Fix flyte-to-union prefix and add singleTenantOrgID to selfhosted DP#269
Merged
Fix flyte-to-union prefix and add singleTenantOrgID to selfhosted DP#269
Conversation
This was referenced Mar 3, 2026
mhotan
force-pushed
the
mike/fix-crs-rbac-and-proxy-configmap
branch
from
c280b5f to
404a2d4
Compare
3 tasks
mhotan
changed the title
mhotan
force-pushed
the
mike/fix-crs-rbac-and-proxy-configmap
branch
3 times, most recently
from
a5d2b1e to
5bc7b0d
Compare
katrogan
approved these changes
Mar 4, 2026
charts/controlplane/values.yaml
Outdated
| maxOpenConnections: 20 | ||
| connMaxLifeTime: 120s | ||
| configmap: | ||
| # --- Namespace Mapping --- |
Contributor
There was a problem hiding this comment.
nit: does this maybe belong in the previous PR #226
Contributor
Author
There was a problem hiding this comment.
Yeah confirmed it should be apart of that PR.
mhotan
force-pushed
the
mike/fix-crs-rbac-and-proxy-configmap
branch
from
5bc7b0d to
d0b5db6
Compare
mhotan
force-pushed
the
mike/run-102-consolidate-namespace-mapping
branch
from
6a83889 to
49a8b5b
Compare
The top-level `namespace_mapping` in values.yaml was dead config (no template referenced `.Values.namespace_mapping`). Wire it as the canonical source of truth that cascades to all dataplane services when explicitly set: - clusterresourcesync: falls back to `.Values.namespace_mapping` when `.Values.config.namespace_mapping` is not set - nodeexecutor: auto-injects root-level `namespace_mapping` from the top-level value when `executor.raw_config.namespace_mapping` is not set - propeller: falls back to top-level value when `config.namespace_config` is not set - operator: falls back to top-level value for `org.namespaceTemplate` when `config.operator.org` is not set Default remains empty (no template). Per-service overrides still take precedence for backward compatibility. towards RUN-102 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add `namespace_mapping.template` to aws and fully-selfhosted test values to verify the canonical value cascades correctly to all service configmaps (clusterresourcesync, executor, propeller, operator). Azure test values already set per-service overrides (`config.namespace_config`, `config.operator.org`), which confirms backward compat (overrides take precedence over the top-level value). towards RUN-102 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mhotan
commented
Mar 4, 2026
charts/controlplane/values.yaml
Outdated
| # cascades to propeller, clusterresourcesync, operator, and executor. | ||
| # For consistent namespace resolution, this MUST match the dataplane config. | ||
| # | ||
| # How it works: |
Contributor
Author
There was a problem hiding this comment.
We probably don't need How it works sections
mhotan
force-pushed
the
mike/run-102-consolidate-namespace-mapping
branch
from
49a8b5b to
c3b5c7d
Compare
mhotan
force-pushed
the
mike/fix-crs-rbac-and-proxy-configmap
branch
from
d0b5db6 to
1c8ab57
Compare
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three fixes for selfhosted dataplane deployments: 1. ClusterRoleBinding `union-clustersync-resource` referenced ClusterRole `clustersync-resource` instead of `union-clustersync-resource`, causing all CRS namespace creation to fail with RBAC errors. Introduced in #260. 2. operator-proxy deployment referenced ConfigMap `flyte-clusterresourcesync-config` instead of `union-clusterresourcesync-config`, leaving the proxy stuck in ContainerCreating. 3. Add singleTenantOrgID to AWS and GCP selfhosted-intracluster dataplane values. Without this, the DP operator-proxy identity interceptor rejects internal requests from the CP dataproxy (401 on CreateUploadLocation). The CP already sets this — the DP was missing it. NOTE: Existing deployments will need the old ClusterRoleBinding deleted before ArgoCD can recreate it, since roleRef is immutable: kubectl delete clusterrolebinding union-clustersync-resource Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mhotan
force-pushed
the
mike/fix-crs-rbac-and-proxy-configmap
branch
from
1c8ab57 to
c49e3af
Compare
Contributor
Author
|
/aviator merge |
Contributor
|
Aviator has accepted the merge request. It will enter the queue when all of the required status checks have passed. Aviator will update the sticky status comment as the pull request moves through the queue. |
Contributor
|
The base branch (mike/run-102-consolidate-namespace-mapping) of this pull request is not configured as a base branch. Please edit the base branch of this PR if you wish to merge using Aviator. |
Base automatically changed from
mike/run-102-consolidate-namespace-mapping
to
main
March 4, 2026 16:44
Contributor
Current Aviator status
This PR was merged manually (without Aviator). Merging manually can negatively impact the performance of the queue. Consider using Aviator next time.
See the real-time status of this PR on the
Aviator webapp.
Use the Aviator Chrome Extension
to see the status of your PR within GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
flyte-tounion-prefix in CRS ClusterRoleBinding (was referencing wrong ServiceAccount)singleTenantOrgIDto selfhosted dataplane values for single-tenant deploymentsTest plan
make helm-testpasses (golden files regenerated)union-prefixed ServiceAccountRollout Plan
Bug fix — corrects misconfigured RBAC and proxy references. Safe to roll out immediately.
Rollback Plan
Revert this commit.
main