feat: Make operator to watch only operator namespace (#183)

* NOJIRA: Make operator respect the 'WATCH_NAMESPACE' env variable

* namespacedMode

* feat: ability to watch only operator namespace

---------

Co-authored-by: Ivaylo Papratilov <ivaylo.papratilov@corva.ai>
Co-authored-by: vkryzh <mail@vvk.im>

.github/workflows/ci.yaml

@@ -17,7 +17,7 @@ jobs:
     env:
       # UPDATE_HERE
       # https://hub.docker.com/r/rancher/k3s/tags
-      K3S_VERSION: v1.30.0-k3s1
+      K3S_VERSION: v1.30.2-k3s2
       # https://github.com/helm-unittest/helm-unittest/releases
       HELM_UNITTEST_VERSION: 0.5.1
 

.tool-versions

@@ -1,14 +1,14 @@
 # UPDATE_HERE
 # https://github.com/kubernetes-sigs/kubebuilder/releases
-kubebuilder 3.15.0
+kubebuilder 4.1.0
 # https://golang.org/dl/
-golang 1.22.4
+golang 1.22.5
 # https://github.com/mozilla/sops/releases
 sops 3.9.0
 # https://github.com/kubernetes-sigs/kustomize/releases
 kustomize 5.4.2
 # https://github.com/rancher/k3d/releases
-k3d 5.6.3
+k3d 5.7.1
 # https://github.com/kubernetes/kubernetes/releases
 kubectl 1.30.2
 # https://github.com/helm/helm/releases

Makefile

@@ -1,12 +1,12 @@
 # UPDATE_HERE
 # !!!!!!! NOTE: GOEXPERIMENT=nocoverageredesign is temp until 1.23.x
 GO := GOEXPERIMENT=nocoverageredesign GOPROXY=https://proxy.golang.org go
-SOPS_SEC_OPERATOR_VERSION := 0.13.1
+SOPS_SEC_OPERATOR_VERSION := 0.13.2
 
 # https://github.com/kubernetes-sigs/controller-tools/releases
 CONTROLLER_GEN_VERSION := "v0.15.0"
 # https://github.com/kubernetes-sigs/controller-runtime/releases
-CONTROLLER_RUNTIME_VERSION := "v0.18.2"
+CONTROLLER_RUNTIME_VERSION := "v0.18.4"
 # https://github.com/kubernetes-sigs/kustomize/releases
 KUSTOMIZE_VERSION := "v5.4.2"
 # use `setup-envtest list` to obtain the list of available versions

PROJECT

@@ -1,6 +1,6 @@
 domain: github.com
 layout:
-- go.kubebuilder.io/v3
+- go.kubebuilder.io/v4
 projectName: sops-secrets-operator
 repo: github.com/isindir/sops-secrets-operator
 # UPDATE_HERE

README.md

@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.30.x | v3.9.0 | 0.19.1 | 0.13.1 |
+| v1.30.x | v3.9.0 | 0.19.2 | 0.13.2 |
 | v1.29.x | v3.8.1 | 0.18.6 | 0.12.6 |
 | v1.28.x | v3.8.1 | 0.17.4 | 0.11.4 |
 | v1.27.x | v3.7.3 | 0.15.5 | 0.9.5 |

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.19.1
-appVersion: 0.13.1
+version: 0.19.2
+appVersion: 0.13.2
 type: application
 description: Helm chart deploys sops-secrets-operator
 name: sops-secrets-operator

chart/helm3/sops-secrets-operator/README.md

@@ -134,7 +134,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | healthProbes.readiness | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | image.pullPolicy | string | `"Always"` | Operator image pull policy |
 | image.repository | string | `"isindir/sops-secrets-operator"` | Operator image name |
-| image.tag | string | `"0.13.1"` | Operator image tag |
+| image.tag | string | `"0.13.2"` | Operator image tag |
 | imagePullSecrets | list | `[]` | Secrets to pull image from private docker repository |
 | initImage.pullPolicy | string | `"Always"` | Init container image pull policy |
 | initImage.repository | string | `"ubuntu"` | Init container image name |
@@ -148,6 +148,7 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | logging.timeEncoding | string | `"iso8601"` | Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano'). Defaults to 'epoch'. |
 | metrics.enabled | bool | `false` | Enable prometheus metrics |
 | nameOverride | string | `""` | Overrides auto-generated short resource name |
+| namespaced | bool | `false` | If set - operator will watch SopsSecret resources only in operator namespace |
 | nodeSelector | object | `{}` | Node selector to use for pod configuration |
 | podAnnotations | object | `{}` | Annotations to be added to operator pod (can be used with kiam or kube2iam) |
 | rbac.enabled | bool | `true` | Create and use RBAC resources |

