feat: install dynamo operator cluster-wide by default

[julienmancuso]

Overview:

install dynamo operator cluster-wide by default

Summary by CodeRabbit

• Chores

  • Changed default: operator namespace restriction disabled, granting cluster-wide scope by default. Added guidance for enabling restriction and setting a target namespace via Helm; values updated accordingly.

• Documentation

  • Updated Kubernetes guides to use the dynamo-system namespace.
  • Added instructions for creating ${NAMESPACE} and deploying multiple operator instances.
  • Documented namespaceRestriction options and corresponding Helm commands.
  • Updated logging examples (DYNAMO_NAMESPACE) to reflect the new namespace.

[coderabbitai]

Walkthrough

Updates Helm chart default to disable namespaceRestriction for the Dynamo Operator (cluster-wide by default), expands README guidance on scoping/targetNamespace, and standardizes Kubernetes docs to use the dynamo-system namespace with added notes on operator scope and setup commands.

Changes

Cohort / File(s)	Summary of changes
Helm chart defaults and docs deploy/cloud/helm/platform/values.yaml, deploy/cloud/helm/platform/README.md	Flip dynamo-operator.namespaceRestriction.enabled default from true to false. Expand README to clarify cluster-wide default, how to enable restriction, and how targetNamespace is used.
Kubernetes docs namespace standardization docs/kubernetes/README.md, docs/kubernetes/installation_guide.md, docs/kubernetes/logging.md	Change default namespace references to dynamo-system. Add explicit kubectl create namespace ${NAMESPACE}. Add guidance on operator watching all namespaces by default and how to enable namespace restriction via Helm set commands. Update example env var DYNAMO_NAMESPACE.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant H as Helm Chart
  participant O as Dynamo Operator
  participant NS as Kubernetes Namespaces

  U->>H: helm install ... (namespaceRestriction.enabled=false)
  H-->>O: Deploy Operator (cluster-scoped RBAC)
  O->>NS: Watch all namespaces

  alt Restrict to a namespace
    U->>H: helm install ... --set dynamo-operator.namespaceRestriction.enabled=true --set dynamo-operator.namespaceRestriction.targetNamespace=<ns>
    H-->>O: Deploy Operator (namespaced RBAC)
    O->>NS: Watch only <ns> (defaults to release namespace if unset)
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: Add Grove and Kai scheduler as part of dynamo cloud helm chart #2755 — Also changes the same Helm value dynamo-operator.namespaceRestriction.enabled; closely related default/description behavior.
• fix: add steps to install using published helm charts #1623 — Modifies namespace restriction fields/templates, including handling of targetNamespace; tied to operator scoping.
• docs: Update the operator docs #2172 — Updates operator documentation around namespace usage and scope; aligns with current doc changes.

Poem

In dynamo fields where pods abide,
I hop with charts set cluster-wide.
Flip a flag—now stay confined,
One namespace, tidy and aligned.
Helm bells ring, namespaces gleam,
Carrots deployed—what a dream! 🥕🐇

Pre-merge checks

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The pull request description only contains the Overview section and omits the required Details, Where should the reviewer start, and Related Issues sections from the repository template, leaving reviewers without information on specific changes, entry points, or issue context.	Please update the PR description to include a Details section summarizing both code and documentation changes, a Where should the reviewer start section listing key files for review, and a Related Issues section referencing any relevant issue numbers.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title clearly and concisely summarizes the primary change of making the Dynamo operator run cluster-wide by default, which aligns directly with the modifications in the Helm values and documentation.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

deploy/cloud/helm/platform/values.yaml (1)

36-38: Clarify description of targetNamespace (watch scope vs deploy ns).
Wording “Target namespace for operator deployment” can be read as where the operator Pod runs, not what it watches. Suggest clarifying it as the namespace the operator watches when restriction is enabled.

Apply this diff for clarity:

-    # -- Target namespace for operator deployment (leave empty for current namespace)
+    # -- Target namespace to watch when restriction is enabled (defaults to Helm release namespace if empty)

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70f9938 and 0b01ffc.

📒 Files selected for processing (5)

• deploy/cloud/helm/platform/README.md (1 hunks)
• deploy/cloud/helm/platform/values.yaml (1 hunks)
• docs/kubernetes/README.md (2 hunks)
• docs/kubernetes/installation_guide.md (3 hunks)
• docs/kubernetes/logging.md (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: julienmancuso
PR: ai-dynamo/dynamo#1474
File: deploy/cloud/operator/internal/controller/dynamocomponent_controller.go:1308-1312
Timestamp: 2025-06-11T21:29:28.650Z
Learning: User julienmancuso expects replies in English; avoid switching languages unless explicitly requested.

📚 Learning: 2025-09-17T22:35:40.674Z

Learnt from: julienmancuso
PR: ai-dynamo/dynamo#3100
File: deploy/cloud/operator/cmd/main.go:186-190
Timestamp: 2025-09-17T22:35:40.674Z
Learning: The mpiRunSecretName validation in deploy/cloud/operator/cmd/main.go is safe for upgrades because the Helm chart automatically populates dynamo-operator.dynamo.mpiRun.secretName with a default value of "mpi-run-ssh-secret" and includes SSH key generation functionality via sshKeygen.enabled: true.

Applied to files:

• deploy/cloud/helm/platform/values.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build and Test - dynamo

🔇 Additional comments (5)

docs/kubernetes/logging.md (1)

34-34: LGTM: Namespace example aligned to dynamo-system.
Matches the new defaults across docs. No further action.

docs/kubernetes/installation_guide.md (2)

72-72: LGTM: Default namespace set to dynamo-system.
Consistent with the broader docs shift.

---

102-110: Good tip block; commands are correct.
Minor note: targetNamespace is ignored unless restriction is enabled, which you state. No changes needed.

If desired, add a one-liner example combining both flags:
--set "dynamo-operator.namespaceRestriction.enabled=true,dynamo-operator.namespaceRestriction.targetNamespace=dynamo-namespace"

docs/kubernetes/README.md (1)

26-26: LGTM: Default namespace set to dynamo-system.
Matches installation guide.

deploy/cloud/helm/platform/README.md (1)

61-63: LGTM: Docs reflect new default (cluster-wide).
Table defaults and descriptions match values.yaml.

Consider adding a short “Upgrade Notes” section calling out the default change to cluster-wide and how to retain prior behavior via namespaceRestriction.enabled=true.

[tmonty12]

nice work