Description
The Signadot operator Helm chart currently hardcodes signadot as the
deployment namespace in 60+ places across 44 template files. This makes
it impossible to install the operator into any namespace other than signadot.
Problem
Organizations that enforce namespace naming policies — such as
{product}-{service}-{environment} conventions — cannot use this chart
as-is, because the signadot namespace name may violate their policies.
Specifically, the following resource types all hardcode namespace: signadot:
- Deployments, ServiceAccounts, Services, Roles, RoleBindings — resources are always created in
signadot
- ClusterRoleBindings (
subjects[].namespace) — ServiceAccounts outside the signadot namespace cannot receive cluster-wide permissions
- MutatingWebhookConfiguration (
clientConfig.service.namespace) — the webhook fails to reach the service when installed in a different namespace
_helpers.tpl — the getAllowedNamespaces helper always appends "signadot" to the watched namespaces list
Proposed Solution
Add a namespace parameter to values.yaml (defaulting to "signadot" for
full backward compatibility) and replace all hardcoded references with a
template helper {{ include "operator.namespace" . }}.
Default behavior (unchanged):
helm install signadot-operator signadot/operator \
--set controlPlane.clusterToken=$CLUSTER_TOKEN
# Resources still deployed to "signadot" namespace
Custom namespace:
helm install signadot-operator signadot/operator \
--set controlPlane.clusterToken=$CLUSTER_TOKEN \
--set namespace=<custom-namespace>
The template files contain # This file is generated. Do not edit. comments.
If there is an upstream generator, changes may need to be applied there.
Please advise if a different approach or location is preferred.
Description
The Signadot operator Helm chart currently hardcodes
signadotas thedeployment namespace in 60+ places across 44 template files. This makes
it impossible to install the operator into any namespace other than
signadot.Problem
Organizations that enforce namespace naming policies — such as
{product}-{service}-{environment}conventions — cannot use this chartas-is, because the
signadotnamespace name may violate their policies.Specifically, the following resource types all hardcode
namespace: signadot:signadotsubjects[].namespace) — ServiceAccounts outside thesignadotnamespace cannot receive cluster-wide permissionsclientConfig.service.namespace) — the webhook fails to reach the service when installed in a different namespace_helpers.tpl— thegetAllowedNamespaceshelper always appends"signadot"to the watched namespaces listProposed Solution
Add a
namespaceparameter tovalues.yaml(defaulting to"signadot"forfull backward compatibility) and replace all hardcoded references with a
template helper
{{ include "operator.namespace" . }}.Default behavior (unchanged):
The template files contain # This file is generated. Do not edit. comments.
If there is an upstream generator, changes may need to be applied there.
Please advise if a different approach or location is preferred.