feat(deploy): support single namespace

Signed-off-by: Rory Z <[email protected]>

.github/workflows/deploy.yaml

@@ -32,6 +32,15 @@ jobs:
 
           - [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-slim.yaml"]
           - [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-full.yaml"]
+        single_namespace:
+          - false
+        include:
+          - install: helm
+            emqx: [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-slim.yaml"]
+            single_namespace: true
+          - install: helm
+            emqx: [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-full.yaml"]
+            single_namespace: true
 
     steps:
       - run: minikube start
@@ -63,7 +72,8 @@ jobs:
           helm install emqx-operator deploy/charts/emqx-operator \
             --set image.tag=${{ github.sha }} \
             --set development=true \
-            --namespace emqx-operator-system \
+            --set singleNamespace=${{ matrix.single_namespace }} \
+            --namespace ${{ matrix.single_namespace && 'default' || 'emqx-operator-system' }}  \
             --create-namespace
       - name: Check operator
         timeout-minutes: 5

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.22 as builder
+FROM golang:1.22 AS builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

deploy/charts/emqx-operator/README.md

@@ -34,6 +34,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
 | `skipCRDs` | If `true`, skips installing CRDs | `false` |
+| `singleNamespace` | If true, the operator will watch only the namespace where it is deployed. If false, the operator will watch all namespaces. | `false` |
 | `development` | Development configures the logger to use a Zap development config  (stacktraces on warnings, no sampling), otherwise a Zap production config will be used (stacktraces on errors, sampling). | `false` |
 | `image.repository` | Image repository | `emqx/emqx-operator-controller` |
 | `image.tag` | Image tag | `{{RELEASE_VERSION}}` |

deploy/charts/emqx-operator/templates/controller-manager-rbac.yaml

@@ -16,9 +16,16 @@ imagePullSecrets:
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{ if .Values.singleNamespace }}
+kind: RoleBinding
+metadata:
+  name: {{ include "emqx-operator.fullname" . }}-manager-rolebinding
+  namespace: {{ .Release.Namespace }}
+{{- else }}
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "emqx-operator.fullname" . }}-manager-rolebinding
+{{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -29,10 +36,16 @@ subjects:
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{ if .Values.singleNamespace }}
+kind: Role
+metadata:
+  name: {{ include "emqx-operator.fullname" . }}-manager-role
+  namespace: {{ .Release.Namespace }}
+{{- else }}
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: {{ include "emqx-operator.fullname" . }}-manager-role
+{{- end }}
 rules:
 - apiGroups:
   - ""

deploy/charts/emqx-operator/templates/controller-manager.yaml

@@ -51,6 +51,13 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
+        {{- if .Values.singleNamespace }}
+        env:
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- end }}
         readinessProbe:
           httpGet:
             path: /readyz

deploy/charts/emqx-operator/values.yaml

@@ -4,6 +4,9 @@
 
 skipCRDs: false
 
+## If true, the operator will watch only the namespace where it is deployed. If false, the operator will watch all namespaces.
+singleNamespace: false
+
 # Development configures the logger to use a Zap development config
 # (stacktraces on warnings, no sampling), otherwise a Zap production
 # config will be used (stacktraces on errors, sampling).

main.go

@@ -34,6 +34,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
@@ -102,6 +103,7 @@ func main() {
 		LeaderElectionID:       "19fd6fcc.emqx.io",
 		LeaseDuration:          ptr.To(time.Second * 30),
 		RenewDeadline:          ptr.To(time.Second * 20),
+		Cache:                  getCacheOptions(),
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
@@ -173,3 +175,27 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+func getCacheOptions() cache.Options {
+	var watchNamespaceEnvVar = "WATCH_NAMESPACE"
+
+	ns, found := os.LookupEnv(watchNamespaceEnvVar)
+	if !found {
+		return cache.Options{}
+	}
+
+	return cache.Options{
+		DefaultNamespaces: map[string]cache.Config{ns: {}},
+	}
+}
+
+// getWatchNamespace returns the Namespace the operator should be watching for changes
+// func getWatchNamespace() string {
+// 	var watchNamespaceEnvVar = "WATCH_NAMESPACE"
+
+// 	ns, found := os.LookupEnv(watchNamespaceEnvVar)
+// 	if !found {
+// 		return metav1.NamespaceAll
+// 	}
+// 	return ns
+// }

sidecar/reloader/Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.18.3 as builder
+FROM golang:1.18.3 AS builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests