
Commit fff0657

authored
Merge pull request #238 from sabre1041/reenable-watch-namespace
2 parents 9ad05c7 + 1a2bb0b commit fff0657

9 files changed

Lines changed: 123 additions & 39 deletions


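--- a/README.md
+++ b/README.md
@@ -543,6 +543,32 @@ spec:
 
 If a schedule is not provided, synchronization will occur only when the object is reconciled by the platform.
 
+## Accessing Secrets and ConfigMaps in Other Namespaces
+
+By default, the operator monitors resources in the namespace that it has been deployed within. This is defined by setting the `WATCH_NAMESPACE` environment variable. Support is available for accessing ConfigMaps and Secrets in other namespaces so that existing resources may be utilized as desired.
+
+To enable the operator to access resources across multiple, set the environment variable with a comma separate list of namespaces that include the namespace the operator is deployed within and any additional namespaces that are desired.
+
+To make use of this feature when deploying through the Operator Lifecycle Manager, set the following configuration on the `Subscription` resource:
+
+```yaml
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+name: group-sync-operator
+namespace: group-sync-operator
+spec:
+channel: alpha
+installPlanApproval: Automatic
+name: group-sync-operator
+source: community-operators
+sourceNamespace: openshift-marketplace
+config:
+env:
+- name: WATCH_NAMESPACE
+value: "<comma separated list of namespaces>"
+```
+
 ## Deploying the Operator
 
 This is a namespace level operator that you can deploy in any namespace. However, `group-sync-operator` is recommended.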

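--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -28,6 +28,11 @@ spec:
 - "--health-probe-bind-address=:8081"
 - "--metrics-addr=127.0.0.1:8080"
 - "--leader-elect"
+env:
+- name: WATCH_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
 volumes:
 - name: tls-cert
 secret: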
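Review bot: The `env` block added to this patch restates, entry for entry, the one this same commit adds to `config/manager/manager.yaml`; kustomize's strategic-merge patch merges container env items by `name`, so the duplicate is harmless today, but two copies of the default will drift the next time one of them is edited. Keep the definition in `manager.yaml` only, or leave a comment here such as `# WATCH_NAMESPACE is also set in ../manager/manager.yaml; keep the two in sync` explaining why the patch must repeat it. The container this patch targets is outside the hunk, so the merge behaviour is inferred from the file's role as a kustomize patch.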

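--- a/config/helmchart/templates/_helpers.tpl
+++ b/config/helmchart/templates/_helpers.tpl
@@ -69,3 +69,14 @@ Create the image path for the passed in image field
 {{- printf "%s:%s" .repository .version -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Check if WATCH_NAMESPACE environment variable has been provided
+*/}}
+{{- define "group-sync-operator.checkWatchNamespace" -}}
+{{- range .Values.env -}}
+{{- if eq .name "WATCH_NAMESPACE" -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}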
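Review bot: The header comment of `group-sync-operator.checkWatchNamespace` says what it checks but not its contract, and the caller in `manager.yaml` depends on the exact output: it prints `true` once per matching entry (so `truetrue` for a duplicate) and nothing at all otherwise. Expand the comment to `Returns "true" when .Values.env holds an entry named WATCH_NAMESPACE, otherwise an empty string; callers compare the result against "".` Also note that `range .Values.env` assumes `env` is a list of maps; if a chart user sets `env` as a map in values.yaml, `.name` fails at render time, so either a `kindIs "slice"` guard or a remark in values.yaml would be worth adding.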

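--- a/config/helmchart/templates/manager.yaml
+++ b/config/helmchart/templates/manager.yaml
@@ -55,12 +55,16 @@ spec:
 image: "{{ template "group-sync-operator.image" .Values.image }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 name: {{ .Chart.Name }}
-{{- if .Values.env }}
 env:
+{{- if eq (include "group-sync-operator.checkWatchNamespace" .) "" }}
+- name: WATCH_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+{{- end }}
 {{- with .Values.env }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
-{{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 livenessProbe: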
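Review bot: Overriding `WATCH_NAMESPACE` through `.Values.env` with additional namespaces, as this commit's README suggests, only re-scopes the manager's cache; the operator's service account still needs get/list/watch on `secrets` and `configmaps` in every listed namespace, and nothing in this hunk creates that, so a chart user who follows the README will get Forbidden errors unless the chart's RBAC templates (outside this hunk) are extended per namespace. Document that next to the default, for example `# Defaults to the release namespace. Listing other namespaces here also requires RBAC for secrets/configmaps in each of them.` Whether the chart already renders per-namespace RoleBindings cannot be seen from this diff.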

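--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -35,6 +35,11 @@ spec:
 requests:
 cpu: 300m
 memory: 200Mi
+env:
+- name: WATCH_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
 livenessProbe:
 httpGet:
 path: /healthz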

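--- a/config/manifests/bases/group-sync-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/group-sync-operator.clusterserviceversion.yaml
@@ -40,6 +40,11 @@ spec:
 - description: Azure represents the Azure provider
 displayName: Azure Provider
 path: providers[0].azure
+- description: AuthorityHost is the location of the Azure Active Directory endpoint
+displayName: Azure URL
+path: providers[0].azure.authorityHost
+x-descriptors:
+- urn:alm:descriptor:com.tectonic.ui:text
 - description: BaseGroups allows for a set of groups to be specified to start
 searching from instead of searching all groups in the directory
 displayName: Base Groups
@@ -90,22 +95,18 @@ spec:
 path: providers[0].azure.insecure
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
-- description: URL is the location of the Azure platform
-displayName: Azure URL
-path: providers[0].azure.url
+- description: Prune Whether to prune groups that are no longer in Azure. Default
+is false
+displayName: Prune
+path: providers[0].azure.prune
 x-descriptors:
-- urn:alm:descriptor:com.tectonic.ui:text
+- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: UserNameAttributes are the fields to consider on the User object
 containing the username
 displayName: Azure UserName Attributes
 path: providers[0].azure.userNameAttributes
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
-- description: Prune Whether to prune groups that are no longer in Azure. Default is false
-displayName: Azure Prune
-path: providers[0].azure.prune
-x-descriptors:
-- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: GitHub represents the GitHub provider
 displayName: GitHub Provider
 path: providers[0].github
@@ -207,6 +208,12 @@ spec:
 path: providers[0].github.organization
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
+- description: Prune Whether to prune groups that are no longer in GitHub. Default
+is false
+displayName: Prune
+path: providers[0].github.prune
+x-descriptors:
+- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: Teams represents a filtered list of teams to synchronize
 displayName: Teams to Synchronize
 path: providers[0].github.teams
@@ -222,11 +229,6 @@ spec:
 path: providers[0].github.v4url
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
-- description: Prune Whether to prune groups that are no longer in GitHub. Default is false
-displayName: GitHub Prune
-path: providers[0].github.prune
-x-descriptors:
-- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: GitLab represents the GitLab provider
 displayName: GitLab Provider
 path: providers[0].gitlab
@@ -322,16 +324,17 @@ spec:
 path: providers[0].gitlab.insecure
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+- description: Prune Whether to prune groups that are no longer in GitLab. Default
+is false
+displayName: Prune
+path: providers[0].gitlab.prune
+x-descriptors:
+- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: URL is the location of the GitLab server
 displayName: GitLab URL
 path: providers[0].gitlab.url
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
-- description: Prune Whether to prune groups that are no longer in GitLab. Default is false
-displayName: GitLab Prune
-path: providers[0].gitlab.prune
-x-descriptors:
-- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: Keycloak represents the Keycloak provider
 displayName: Keycloak Provider
 path: providers[0].keycloak
@@ -428,6 +431,12 @@ spec:
 - description: LoginRealm is the Keycloak realm to authenticate against
 displayName: Realm to Login Against
 path: providers[0].keycloak.loginRealm
+- description: Prune Whether to prune groups that are no longer in Keycloak.
+Default is false
+displayName: Prune
+path: providers[0].keycloak.prune
+x-descriptors:
+- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: Realm is the realm containing the groups to synchronize against
 displayName: Realm to Synchronize
 path: providers[0].keycloak.realm
@@ -441,11 +450,6 @@ spec:
 path: providers[0].keycloak.url
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
-- description: Prune Whether to prune groups that are no longer in Keycloak. Default is false
-displayName: Keycloak Prune
-path: providers[0].keycloak.prune
-x-descriptors:
-- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: Ldap represents the LDAP provider
 displayName: LDAP Provider
 path: providers[0].ldap
@@ -553,6 +557,12 @@ spec:
 path: providers[0].ldap.insecure
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+- description: Prune Whether to prune groups that are no longer in LDAP. Default
+is false
+displayName: Prune
+path: providers[0].ldap.prune
+x-descriptors:
+- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: RFC2307Config represents the configuration for a RFC2307 schema
 displayName: RFC2307 configuration
 path: providers[0].ldap.rfc2307
@@ -566,11 +576,6 @@ spec:
 path: providers[0].ldap.whitelist
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
-- description: Prune Whether to prune groups that are no longer in LDAP. Default is false
-displayName: LDAP Prune
-path: providers[0].ldap.prune
-x-descriptors:
-- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: Name represents the name of the provider
 displayName: Name of the Provider
 path: providers[0].name
@@ -615,8 +620,9 @@ spec:
 path: providers[0].okta.extractLoginUsername
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
-- description: GroupLimit is the maximum number of groups that are requested from OKTA per request. Multiple requests will be made using pagination if you have more groups than this limit.
-Default is "1000"
+- description: GroupLimit is the maximum number of groups that are requested
+from OKTA per request. Multiple requests will be made using pagination
+if you have more groups than this limit. Default is "1000"
 displayName: Group Limit
 path: providers[0].okta.groupLimit
 x-descriptors:
@@ -632,16 +638,17 @@ spec:
 path: providers[0].okta.profileKey
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
+- description: Prune Whether to prune groups that are no longer in OKTA. Default
+is false
+displayName: Prune
+path: providers[0].okta.prune
+x-descriptors:
+- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: URL is the location of the Okta domain server
 displayName: Okta URL
 path: providers[0].okta.url
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:text
-- description: Prune Whether to prune groups that are no longer in OKTA. Default is false
-displayName: OKTA Prune
-path: providers[0].okta.prune
-x-descriptors:
-- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
 - description: Schedule represents a cron based configuration for synchronization
 displayName: Schedule
 path: schedule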
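Review bot: The Azure descriptor moves from `providers[0].azure.url` to `providers[0].azure.authorityHost` with no transitional entry, while its `displayName` is still `Azure URL`, so the console label no longer matches the field it edits. The API types are not part of this commit; if the CRD field was renamed in lockstep and the CRD is structural, existing GroupSync objects that still set `azure.url` will have that value pruned as an unknown field and silently fall back to whatever the provider defaults to. Consider keeping the old `url` descriptor for one release, renaming the label to `Azure Authority Host`, and calling the rename out in the release notes.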

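--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -5,6 +5,14 @@ metadata:
 creationTimestamp: null
 name: manager-role
 rules:
+- apiGroups:
+- ""
+resources:
+- configmaps
+verbs:
+- get
+- list
+- watch
 - apiGroups:
 - ""
 resources: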

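--- a/controllers/groupsync_controller.go
+++ b/controllers/groupsync_controller.go
@@ -51,6 +51,7 @@ type GroupSyncReconciler struct {
 // +kubebuilder:rbac:groups=redhatcop.redhat.io,resources=groupsyncs/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=user.openshift.io,resources=groups,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
 
 func (r *GroupSyncReconciler) Reconcile(context context.Context, req ctrl.Request) (ctrl.Result, error) {
 logger := r.Log.WithValues("groupsync", req.NamespacedName)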
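Review bot: Requesting `list;watch` on `configmaps`, matching the `secrets` marker on the line above, is only needed if the reconciler reads them through the manager's cached client, and in that case the first `Get` starts an informer that lists and watches every ConfigMap and Secret in each watched namespace and holds them in the operator's memory; combined with the cross-namespace `WATCH_NAMESPACE` this commit introduces, that pulls all Secrets of the additional namespaces into the process. If the reconciler only needs point reads of the objects a GroupSync references, do those lookups through `mgr.GetAPIReader()` (an uncached reader) and shrink both markers to `verbs=get`, which is also the least-privilege grant for a read of one named object. The body of `Reconcile` continues outside this hunk, so whether it uses the cached client is inferred from the verbs requested rather than seen.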

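--- a/main.go
+++ b/main.go
@@ -44,7 +44,7 @@ var (
 )
 
 const (
-defaultLeaseDuration = 60 * time.Second
+defaultLeaseDuration = 45 * time.Second
 defaultRenewDeadline = 30 * time.Second
 defaultRetryPeriod = 10 * time.Second
 )
@@ -82,6 +82,8 @@ func main() {
 
 ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 
+watchNamespace := getWatchNamespace()
+
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 Scheme: scheme,
 MetricsBindAddress: metricsAddr,
@@ -93,6 +95,7 @@ func main() {
 LeaseDuration: &leaseDuration,
 RenewDeadline: &renewDeadline,
 RetryPeriod: &retryPeriod,
+Namespace: watchNamespace,
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
@@ -123,3 +126,17 @@ func main() {
 os.Exit(1)
 }
 }
+
+// getWatchNamespace returns the Namespace the operator should be watching for changes
+func getWatchNamespace() string {
+// WatchNamespaceEnvVar is the constant for env variable WATCH_NAMESPACE
+// which specifies the Namespace to watch.
+// An empty value means the operator is running with cluster scope.
+var watchNamespaceEnvVar = "WATCH_NAMESPACE"
+
+ns, found := os.LookupEnv(watchNamespaceEnvVar)
+if !found {
+ns = ""
+}
+return ns
+}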
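Review bot: The comma-separated `WATCH_NAMESPACE` that this commit's README documents will not work with the manager as built here: `Namespace: watchNamespace` in the `ctrl.Options` literal takes a single namespace, so a value such as `a,b` scopes the cache to a namespace literally named `a,b` and the operator reconciles nothing. In the controller-runtime releases of this era the multi-namespace case goes through `cache.MultiNamespacedCacheBuilder` from `sigs.k8s.io/controller-runtime/pkg/cache`, chosen when the value contains a comma (this also needs `strings` imported). Note too that, as the comment in `getWatchNamespace` states, an unset variable silently falls back to cluster scope, so a deployment that drops the env var would have the manager list and watch Secrets and ConfigMaps in every namespace its bound role permits; if that is not intended, fail closed by exiting when the value is empty. Minor: `os.LookupEnv` already returns `""` when the variable is absent, so the `if !found` branch is redundant and `strings.TrimSpace` on each element would be more useful.
```go
watchNamespace := getWatchNamespace()

opts := ctrl.Options{
	Scheme:             scheme,
	MetricsBindAddress: metricsAddr,
	// … unchanged: probe address and leader-election settings …
}
// Options.Namespace is a single namespace; a comma-separated list needs a
// multi-namespace cache, otherwise the cache is scoped to a namespace that
// is literally named "a,b" and nothing is ever reconciled.
if strings.Contains(watchNamespace, ",") {
	opts.NewCache = cache.MultiNamespacedCacheBuilder(strings.Split(watchNamespace, ","))
} else {
	opts.Namespace = watchNamespace
}

mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), opts)
```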