chart/helm3/sops-secrets-operator/templates/cluster_role.yaml

@@ -1,6 +1,10 @@
 {{- if .Values.rbac.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.namespaced }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
   name: {{ include "sops-secrets-operator.fullname" . }}
   labels:

chart/helm3/sops-secrets-operator/templates/cluster_role_binding.yaml

@@ -1,5 +1,9 @@
 {{- if .Values.rbac.enabled }}
+{{- if .Values.namespaced }}
+kind: RoleBinding
+{{- else }}
 kind: ClusterRoleBinding
+{{- end }}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ include "sops-secrets-operator.fullname" . }}
@@ -10,7 +14,11 @@ subjects:
   name: {{ include "sops-secrets-operator.fullname" . }}
   namespace: {{ .Release.Namespace }}
 roleRef:
+{{- if .Values.namespaced }}
+  kind: Role
+{{- else }}
   kind: ClusterRole
+{{- end }}
   name: {{ include "sops-secrets-operator.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}

chart/helm3/sops-secrets-operator/templates/operator.yaml

@@ -92,6 +92,9 @@ spec:
           - "-zap-log-level={{ .Values.logging.level }}"
           - "-zap-stacktrace-level={{ .Values.logging.stacktraceLevel }}"
           - "-zap-time-encoding={{ .Values.logging.timeEncoding }}"
+          {{- if .Values.namespaced }}
+          - "-watch-namespace={{ .Release.Namespace }}"
+          {{- end -}}
           {{- if .Values.kubeconfig.enabled }}
           - "-kubeconfig={{ .Values.kubeconfig.path | quote }}"
           {{- end }}

chart/helm3/sops-secrets-operator/tests/operator_test.yaml

@@ -30,8 +30,8 @@ tests:
         app.kubernetes.io/instance: sops
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: sops-secrets-operator
-        app.kubernetes.io/version: 0.13.1
-        helm.sh/chart: sops-secrets-operator-0.19.1
+        app.kubernetes.io/version: 0.13.2
+        helm.sh/chart: sops-secrets-operator-0.19.2
 
 # custom name
 - it: should correctly render custome name
@@ -169,7 +169,7 @@ tests:
   # UPDATE_HERE
   - equal:
       path: spec.template.spec.containers[0].image
-      value: isindir/sops-secrets-operator:0.13.1
+      value: isindir/sops-secrets-operator:0.13.2
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: Always

chart/helm3/sops-secrets-operator/values.yaml

@@ -8,12 +8,15 @@
 # -- Deployment replica count - should not be modified
 replicaCount: 1
 
+# -- If set - operator will watch SopsSecret resources only in operator namespace
+namespaced: false
+
 # UPDATE_HERE
 image:
   # -- Operator image name
   repository: isindir/sops-secrets-operator
   # -- Operator image tag
-  tag: 0.13.1
+  tag: 0.13.2
   # -- Operator image pull policy
   pullPolicy: Always
 

cmd/main.go

@@ -8,6 +8,8 @@ import (
 	"flag"
 	"fmt"
 	"os"
+
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
@@ -48,13 +50,15 @@ func main() {
 	var enableLeaderElection bool
 	var probeAddr string
 	var requeueAfter int64
+	var watchNamespace string
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.Int64Var(&requeueAfter, "requeue-decrypt-after", 5, "Requeue failed reconciliation in minutes (min 1).")
+	flag.StringVar(&watchNamespace, "watch-namespace", "", "Namespace to watch for SopsSecret objects (default: all namespaces).")
 
 	opts := zap.Options{
 		Development: true,
@@ -65,15 +69,29 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme: scheme,
-		Metrics: metricsserver.Options{
-			BindAddress: metricsAddr,
+	cacheOptions := cache.Options{}
+	if watchNamespace != "" {
+		cacheOptions.DefaultNamespaces = map[string]cache.Config{
+			watchNamespace: {},
+		}
+		setupLog.V(0).Info(fmt.Sprintf("Watching SopsSecret objects in namespace %s", watchNamespace))
+	} else {
+		setupLog.V(0).Info("Watching SopsSecret objects in all namespaces")
+	}
+
+	mgr, err := ctrl.NewManager(
+		ctrl.GetConfigOrDie(),
+		ctrl.Options{
+			Scheme: scheme,
+			Cache:  cacheOptions,
+			Metrics: metricsserver.Options{
+				BindAddress: metricsAddr,
+			},
+			HealthProbeBindAddress: probeAddr,
+			LeaderElection:         enableLeaderElection,
+			LeaderElectionID:       "ca57d051.github.com",
 		},
-		HealthProbeBindAddress: probeAddr,
-		LeaderElection:         enableLeaderElection,
-		LeaderElectionID:       "ca57d051.github.com",
-	})
+	)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)

config/manager/manager.yaml

@@ -57,5 +57,10 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
+        env:
+          - name: WATCH_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10