Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specification of a list of namespaces for the operator to watch #106

Open
ron1 opened this issue Nov 19, 2021 · 4 comments
Open

Allow specification of a list of namespaces for the operator to watch #106

ron1 opened this issue Nov 19, 2021 · 4 comments

Comments

@ron1
Copy link

ron1 commented Nov 19, 2021

I would like to limit the set of namespaces that the operator is watching. This should be configurable when deploying the operator.
@raffaelespazzoli
Copy link
Contributor

can you describe the use case you are trying to address?

@ron1
Copy link
Author

ron1 commented Nov 19, 2021
edited
Loading

I have a central namespace in which I store externally-defined tls certs/keys as secrets w/cert-utils-operator annotations. I use kyverno resource generation w/sync (https://kyverno.io/policies/other/sync_secrets/) to clone and rename these secrets into multiple workload-(dev|test)-[1-9] namespaces for use by Ingress resources and Java-based Deployment resources. The cert-utils-operator augments these secrets with a keystore and a truststore to support the Java applications running in the different namespaces.

Currently, both kyverno and the cert-utils-operator are watching and mutating these secrets in the central source namespace and all the target workload namespaces. It is inefficient for the cert-utils-operator to watch the secrets that get cloned/synced to the target namespaces. Furthermore, it seems that management of these secrets in both the source and target namespaces by the cert-utils-operator is causing kyverno to thrash as it attempts to sync these secrets.

I would like to configure the cert-utils-operator to only watch and mutate secrets in the central source namespace as an optimization and also to minimize any potential conflicts with kyverno resource generation.

@raffaelespazzoli
Copy link
Contributor

can you share one of these secrets, just the annotations. I'd like to get a better idea of what is happening.

@ron1
Copy link
Author

ron1 commented Dec 8, 2021

My secret is as follows:

Name: my-secret
Namespace: my-namespace
Labels:
- app.kubernetes.io/managed-by=kyverno
- kyverno.io/generated-by-kind=Namespace
- kyverno.io/generated-by-name=myNamespace
- kyverno.io/generated-by-namespace=
- policy.kyverno.io/gr-name=gr-n7vqx
- policy.kyverno.io/policy-name=sync-my-system-my-secret
- policy.kyverno.io/synchronize=enable
Annotations:
- cert-utils-operator.redhat-cop.io/generate-java-keystores="true"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ron1 @raffaelespazzoli