HMW allow unprivileged users to install components that may require CRDs #56

Open
tylerauerbeck opened this issue Mar 26, 2020 · 4 comments


@tylerauerbeck
Contributor

Things like ArgoCD require the installation of some CRDs, which are cluster resources and require elevated privileges to install. This will likely cause some issues in the long run.

This is also an issue when you have multiple users doing development on this stack and trying to deploy/clean this up. One user cleaning up all of their resources and deleting a set of CRDs may inadvertently impact the development being done by another user.

@eformat
Member

eformat commented Mar 26, 2020

I think a common pattern is to deploy the CRDs in a separate chart.

https://thenewstack.io/helm-3-is-almost-boring-and-thats-a-great-sign-of-maturity/

See the comments in here from one of Helm's core maintainers. Not a solved problem.

@tylerauerbeck
Contributor Author

Agreed. I think the difficult part (at least in our current case with Argo) is that it's an external dependency chart, so we don't have much choice there. That being said, it looks like there is a `--skip-crds` flag in the helm command that we can lean on. I think the problem there is that (at least initially) you have to assume that someone with permissions will at least initially install the CRDs that you require.

@eformat
Member

eformat commented Apr 4, 2020

Just so I don't forget: the CRW kustomize app also needs factoring in. It also deploys CRDs needing elevated privilege.

I'm wondering if we can get a narrowed-down service account with least privilege just to install CRDs as part of this.
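One shape the narrowed-down service account from the comment above could take, as an added example that is not part of the thread or the project's own manifests. The names `crd-installer` and `crd-admin` are hypothetical; the two CRD names are the ones Argo CD ships, and any others (for example those of the CRW app) would need to be added to the list.

```yaml
# Added example: ServiceAccount that can install CRDs and nothing else.
# "crd-installer" and "crd-admin" are hypothetical names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: crd-installer
  namespace: crd-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-installer
rules:
  # "create" cannot be restricted with resourceNames, because the object
  # name is not known at authorization time. This rule therefore allows
  # creating any CRD, so the account's token still needs tight handling.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "create"]
  # Changes to existing CRDs are limited to the ones this stack owns.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    resourceNames:
      - applications.argoproj.io
      - appprojects.argoproj.io
    verbs: ["update", "patch"]
  # "delete" is deliberately absent: one user's cleanup cannot remove CRDs
  # (and with them every custom resource) that other users depend on.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crd-installer
subjects:
  - kind: ServiceAccount
    name: crd-installer
    namespace: crd-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crd-installer
```

With the CRDs installed once through this account, unprivileged users can install the chart itself with the `--skip-crds` flag mentioned earlier in the thread.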

@springdo
Contributor

springdo commented Apr 9, 2020

@oybed - FYI
