From 4d1e2c024f609212c881309a4393cbd8907ec2af Mon Sep 17 00:00:00 2001 From: Per Goncalves da Silva Date: Thu, 22 Aug 2024 12:34:27 -0300 Subject: [PATCH] update readme Signed-off-by: Per Goncalves da Silva --- README.md | 143 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 141 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 19ca0c4a4..822bab9b2 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,7 @@ The ClusterCatalog resource supports file-based catalog ([FBC](https://olm.opera The following example uses the official [OperatorHub](https://operatorhub.io) catalog. ```bash +# Create ClusterCatalog kubectl apply -f - < [!WARNING] +> The scripts referenced in this section are best-effort and may not always work as +> intended. They are provided as a stopgap until we can offer production grade tooling +> for tasks such as: searching the catalog, discovering supported bundles, and determining +> the least-privilege set of permissions required by the installer service account to install +> the content. + +#### Installation + +An extension needs a namespace in which to be installed and a service account with sufficient +privileges to install the content. For instance: + +```bash +# Create argocd namespace for the argocd-operator +kubectl create ns argocd +``` + +```bash +# Create installer service account +kubectl create serviceaccount -n argocd-system argocd-installer +``` + +> [!WARNING] +> We work around the absence of reliable tooling to determine the set of least privileges +> for the installer service account to be able to install a given bundle by giving +> the installer service account cluster admin privileges. +> This is not an option for production clusters due to the security implications. +> The OLM community is working hard to bridge this tooling gap. + +```bash +# Give service account cluster admin privileges +# This works with KIND - consult documentation for instructions on how +# to grant admin privileges for your kubernetes distribution +kubectl create clusterrolebinding "argocd-operator-installer-cluster-admin" \ + --clusterrole=cluster-admin \ + --serviceaccount="argocd-system:argocd-operator-installer" +``` + +```bash +# Apply ClusterExtension +cat <