feat(deploy): support single namespace

Signed-off-by: Rory Z <[email protected]>

.github/workflows/deploy.yaml

@@ -32,6 +32,11 @@ jobs:
 
           - [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-slim.yaml"]
           - [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-full.yaml"]
+        single_namespace:
+          - false
+        include:
+          - install: helm
+            single_namespace: true
 
     steps:
       - run: minikube start
@@ -63,6 +68,7 @@ jobs:
           helm install emqx-operator deploy/charts/emqx-operator \
             --set image.tag=${{ github.sha }} \
             --set development=true \
+            --set singleNamespace=${{ matrix.single_namespace }} \
             --namespace emqx-operator-system \
             --create-namespace
       - name: Check operator

deploy/charts/emqx-operator/README.md

@@ -34,6 +34,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
 | `skipCRDs` | If `true`, skips installing CRDs | `false` |
+| `singleNamespace` | If true, the operator will watch only the namespace where it is deployed. If false, the operator will watch all namespaces. | `false` |
 | `development` | Development configures the logger to use a Zap development config  (stacktraces on warnings, no sampling), otherwise a Zap production config will be used (stacktraces on errors, sampling). | `false` |
 | `image.repository` | Image repository | `emqx/emqx-operator-controller` |
 | `image.tag` | Image tag | `{{RELEASE_VERSION}}` |

deploy/charts/emqx-operator/templates/controller-manager-rbac.yaml

@@ -16,9 +16,16 @@ imagePullSecrets:
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{ if .Values.singleNamespace }}
+kind: RoleBinding
+metadata:
+  name: {{ include "emqx-operator.fullname" . }}-manager-rolebinding
+  namespace: {{ .Release.Namespace }}
+{{- else }}
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "emqx-operator.fullname" . }}-manager-rolebinding
+{{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -29,10 +36,16 @@ subjects:
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+{{ if .Values.singleNamespace }}
+kind: Role
+metadata:
+  name: {{ include "emqx-operator.fullname" . }}-manager-role
+  namespace: {{ .Release.Namespace }}
+{{- else }}
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: {{ include "emqx-operator.fullname" . }}-manager-role
+{{- end }}
 rules:
 - apiGroups:
   - ""

deploy/charts/emqx-operator/templates/controller-manager.yaml

@@ -51,6 +51,13 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
+        {{- if .Values.singleNamespace }}
+        env:
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- end }}
         readinessProbe:
           httpGet:
             path: /readyz

deploy/charts/emqx-operator/values.yaml

@@ -4,6 +4,9 @@
 
 skipCRDs: false
 
+## If true, the operator will watch only the namespace where it is deployed. If false, the operator will watch all namespaces.
+singleNamespace: false
+
 # Development configures the logger to use a Zap development config
 # (stacktraces on warnings, no sampling), otherwise a Zap production
 # config will be used (stacktraces on errors, sampling).

main.go

@@ -28,8 +28,11 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/utils/ptr"
 
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -102,6 +105,9 @@ func main() {
 		LeaderElectionID:       "19fd6fcc.emqx.io",
 		LeaseDuration:          ptr.To(time.Second * 30),
 		RenewDeadline:          ptr.To(time.Second * 20),
+		Cache: cache.Options{
+			DefaultNamespaces: map[string]cache.Config{getWatchNamespace(): {}},
+		},
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
@@ -173,3 +179,17 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// getWatchNamespace returns the Namespace the operator should be watching for changes
+func getWatchNamespace() string {
+	// WatchNamespaceEnvVar is the constant for env variable WATCH_NAMESPACE
+	// which specifies the Namespace to watch.
+	// An empty value means the operator is running with cluster scope.
+	var watchNamespaceEnvVar = "WATCH_NAMESPACE"
+
+	ns, found := os.LookupEnv(watchNamespaceEnvVar)
+	if !found {
+		return metav1.NamespaceAll
+	}
+	return ns
+}