-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add design document for multiples-url-to-the-same-repo feature #1644
Open
chmouel
wants to merge
1
commit into
openshift-pipelines:main
Choose a base branch
from
chmouel:design-multiple-urls
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| --- | ||
| title: Design Proposals | ||
| weight: 3 | ||
| --- | ||
| # Pipelines-as-Code Design proposals | ||
|
|
||
| {{<section>}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| --- | ||
| title: Matching multiple URLs to the same Repository CR | ||
| weight: 1 | ||
| --- | ||
|
|
||
| # Matching multiple URLs to the same Repository CR | ||
|
|
||
| ## Background | ||
|
|
||
| The current implementation of the Repository CR allows specifying a single URL | ||
| for the repository. This is limiting in cases where the repository is mirrored | ||
| to multiple URLs. This document proposes a way to allow specifying multiple URLs | ||
| for the same repository. | ||
|
|
||
| ## Goal | ||
|
|
||
| The goal is to allows specifying multiple URLs for the same repository in the | ||
| same namespace. All settings for all repositories are inside a single Repository | ||
| CR. | ||
|
|
||
| ## Non Goals | ||
|
|
||
| - Allowing multiple URLs for the same repository in different namespaces. | ||
|
|
||
| ## Proposal | ||
|
|
||
| - Extend the Repository CR to allow specifying a regexp for the URL. | ||
| - Extend the Repository CR to allow specifying a non-matching regexp. | ||
| - Extend the Pipelines-as-Code webhook to ensure that no other Repo CR | ||
| configuration match the newly or updated Repository CR. | ||
|
|
||
| ```yaml | ||
| spec: | ||
| url: https://github.com/foo/.* | ||
| non-url: https://github.com/foo/hello-* | ||
| ``` | ||
|
|
||
| This will match all repositories in the `foo` organization except the one | ||
| starting with `hello-*` | ||
|
|
||
| - Repository status will have a new field `url` that will show the | ||
| matched URL. | ||
|
|
||
| ## Discussion | ||
|
|
||
| The full security model of Pipelines-as-Code is based on the assumption that the | ||
| first one wins. Since we don't have a way (or we decided not to for the | ||
| sake of making it simple) to know who is the real owner of a GitHub (or | ||
| others) repository, we assume that the first one that creates the Repository | ||
| is the owner of the repository. It is up to the cluster administrator to make | ||
| sure which team that has access to a namespace have the proper Repository CR | ||
| matching the GitHub Repository. | ||
|
|
||
| If we start letting people making a regexp for the URL, we need to make sure | ||
| they are not able to hijack other repositories. | ||
|
|
||
| Example scenario: | ||
|
|
||
| - User A creates a Repository CR with a regexp for the URL that matches | ||
| all repositories in the organization. | ||
| - User B creates another Repository CR with a regexp for the URL that as well | ||
| matches all repositories in the organization with a different syntax (regexp | ||
| have many ways to express the same thing). | ||
|
|
||
| The webhook will need to make sure that when User B create that Repository CR to | ||
| deny it since User A had already have a match for it. It is up to the | ||
| Users/Teams to communicate to have the regexps works (using `non-url` setting | ||
| for example) for some repositories and not the others. | ||
|
|
||
| Second scenario: | ||
|
|
||
| - User A has created a Repository CR matching URL: <https://github.com/org/repos> | ||
| - User B has a Repository CR matching URL: <https://github.com/org/otherrepos> | ||
| - User A decide to update their Repo CR with: <https://github.com/org/.*> | ||
|
|
||
| The webhook will deny User A since we have a repository CR in user B already | ||
| matching the new update. | ||
|
|
||
| ## CLI | ||
|
|
||
| - [ ] The CLI will probably not need to handle such advanced use case, this is up to | ||
| the user to directly edit the `Repository` CR Yaml. | ||
|
|
||
| ## UI | ||
|
|
||
| - OpenShift Console will need to be updated I believe to be able to show a status for multiple URL match (TBC) | ||
|
|
||
| ## Tekton Results | ||
|
|
||
| - TBD | ||
|
|
||
| ## Alternatives | ||
|
|
||
| We could extend the global `ConfigMap` setting `auto-configure-new-github-repo` to | ||
| only allows a certain regexps and have a `Repository` template. | ||
|
|
||
| The problem with this is that: | ||
|
|
||
| - It is specific to GitHub | ||
| - The settings is admin level. | ||
| - The Repository CR are not allowed to be customized by the user. | ||
| - The regexps may need to be adjusted and it will only works for a specific | ||
| scenario. | ||
|
|
||
| The advantages is that UI and tools would not need to be adjusted. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
creating one CR for each repo?
is this a lot of work for this use case? or sharing the settings? across repos?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I listed this in the alternatives sections that we could potentially reuse the configmap features of that setting you implemented sometime ago and extend it, but that's an admin thing that doesn't allow much flexibility...
sharing setting is an interesting idea,having a configmap reference that would embed the value..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think allowing multiple repo url could be a nice thing but if we allow regex then it might become quite complex as you have defined in scenarios
handling cases with multiple repos, what if a repo is edited and all
if the requirement for this design is to somehow share settings across repos then we could find someother way π€
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think there is flow in the scenarios i have listed, it's just a matter to have the webhook check if the new value (on update or creation) matches already and fail otherwise? is there more complexities to it do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah webhook can handle that.
wdym by multiples-url-to-the-same-repo?
if we go with regex
https://github.com/foo/.*how it could be same repo?
differen repos can also be in this case right π€