From 589747f239a220a096b3675e130e85afab6ce701 Mon Sep 17 00:00:00 2001 From: Rory Z <16801068+Rory-Z@users.noreply.github.com> Date: Mon, 23 Dec 2024 10:16:58 +0800 Subject: [PATCH] feat(deploy): support single namespace Signed-off-by: Rory Z <16801068+Rory-Z@users.noreply.github.com> --- .github/workflows/deploy.yaml | 14 ++++++++++++-- Dockerfile | 2 +- deploy/charts/emqx-operator/README.md | 1 + .../templates/controller-manager-rbac.yaml | 19 ++++++++++++++++++- .../templates/controller-manager.yaml | 7 +++++++ deploy/charts/emqx-operator/values.yaml | 3 +++ main.go | 17 +++++++++++++++++ sidecar/reloader/Dockerfile | 2 +- 8 files changed, 60 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 7000f8549..b54e4b948 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -32,6 +32,12 @@ jobs: - [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-slim.yaml"] - [EMQX, emqx, "config/samples/emqx/v2beta1/emqx-full.yaml"] + single_namespace: + - false + - true + exclude: + - install: static + single_namespace: true steps: - run: minikube start @@ -63,11 +69,15 @@ jobs: helm install emqx-operator deploy/charts/emqx-operator \ --set image.tag=${{ github.sha }} \ --set development=true \ - --namespace emqx-operator-system \ + --set singleNamespace=${{ matrix.single_namespace }} \ + --namespace ${{ matrix.single_namespace && 'default' || 'emqx-operator-system' }} \ --create-namespace - name: Check operator timeout-minutes: 5 - run: kubectl wait --for=condition=Ready pods -l "control-plane=controller-manager" -n emqx-operator-system + run: | + kubectl wait --for=condition=Ready pods \ + -l "control-plane=controller-manager" \ + -n ${{ matrix.single_namespace && 'default' || 'emqx-operator-system' }} - name: Deployment emqx timeout-minutes: 5 uses: ./.github/actions/deploy-emqx diff --git a/Dockerfile b/Dockerfile index bfb69eb75..5e54635dc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.22 as builder +FROM golang:1.22 AS builder WORKDIR /workspace # Copy the Go Modules manifests diff --git a/deploy/charts/emqx-operator/README.md b/deploy/charts/emqx-operator/README.md index cbb6df28d..31f9e7814 100644 --- a/deploy/charts/emqx-operator/README.md +++ b/deploy/charts/emqx-operator/README.md @@ -34,6 +34,7 @@ The following table lists the configurable parameters of the cert-manager chart | Parameter | Description | Default | | --------- | ----------- | ------- | | `skipCRDs` | If `true`, skips installing CRDs | `false` | +| `singleNamespace` | If true, the operator will watch only the namespace where it is deployed. If false, the operator will watch all namespaces. | `false` | | `development` | Development configures the logger to use a Zap development config (stacktraces on warnings, no sampling), otherwise a Zap production config will be used (stacktraces on errors, sampling). | `false` | | `image.repository` | Image repository | `emqx/emqx-operator-controller` | | `image.tag` | Image tag | `{{RELEASE_VERSION}}` | diff --git a/deploy/charts/emqx-operator/templates/controller-manager-rbac.yaml b/deploy/charts/emqx-operator/templates/controller-manager-rbac.yaml index 173d5f40b..154ce7a91 100644 --- a/deploy/charts/emqx-operator/templates/controller-manager-rbac.yaml +++ b/deploy/charts/emqx-operator/templates/controller-manager-rbac.yaml @@ -16,12 +16,23 @@ imagePullSecrets: {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 +{{ if .Values.singleNamespace }} +kind: RoleBinding +metadata: + name: {{ include "emqx-operator.fullname" . }}-manager-rolebinding + namespace: {{ .Release.Namespace }} +{{- else }} kind: ClusterRoleBinding metadata: name: {{ include "emqx-operator.fullname" . }}-manager-rolebinding +{{- end }} roleRef: apiGroup: rbac.authorization.k8s.io + {{- if .Values.singleNamespace }} + kind: Role + {{- else }} kind: ClusterRole + {{- end }} name: {{ include "emqx-operator.fullname" . }}-manager-role subjects: - kind: ServiceAccount @@ -29,10 +40,16 @@ subjects: namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 +{{ if .Values.singleNamespace }} +kind: Role +metadata: + name: {{ include "emqx-operator.fullname" . }}-manager-role + namespace: {{ .Release.Namespace }} +{{- else }} kind: ClusterRole metadata: - creationTimestamp: null name: {{ include "emqx-operator.fullname" . }}-manager-role +{{- end }} rules: - apiGroups: - "" diff --git a/deploy/charts/emqx-operator/templates/controller-manager.yaml b/deploy/charts/emqx-operator/templates/controller-manager.yaml index b69a5c27c..5688b5cfa 100644 --- a/deploy/charts/emqx-operator/templates/controller-manager.yaml +++ b/deploy/charts/emqx-operator/templates/controller-manager.yaml @@ -51,6 +51,13 @@ spec: - containerPort: 9443 name: webhook-server protocol: TCP + {{- if .Values.singleNamespace }} + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} readinessProbe: httpGet: path: /readyz diff --git a/deploy/charts/emqx-operator/values.yaml b/deploy/charts/emqx-operator/values.yaml index 1c6e87675..da36eb7fb 100644 --- a/deploy/charts/emqx-operator/values.yaml +++ b/deploy/charts/emqx-operator/values.yaml @@ -4,6 +4,9 @@ skipCRDs: false +## If true, the operator will watch only the namespace where it is deployed. If false, the operator will watch all namespaces. +singleNamespace: false + # Development configures the logger to use a Zap development config # (stacktraces on warnings, no sampling), otherwise a Zap production # config will be used (stacktraces on errors, sampling). diff --git a/main.go b/main.go index c3e81fcb7..bd0795e74 100644 --- a/main.go +++ b/main.go @@ -34,6 +34,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" @@ -102,6 +103,9 @@ func main() { LeaderElectionID: "19fd6fcc.emqx.io", LeaseDuration: ptr.To(time.Second * 30), RenewDeadline: ptr.To(time.Second * 20), + Cache: cache.Options{ + DefaultNamespaces: getWatchNamespace(), + }, }) if err != nil { setupLog.Error(err, "unable to start manager") @@ -173,3 +177,16 @@ func main() { os.Exit(1) } } + +// getWatchNamespace returns the Namespace the operator should be watching for changes +func getWatchNamespace() map[string]cache.Config { + var watchNamespaceEnvVar = "WATCH_NAMESPACE" + + ns, found := os.LookupEnv(watchNamespaceEnvVar) + if found { + return map[string]cache.Config{ + ns: {}, + } + } + return nil +} diff --git a/sidecar/reloader/Dockerfile b/sidecar/reloader/Dockerfile index 606d25472..a1a79fc3f 100644 --- a/sidecar/reloader/Dockerfile +++ b/sidecar/reloader/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.18.3 as builder +FROM golang:1.18.3 AS builder WORKDIR /workspace # Copy the Go Modules manifests