Description of problem:
As a user I would like to limit which templates SSP is deploying in order to limit what my users can use.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install SSP
All tempaltes that SSP ships areinstalled
Selected templates that SSP ships get installed
Adjusting the title of the bug: Instead of not deploying them, a better alternative could be to deploy the templates to a different namespace than the regular "openshift" one, because this a) will make the templates exclusive to the admin (no other user is seeing them) b) the admin still has them in cluster for reference i.e. to create custom tempaltes based on them
(In reply to Fabian Deutsch from comment #3)
> Adjusting the title of the bug: Instead of not deploying them, a better
> alternative could be to deploy the templates to a different namespace than
> the regular "openshift" one, because this a) will make the templates
> exclusive to the admin (no other user is seeing them) b) the admin still has
> them in cluster for reference i.e. to create custom tempaltes based on them
so the workflow for the cluster admin who wants to only expose a small subset of templates would be
- admin sets a field on HCO cr indicating template namespace override (which ultimately influences where ssp installs the common templates)
- admin manually copies over subset of approved templates to the visible "openshift" namespace where they become visible to users
boot sources are cross namespace and independent of this, so this seems like a viable approach.
The SSP CR already has a parameter to specify the namespace for templates:
But it is not configurable form HCO. HCO uses a hardcoded "openshift" namespace.
That's great, so we'd only be looking at extending the HCO API and setting a default there.
How do we move that on their radar? @stirabos do you think that is a change you'd be fine with?
I just had a chat with nunnatsa and we should be fine sending a PR to HCO exposing the API we already have on SSP on their end.
That should give us what we need here.
And it should be a small enough change to still make it for 4.9 if we're quick enough as QE also needs to test it.
This can be done by adding "commonTemplatesNamespace: <custom ns>" to HCO in 4.10, moving the bug to verified status.
Feel free to reopen the bug if it's not the case.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.