Merge pull request #69 from signadot/cluster-config-allowed-namespaces

Include Allowed Namespaces in Cluster Config

Author: daniel-de-vera

signadot/operator/README.md

@@ -66,6 +66,14 @@ kubectl delete ns signadot
 | `serviceLabels`      | Labels to add to all deployed `Service` objects           | `{}`     |
 | `serviceAnnotations` | Annotations to add to all deployed `Service` objects      | `{}`     |
 
+### Controller Manager parameters
+
+| Name                            | Description                                                                 | Default |
+| ------------------------------- | --------------------------------------------------------------------------- | ------- |
+| `allowedNamespaces`             | Restrict the namespaces in which `signadot-controller-manager` will operate | `[]`    |
+| `sandboxTrafficManager.enabled` | Whether to enable the sandbox traffic manager sidecar on forked workloads   | `true`  |
+
+
 ### Image customization parameters
 
 The parameters in the table below allow one to specify image names for the
@@ -120,7 +128,6 @@ style resources and are not needed in an installation which uses the new
 | `jobExecutorProxy.image`              | Job Executor Proxy container image override             | `signadot/job-executor-proxy:vX.Y.Z`   |
 | `jobExecutorProxy.imagePullPolicy`    | Job Executor Proxy container image pull policy          | `IfNotPresent`                         |
 | `jobExecutorProxy.imagePullSecret`    | Job Executor Proxy container image pull secret          | `""`                                   |
-| `sandboxTrafficManager.enabled`     | Whether to enable the sandbox traffic manager sidecar on forked workloads | `true`                         |
 | `sandboxTrafficManager.init.Image`     | Sandbox traffic manager sidecar image override | `signadot/sandbox-traffic-manager:vX.Y.Z`                         |
 | `sandboxTrafficManager.init.ImagePullPolicy`     | Sandbox traffic manager sidecar image pull policy | `IfNotPresent`                         |
 | `sandboxTrafficManager.init.ImagePullSecret`     | Sandbox traffic manager sidecar image pull secret | `""`                         |

signadot/operator/templates/_helpers.tpl

@@ -1,7 +1,10 @@
+
 {{/*
 cluster config template
 */}}
 {{- define "compileClusterConfig" -}}
+{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}}
+allowedNamespaces: {{ if gt (len $allowedNamespaces) 0 }}{{ printf "\n" }}{{ toYaml $allowedNamespaces | indent 2}}{{- else -}}[]{{- end }}
 routing:
   istio:
     enabled: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") -}}{{ toString .Values.istio.enabled }}{{- else -}}false{{- end }}
@@ -15,4 +18,20 @@ trafficCapture:
   enabled: {{ if and (hasKey .Values "trafficCapture") (hasKey .Values.trafficCapture "enabled") -}}{{ toString .Values.trafficCapture.enabled }}{{- else -}}true{{- end }}
   requestHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .requestHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
   responseHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .responseHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
-{{- end -}}
+{{- end -}}
+
+
+{{/*
+get allowed namespaces
+*/}}
+{{- define "getAllowedNamespaces" -}}
+{{- if .Values.allowedNamespaces }}
+  {{- $userNamespaces := .Values.allowedNamespaces -}}
+  {{- if not (has "signadot" $userNamespaces) }}
+    {{- $userNamespaces = append $userNamespaces "signadot" -}}
+  {{- end }}
+{{- $userNamespaces | toJson -}}
+{{- else -}}
+[] 
+{{- end }}
+{{- end }}

signadot/operator/templates/allowed_namespaces.yaml

@@ -1,6 +1,7 @@
 # Bind the ClusterRole containing namespaced permissions to the
 # controller-manager's ServiceAccount only in the specified namespaces.
-{{ range $namespace := .Values.allowedNamespaces }}
+{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}}
+{{ range $namespace := $allowedNamespaces }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

signadot/operator/templates/signadot-controller-manager-deployment.yaml

@@ -42,8 +42,6 @@ spec:
         command:
         - /manager
         env:
-        - name: ALLOWED_NAMESPACES
-          value: {{ range $i, $val := .Values.allowedNamespaces }}{{ if gt $i 0 }},{{ end }}{{ $val }}{{ else }}""{{ end }}
         - name: SIDECAR_INIT_IMAGE_PULL_POLICY
           value: {{ with .Values }}{{ with .routeInit }}{{ with .imagePullPolicy }}{{ . }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}{{- else -}}"IfNotPresent"{{- end }}
         - name: SIDECAR_INIT_IMAGE_PULL_SECRET

signadot/operator/templates/signadot-manager-namespaced-clusterrole.yaml

@@ -26,6 +26,7 @@ rules:
   - ""
   resources:
   - pods
+  - endpoints
   verbs:
   - create
   - delete

signadot/operator/templates/signadot-manager-role-clusterrole.yaml

@@ -12,18 +12,6 @@ metadata:
     {{- end }}
   name: signadot-manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - admissionregistration.k8s.io
   resourceNames: