.psp == True)

That is already split into the `*-psp.yaml` templates.

> 2. Service Account creation (.Values.rbac.enabled == True)
> 3. `Role`s and `RoleBinding`s, used by 1. and 2. (.Values.rbac.enabled == True)

If we would start from a clean slate with the Pulsar Helm Chart, we would most likely do it this way. It seems that `.Values.rbac.enabled` hasn't had a clear meaning. IIRC, there are currently templates that create service accounts regardless of `.Values.rbac.enabled`.

@Mortom123 The Apache Pulsar PMC is looking for maintainers for this repository so if you'd like to show some care for this project, it would be appreciated. We can introduce breaking changes in major releases so if it would make sense to organize things differently, that could be done as long as the breaking changes are documented and we bump the major version number.
