multiple ns watch

adobe · Mar 11, 2020 · a0498ea · a0498ea
1 parent 962390c
commit a0498ea
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 3 deletions.
diff --git a/charts/zookeeper-operator/templates/operator.yaml b/charts/zookeeper-operator/templates/operator.yaml
@@ -25,9 +25,13 @@ spec:
         - zookeeper-operator
         env:
         - name: WATCH_NAMESPACE
+          {{- if .Values.namespaces }}
+          value: {{ .Values.namespaces }}
+          {{- else }}
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+          {{- end }}
         - name: POD_NAME
           valueFrom:
             fieldRef:

diff --git a/charts/zookeeper-operator/values.yaml b/charts/zookeeper-operator/values.yaml
@@ -19,3 +19,6 @@ serviceAccount:
 # Whether to create custom resource
 crd:
   create: true
+
+# List of namespaces to watch resources in
+#namespaces: "ns1,ns2,ns3"
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -16,6 +16,7 @@ import (
 	"fmt"
 	"os"
 	"runtime"
+	"strings"
 
 	"github.com/operator-framework/operator-sdk/pkg/k8sutil"
 	"github.com/operator-framework/operator-sdk/pkg/leader"
@@ -26,6 +27,7 @@ import (
 	"github.com/pravega/zookeeper-operator/pkg/version"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
@@ -64,11 +66,24 @@ func main() {
 		os.Exit(0)
 	}
 
-	namespace, err := k8sutil.GetWatchNamespace()
+	namespaces, err := k8sutil.GetWatchNamespace()
 	if err != nil {
 		log.Error(err, "failed to get watch namespace")
 		os.Exit(1)
 	}
+	//When operator is started to watch resources in a specific set of namespaces, we use the MultiNamespacedCacheBuilder cache.
+	//In this scenario, it is also suggested to restrict the provided authorization to this namespace by replacing the default
+	//ClusterRole and ClusterRoleBinding to Role and RoleBinding respectively
+	//For further information see the kubernetes documentation about
+	//Using [RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
+	managerWatchCache := (cache.NewCacheFunc)(nil)
+	if namespaces != "" {
+		ns := strings.Split(namespaces, ",")
+		for i := range ns {
+			ns[i] = strings.TrimSpace(ns[i])
+		}
+		managerWatchCache = cache.MultiNamespacedCacheBuilder(ns)
+	}
 
 	// Get a config to talk to the apiserver
 	cfg, err := config.GetConfig()
@@ -89,7 +104,7 @@ func main() {
 	defer r.Unset()
 
 	// Create a new Cmd to provide shared dependencies and start components
-	mgr, err := manager.New(cfg, manager.Options{Namespace: namespace})
+	mgr, err := manager.New(cfg, manager.Options{NewCache: managerWatchCache})
 	if err != nil {
 		log.Error(err, "")
 		os.Exit(1)

diff --git a/pkg/utils/zookeeper_util.go b/pkg/utils/zookeeper_util.go
@@ -25,7 +25,7 @@ const (
 
 func GetZkServiceUri(zoo *v1beta1.ZookeeperCluster) (zkUri string) {
 	zkClientPort, _ := ContainerPortByName(zoo.Spec.Ports, "client")
-	zkUri = zoo.GetClientServiceName() + ":" + strconv.Itoa(int(zkClientPort))
+	zkUri = fmt.Sprintf("%s.%s", zoo.GetClientServiceName(), zoo.GetNamespace()) + ":" + strconv.Itoa(int(zkClientPort))
 	return zkUri
 }